The NotPetya malware attack of 2017 encrypted the systems and disrupted the operations of global businesses, starting in Ukraine and spreading rapidly to over 60 countries around the world. Global shipping company Maersk, one of the worst hit, ultimately needed to rebuild its entire IT infrastructure. In the nine days it took to get its systems back online, the company struggled to continue operations using manual workarounds that teams came up with on the fly. In the end, the incident cost Maersk nearly $300 million.
A more recent ransomware attack shut down the operations of JBS USA, the largest U.S. meatpacker, and other attacks have affected hundreds more companies. In late 2021, for instance, the Log4j vulnerability allowed adversaries to embed malware and take control of millions of Java applications developed over the past decade. These widespread incidents have proved that successful cyberattacks are inevitable.
Given that it’s impossible to protect against all new cyberattacks, it has become critical for companies to reduce the impact of cyber breaches by focusing on cyber resilience. Cyber resilience requires a systematic, structured, adaptive approach and cannot be relegated to the office of the CIO or chief information security officer. Because it potentially involves all parts of the business, it must be led by the C-suite and board.
Traditional Cybersecurity Is Insufficient
Most organizations evaluate their cyber maturity according to the National Institute of Standards and Technology’s Cybersecurity Framework, but it is 80% focused on identification, protection, and detection, and only 20% on an organization’s ability to respond to and recover from a breach.[1] Similarly, our research on cybersecurity spending shows that 72% is spent on identification, protection, and detection, with only 18% spent on response, recovery, and business continuity.[2] Not only does this imbalance leave organizations vulnerable, but it leaves companies ill prepared to comply with new rules proposed by the U.S. Securities and Exchange Commission that would require companies’ SEC filings to include details on “business continuity, contingency, and recovery plans in the event of a cybersecurity incident.” Cybercrime laws have already been enacted in 156 countries, and 250 bills are being considered in 40 U.S. states and Puerto Rico, with additional cyber resilience regulations expected to follow.
1. The National Institute of Standards and Technology (NIST) Cybersecurity Framework has identified 98 subcategories: 25 related to identification, 35 related to protection, 18 to detection, 14 to response, and six to recovery.
2. These figures are based on BCG research that used data from Gartner, IDC, and NIST.
3. See the following sources, from which this concept of biological thinking and resilience came. Note that “time scales” refers to the time necessary for a given process or sequence of events. S.A. Levin, “Fragile Dominion: Complexity and the Commons” (Cambridge, Massachusetts: Helix Books, 1999); M. Reeves, S. Levin, and D. Ueda, “The Biology of Corporate Survival,” Harvard Business Review 94, no. 1-2 (January-February 2016): 46-55; M. Reeves and J. Fuller, “The Imagination Machine: How to Spark New Ideas and Create Your Company’s Future” (Boston: Harvard Business Review Press, 2021); and Y. Sheffi, “The Resilient Enterprise: Overcoming Vulnerability for Competitive Advantage” (Cambridge, Massachusetts: MIT Press, 2005).
4. Least privilege access is a concept in computer security that limits users’ access rights to only what is strictly required to do their jobs. Zero trust is the concept that every user and every device must authenticate themselves when communicating with another user or device, to make it more difficult for an impostor user or impostor device to access systems in the enterprise. Network segmentation is the concept of putting different systems on smaller, individualized networks, with firewalls between the smaller networks to make it more difficult for an adversary to move laterally from one system to another.