The virus had begun its spread via a software-update of a widely used Ukrainian tax preparation programme. Within minutes, the malware had spread globally, infecting companies’ central servers and computers and paralyzing every aspect of their operations.
Together with Thomas C. Powell, I studied three global companies that fell victim to the NotPetya cyberattack. Our research gave us unprecedented access to the executive suites of three companies that compete in logistics, professional services, and consumer goods. We interviewed their chief executives, senior managers and IT administrators, and reviewed internal documents, presentations, and audio and video files related to the cyberattack.
Based on our interviews and data, we prepared comparative case studies of the companies’ cyberattack preparation, response and resilience. We analysed differences in executive perception, organizational response, and organisational learning before, during, and after the attack. We cross-referenced our findings with executives in companies that had experienced different cyberattacks and with experts in cybersecurity consulting, cyber-insurance, forensic services and information security.
From our research, we developed concepts of cyber-resilience, which we describe in an article recently published in MIT Sloan Management Review.