The story of Norsk Hydro’s ransomware attack illustrates what a devastating cyber crisis can look like. The company has been fairly public in its response, allowing other companies to learn from Hydro’s experience. In the security community, the story of Hydro is seen as a case in point of how to respond to a serious attack.
There are many reasons why.
Norsk Hydro’s leadership team never paid off the hackers, even as production lines switched to manual functions or ground to a complete halt. They remained open and transparent with their employees, customers, and the wider public throughout the crisis, while rebuilding its systems from scratch. Although the attack ultimately cost more than £45m, the CIO at the time (Jo De Vliegher, today a Client Partner at ISTARI) remains steadfast on it being the right decision for Norsk Hydro.
Why does this matter for businesses?
Ransomware is even more prolific today than in 2019 when Norsk Hydro faced the attack. Organisations of all shapes and sizes should know, practise and revise their incident response plans for when - not if - their systems are held at ransom.
Sometimes it is hard for companies to really imagine what a cyber crisis looks like, and how crippling it can be. The case study of Norsk Hydro fills that imagination gap.
The case of Norsk Hydro also shows that preparing for cyber crises isn’t just about technical defences – it’s a matter of collective responsibility and leadership.
Norsk Hydro's staff had to use paper-based workarounds to remain resilient in the face of the crisis. Is your company able to?
Every company in the world has had to deal with the impacts of the COVID-19 pandemic. In the wake of the first shutdown, many companies invoked their crisis response strategies with the goal of emerging stronger from the crisis.
One of the core responsibilities of the board and its directors is to oversee risk. Cybersecurity risk has become a top business risk for many enterprises. Board directors may not consider themselves as being cyber literate, but they still need to know what questions to ask.
By Manuel Hepfer