BCG Henderson Institute

The NotPetya malware attack of 2017 encrypted the systems and disrupted the operations of global businesses, starting in Ukraine and spreading rapidly to over 60 countries around the world. Global shipping company Maersk, one of the worst hit, ultimately needed to rebuild its entire IT infrastructure. In the nine days it took to get its systems back online, the company struggled to continue operations using manual workarounds that teams came up with on the fly. In the end, the incident cost Maersk nearly $300 million.

A more recent ransomware attack shut down the operations of JBS USA, the largest U.S. meatpacker, and other attacks have affected hundreds more companies. In late 2021, for instance, the Log4j vulnerability allowed adversaries to embed malware and take control of millions of Java applications developed over the past decade. These widespread incidents have proved that successful cyberattacks are inevitable.

Given that it’s impossible to protect against all new cyberattacks, it has become critical for companies to reduce the impact of cyber breaches by focusing on cyber resilience. Cyber resilience requires a systematic, structured, adaptive approach and cannot be relegated to the office of the CIO or chief information security officer. Because it potentially involves all parts of the business, it must be led by the C-suite and board.

  • Michael Coden

    Senior Advisor, Boston Consulting Group

  • Martin Reeves

    Chairman, BCG Henderson Institute

  • Keri Pearlson

    Executive Director of the Cybersecurity at MIT Sloan

  • Stuart Madnick

    John Norris Maguire Professor of Information Technologies, Emeritus at the MIT Sloan School of Management and the Founding Director of Cybersecurity at MIT Sloan: the Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity.

  • Cheryl Berriman

    Global CEO Advisory Program Senior Manager, BCG

Sources & Notes