Conclusions from the Maersk case study
My last post was a case study of A.P. Møller-Maersk's communication is response to the NotPetya incident that took some of the company's global systems offline in June 2017 and the narratives carried by the news media in covering the incident. In this post, I want to wrap up this case study and look at the larger implications of the incident.
This was actually a pretty big deal...
If you read official communication out of A.P. Møller-Maersk, you might not realize how big of a deal the situation was. That worked in their favor. Too frequently, organizations have been quick to call incidents unprecedented and sophisticated. As I said in the last post, Maersk allowed others to make these sorts of conclusions. Its communication was dry and factual. However, this was actually a pretty unprecedented attack. When I talk to people about incidents that changed information security, they almost always mention NotPetya. Sometimes it evens comes up when I don't ask such a leading question. By taking this approach, Maersk was seen as reasonable and measured.
NotPetya was a big deal, and the work Maersk was able to accomplish to recover was "monumental" (Bleeping Computer). Modesty is usually a safe approach and it's one we haven't seen regularly taken by organizations responding to and recovering from infosec incidents. There may be many reasons organizations want to put on a strong front or play up the technical sophistication of the attack/hack/ransomware/what-have-you that took them down but that has gotten more organizations into trouble than it has benefited. I think more organizations are starting to realize that the strong approach earns more ridicule than praise. Awareness that no organization is completely immune to incident is consistently spreading to wider audiences outside of the security community.
With this realization, more organizations are taking the dry, "just state the facts" approach to incident communication. I haven't seen many go as far as Maersk did with Chariman Jim Hagemann Snabe's comment that they "were basically average when it comes to cybersecurity, like many companies" but I wouldn't be totally surprised to see it happen. It worked for Maersk, right?
This brings me to the larger conclusion, organizations should not see Maersk as a model for how to respond to any infosec crisis they experience. This might seem odd since I've spent so many words describing how successful their response was.
The success of Maersk's response comes down to a mix of components including: the type of incident; the fact that this was global in scale and many other organizations were impacted; the type of business Maersk does; and their ability to pull of such a herculean effort to restore operations (among so many others). If any of these components had been different - a more consumer-focused business; data theft rather than ransomware; a single-case incident (not a global one) - it might have played out totally differently.
While this is a positive case study, an example of an organization responding well and being lauded by the public and media, I don't think it should be a model for crisis communication. It's very common to look for models as a crisis communicator (whether researcher or practitioner). You want to see what others have done in similar situations and how it played out for them. Many "best practices" for communication are developed this way. There is just too much variation in infosec incidents for any organization's response to act as a proper model for others.
Maersk succeeded but they also took a gamble. When Maersk made the decision to have "a very open dialogue around this from day one," they couldn't have been 100% sure what was going on. That will almost always be the case with infosec incidents. Organizations must make strategic decisions without complete information.
When I say Maersk shouldn't be a model, I'm not saying that organizations shouldn't have an open dialogue when they're experiencing a crisis. But completely open dialogue is unlikely to get broad support internally without a big player (like the Chairman of the company) backing it. Communicators need to figure out as much information as they can before developing strategy, consult experts, and avoid getting stuck in models and best practices as much as they can. Best practices have led to a lot of failed infosec crisis communication.