Adam Banks joined Maersk in August 2015, initially as vice-president and head of simplification in Maersk Line, before being appointed as CIO. With a track record of handling major transformational change and overseeing improvements in technology, processes and capability to maximize margins, Banks faced the ultimate challenge in 2017 when the company was hit by the NotPetya ransomware. The impact cost the company between $200m and $300m, despite there being “no data breach or data loss,” according to CEO Soeren Skou.
On the day in July, the process of turning off every computer took more than two hours and digital phones at every cubicle had been rendered useless in the emergency network shutdown, with a network “so deeply corrupted that even IT staffers were helpless,” according to Wired’s article on the attack fallout.
Banks was one of the keynote speakers at Infosecurity Europe 2019, and he spoke to Infosecurity about his memories of the incident and what lessons he took away from the experience.
NotPetya occurred several weeks after the WannaCry ransomware outbreak – were businesses more prepared to deal with this sort of attack as a result of WannaCry?
There is a significant difference between NotPetya and WannaCry; the protections that were in place for WannaCry were not effective at preventing a NotPetya attack. If a company was unfortunate enough to have been hit by both, having recent crisis management experience would have been beneficial in the NotPetya experience; likewise, having proven processes for rebuilding the technical estate would have been useful. Maersk wasn’t affected by WannaCry, having been fully patched at the time.
What did the NotPetya attack teach both the security industry and businesses in general about dealing with cyber-attacks?
The NotPetya attack is an industry-changing event; it highlighted the level of activity of state actors to the boards and governing bodies of big business. This has led to a change in the way many organizations are protecting themselves and the level of interest at the top table in being appropriately protected.
NotPetya hit national headlines as the attack unfolded. Does that sort of wide media coverage help organizations better respond as an attack happens?
During the attack, a number of the most significantly impacted businesses were in contact with each other at C-level to compare responses and to try to learn from each other. The media coverage helped this happen, as did a number of the large tech firms or consultancies. Due to the global scale of the attack, a number of key skills were in very short supply. Certain skills needed couldn’t be sourced from tech firms or consultancies, so the media coverage allowed Maersk to reach out to partners, customers and suppliers who hadn’t been impacted directly and borrow some of the key technical skills.
Does attribution for an attack have any impact on an organization’s ability to react to and deal with a breach?
Knowing where the attack is coming from allows many organizations to work out if they are actively being targeted, or if they are just collateral damage. This is of value in the recovery exercise as it allows those in charge of the recovery to steer resources more effectively rather than having to cover all bases.