Implementing the Lessons Learned From Maersk's Major Cyberattack

When Lewis Woodcock, head of Cyber Security Operations at A.P. Moller — Maersk, spoke to a virtual crowd at the 2020 ACFE Fraud Conference Europe, he remained cautiously optimistic. Despite the gravity and intensity of his experience on the ground during the cyberattack that plagued Maersk in the summer of 2017, Woodcock recalled his time working with the response team saying, “There was no sense of panic, more of a distinct, determined energy. There was work that could almost be described as excitement to tackle the enormous challenge that lay ahead.”

In this case, “enormous challenge” could almost be considered a euphemism. Maersk, an integrated transport and logistics company, manages nearly 20% of world trade; its vessels make 50,000 port calls each year. The company itself is large and complex, employing approximately 88,000 people globally and with no real central office. When its networks were struck with a cyberattack that shut down all its computer operating systems, the resulting outage transcended national borders and affected hundreds of thousands of people. In total, 50,000 company laptops were rendered unusable and had to be manually wiped and reconfigured. While no data was lost or destroyed because of prior backups, the grand total of collateral damages, including those to revenue streams of all companies inadvertently affected, reached close to $10 billion.

Before detailing the measures that Maersk took to recover from an attack of this scale, Woodcock asked audience members to imagine if this situation were playing out in their own business or organization: “So all of those IT systems which you rely upon for normal business operation, even for basic communication, they’re all gone. Whilst the security and IT teams are resolving the technical issues, who’s coordinating the continued operation of the business? Who’s managing your HR issues when you’ve got no HR system? Who’s arranging for payments to customers and to suppliers when you’ve got no finance system? Who’s handling media inquiries and investor relations, with no emails, no documents, and no libraries? … You can hopefully begin to imagine the breadth of the challenge.”

Woodcock cited human resilience and heroic teamwork as the primary analgesic in this scenario. His team rebuilt the entire IT infrastructure over a 10-day period, and then continued to develop new configuration settings that were manually sent out on over 2,000 USB sticks to reconfigure all 50,000 company laptops that were affected. In a note of humor in his presentation, Woodcock recounted the fact that he and his colleagues bought out all the USB sticks within a 25-mile radius of their office in the U.K., so he’s sure someone ended up downloading their new laptop settings from a Homer Simpson USB.

In continuing with his praise of human resilience, Woodcock noted the importance of innovation within unexpected and unrehearsed situations. He elaborated on the example of one customer service team that launched an independent program for booking intake during the days that the system was down. They were able to take in over 30,000 bookings — business that would have been postponed or lost if this team hadn’t been given the freedom and opportunity to innovate.

Throughout the system-wide shutdown, communication, both internal and external, remained one of Maersk’s biggest challenges. Woodcock stressed the importance of being prepared to be entirely open and honest about the conditions in these types of circumstances, noting that Maersk received praise for their willingness to communicate quickly and reliably, providing updates at regular intervals via their social media channels so that they could keep customers and investors informed. He added that senior management participated in numerous interviews and that WhatsApp became a valuable messaging platform to keep employees up-to-date and to provide positive messages of progress that helped to keep the workforce focused.

In terms of cybersecurity and preparedness, Woodcock reiterated the accelerated rate at which malware is evolving. “My belief is that the focus needs to be more on resilience and recovery and less on traditional anti-virus and anti-malware products. Going forward, it’s not going to be possible to stop every attack, to prevent every intrusion. Yet the faster that we can contain that attack and then recover, the greater the value to the business.”

In his view, risk mapping is a vital component of enhancing a company’s preparedness to respond to an attack like this. He encouraged companies to incorporate continuous training of employees in cyber hygiene, and he extended this to include all third-party suppliers: partners must adhere to Maersk’s security compliance standards in order to do business with the company.

While the potential for an attack like this to transpire may discourage companies from building out robust IT platforms, Woodcock cautioned otherwise. He argued that digital growth and digital transformation should be a crucial focus in company growth. “If anything,” he continued, referencing the current COVID-19 situation, “in the last few weeks we’ve seen the massive role technology can play to support business.” Citing the increased threat that many businesses may be facing as their employees are working from home, Woodcock recommended proactively running an exercise to practice how your IT teams might manage a cyberattack while working remotely to ensure that you have these efforts in place. He also suggested that people remain exceptionally cautious about the websites they visit and networks they use to connect to the internet, especially since many employees may be using personal devices. Calling for an extra layer of diligence when it comes to COVID-related scams and phishing emails, Woodcock concluded, “Cybersecurity is everyone’s responsibility.”