An employee at Maersk, the world’s largest shipping conglomerate, saw computer screens suddenly turn black and irreversibly lock in late June 2017. A highly engineered malware worm exploited company computers in Ukraine lacking the latest Microsoft Windows security patches. With this small foothold, the worm breached the company’s IT system and blocked access to all computers and servers worldwide, ultimately halting shipping operations for several days. The incident cost Maersk over $200 million in lost revenue, caused unquantified costs in perished goods and recovery efforts, and created a slew of unhappy customers.
The Maersk story is not uncommon. In 2015, 80 million customer records were stolen from Anthem because an unsuspecting employee responded to a phishing email. In 2017, the United Kingdom’s National Health Service suffered a ransomware attack that resulted in 19,000 canceled appointments, once again because of an outdated, unpatched version of Microsoft Windows. In 2019, data on 106 million Capital One customers was stolen via a misconfigured Amazon Web Services firewall. And the list goes on.
With cybersecurity high on the corporate agenda, falling victim to a catastrophic breach is the dreaded nightmare scenario. Amid the COVID-19 crisis and a sudden increase in remote work arrangements, cybercrime is surging. Boards are looking to CEOs to prevent cyber incidents — but how?
“More advanced technology” is a common answer, but even that would not have prevented the Maersk incident, where a small human oversight — not installing a software update — led to catastrophic consequences. Technology is clearly the focus of industry investment and such spending is forecast to be $133 billion per year by 2022. But while choosing the right technology is essential, the majority of incidents relate to gaps in human performance, a persistent and often overlooked cybersecurity issue in most organizations.
Without addressing this issue of human performance, a vicious cycle perpetuates. (See “A Technology-Led Cycle Leads to Increased Cybersecurity Incidents.”) As companies bring on board new technologies — each one potentially addressing an emerging threat — they also add more corresponding people and processes. As this continues, the interactions between technology, processes, and people pile up, and the level of complexity increases geometrically.