How to Turn a Cyberattack Into a Strategic Advantage

On June 27, 2017, the NotPetya malware caused massive problems for Maersk, which is the world’s largest shipping company and handles 20% of global trade. After just a few minutes, 76 ports and 900 ships were frozen. The destruction was massive as 4,000 servers, 45,000 PCs and 2,500 applications were severely damaged and required significant work to be restored to their former glory. The estimated cost of the damage is believed to be around $300 million.

Maersk showed strong resilience, and within a couple of weeks, their share price was up, and they renewed customer loyalty. Today, this story of resilience has become a Harvard Business School case study. It provides masterclass lessons in how one can turn turbulence into a story of success. All leaders can learn from this. If you handle disasters through innovation, care and honesty, you can turn them into a success.

Related: My Company Was the Target of a Cyberattack, and Yours Could Be Too

Phase 1: The strategic post-mortem — moving from blame to insight

Typically, a lot of companies will panic and then look for a scapegoat when faced with a crisis. Maersk opted to realize that the root cause of the problem was not just a virus. Leaders accepted that they were bang average in terms of how they handled cybersecurity.

The company also accepted that what happened may have been due to a cultural problem internally that needed to be fixed. While malware was a cause of issues, they also understood that their culture played a part, as security was seen as something that IT dealt with and not a core business thing.

They conducted a business process autopsy and identified what was critical. The autopsy helps a business to identify what is working, what is not working and what processes from internal business practices can be removed.

These days, the public generally understands that companies will go through data complications at some point. They will respect a company that proactively aims to improve its defense systems.

Related: So, You’ve Been Hacked. These are the Best Practices for Business Leaders Post-Hack

Phase 2: The strategic pivot — transforming insight into action

This is the time during which you turn defense into attack and develop core advantages. After what happened, Maersk took drastic action. It increased its security team from 28 to 150 people. Its security culture and long-standing safety culture were made a communal responsibility in the company. Their CISO, Andy Powell, said, “Security becomes part of everyday culture. Whatever you’re doing, you think safety, you think cyber.”

You can modernize the technology stack with purpose. After the crisis, you may have sufficient power to urge the company powers that be that investment in defense and improving defenses are needed. Maersk used multi-factor authentication systems, upgraded its OS and created geographically redundant backups. They adopted systems such as NIST, which can stop so-called “extinction events.” Investments such as this should not be presented as something that is optional and costly, but as something that will have great long-term benefits.

Maersk succeeded in strengthening customer trust and communication as it turned what could have been a defeat into a competitive advantage. Rather than trying to sugarcoat, they were very transparent and quickly informed customers of what was happening in the journey to recovery. Instead of telling customers, “we failed you,” they opted for a stance of “we are being tested, and we are in this together.”

Phase 3: Operationalizing resilience — building the “antifragile” organization

After a data disaster, your aim should not just be to recover, but you must also aim to build an “antifragile” organization that can come out stronger after a major challenge. An important step is to ensure that you fully internalize the lessons. When Maersk had to act, it did not just fix the problem. Instead, it embedded a new security system into its future planning. Accountability was added to all teams.

Resilience should not just be something you aim for or use in a one-time project. You need to regularly have drills within your teams in order to be prepared for a potential crisis. By doing the drills, the thought memory and muscle memory of the staff will also be ready to act when disaster does strike.

Your backup plans and data must be regularly tested. Communication plans must be regularly updated, and response team plans of action must regularly be reviewed and updated. The resilience and plans to achieve this must continuously be refined, given that IT is a fast-moving line of work.

Related: 4 Steps You Need to Follow to Make It Through Any Crisis With Your Company Intact

Through its legendary handling of a crisis, Maersk proved that developing good technology is not just vital to overcoming a disaster. It moved from being a victim to coming out of the disaster as a stronger industry leader through good on-the-ground planning and strategic improvisation.

Instead of viewing a crisis as a problem, one must rather think “how can we emerge from this as a stronger brand and company and use it to increase customer loyalty?”

On June 27, 2017, the NotPetya malware caused massive problems for Maersk, which is the world’s largest shipping company and handles 20% of global trade. After just a few minutes, 76 ports and 900 ships were frozen. The destruction was massive as 4,000 servers, 45,000 PCs and 2,500 applications were severely damaged and required significant work to be restored to their former glory. The estimated cost of the damage is believed to be around $300 million.

Maersk showed strong resilience, and within a couple of weeks, their share price was up, and they renewed customer loyalty. Today, this story of resilience has become a Harvard Business School case study. It provides masterclass lessons in how one can turn turbulence into a story of success. All leaders can learn from this. If you handle disasters through innovation, care and honesty, you can turn them into a success.