I became quite interested in cybersecurity around a year ago, given the growing threats of cyberattacks by criminal groups and adversarial governments. I then joined CAMS, MIT’s interdisciplinary cybersecurity consortium and started attending its online weekly seminars. A few weeks ago I attended a CAMS seminar on cyber resilience by Manuel Hepfer, a research affiliate at Oxford University and a research analyst at ISTARI, a cyber risk management company.
What is cyber resilience? While cybersecurity is the practice of protecting critical systems and sensitive information from digital attacks, cyber resilience is the ability to prepare for, withstand, and recover rapidly from any major disruption, whether an intentional cyberattack or a natural disaster.
The seminar was based on a study by Hepfer and colleagues of the 2017 NotPetya attack, in which self-propagating malware disguised as ransomware caused over $10 billion in global economic damage across a number of industries. Their study focused primarily on three global companies hit by NotPetya: a logistics company with over 60,000 employees, a manufacturer with over 20,000 employees, and a professional services firm with over 5,000 employees.
The researchers conducted around 50 interviews with senior executives across the three companies, including CEOs, CFOs, CIOs, and CISOs. In addition, they reviewed internal documents, presentations, press releases, newspaper coverage, and audio and video files related to events before, during, and after the attack. Their findings were published in two articles in the MIT Sloan Management Review, the first in 2020 and the second in 2022.
Continue reading "How to Build Organizational Resilience to Cyberattacks" »