“Unpack the Case” is a new monthly case feature that examines different perspectives from a case author, case teacher, and student, allowing for a complete 360-degree analysis. We explore insights into writing a great case, effective ways experienced educators teach with cases, and the impact on the student learning experience.
Discipline: General Management/Strategy, International
Synopsis: In 2017, the new chairman of A. P. Møller-Maersk confronted one of the worst cyberattacks in history, which crippled the company's vast global shipping network that accounted for nearly 20 per cent of global container shipping. NotPetya was a particularly virulent strain of ransomware that, within seconds, destroyed Maersk's servers and personal computers around the world. Maersk's senior system administrators had warned the company that its network was vulnerable, but the necessary upgrades were never completed. How can the company recover from this devastating event? And how can it protect itself from cyberattacks in the future?
Learning Objective: The case is suitable for undergraduate and graduate introductory strategy and international business courses, particularly those that emphasize technology and risk. The case is intentionally non-technical, focusing more on global business strategy; however, the case can be used as a starting point to help students understand the risks and challenges faced by companies that rely on Internet connectivity.
Author Insights: David T.A. Wesley, Luis Alfonso Dau, Alexandra Roth, Northeastern University
About the authors:
David T.A. Wesley, Research Program Manager, Northeastern University
Dr. Wesley’s research encompasses a range of strategic management topics, including international strategy, cultural diversity, intellectual property, and new product development. His award-winning cases have appeared in 30 management textbooks in multiple editions. Dr. Wesley is a co-author of a leading book on video game marketing and innovation. He teaches graduate-level courses in global strategy and culture.
Luis Alfonso Dau, Associate Professor, International Business & Strategy, Northeastern University
Dr. Dau’s research and teaching interests include global strategy, emerging market firms, institutional changes, pro-market reforms, business groups, family firms, firm performance, international corporate social responsibility, sustainability, formal and informal entrepreneurship, and culture.
Alexandra Roth, Executive Professor, International Business and Strategy
Dr. Roth teaches courses in International Business Management, Cultural Aspects of International Business, Managing the Global Enterprise, International Business and Global Social Responsibility, and Executive development. Her research interests are cross-cultural management, gender studies, globalization and cultural change, corporate social responsibility (CSR), and socially responsible investments (SRI).
Ivey Publishing: What made you decide to write this case?
Authors: There were a number of reasons for writing this case, primarily the lack of awareness among business students and executives of the growing business threat from cyberattacks. The U.S. National Cyber Security Alliance estimates that 60 percent of small businesses fail within six months of a major cyber attack. Yet, cybersecurity is rarely part of the business curriculum. Also, as international business faculty, this case is a great vehicle for teaching global strategy as it takes place over a large number of countries and demonstrates the growing interconnectedness of business operations. Students particularly like the fact that Maersk's office in the small African country of Ghana rescued the world's largest container shipping company from a potentially much worse fate. Finally, we like the case because it can be used in a variety of different ways, including discussions on strategic change and renewal, crisis management, the role of change agents, corporate duty of care, supply chain management, and information systems.
Ivey Publishing: What was your favorite part of this case writing experience?
Authors: Although we already had a good grasp of cybersecurity before undertaking this case study, our research gave us new insights on the roles of various state actors and the implications of cyber public policy on business operations. For instance, Apple received a lot of criticism for not helping the FBI crack iPhone encryption in the 2015 San Bernardino terrorist case. The government's argument is that companies should be providing back door access to electronic devices, access that would be closely guarded by responsible government entities. Yet, in the Maersk case, bad actors were able to hack the US National Security Agency (NSA), arguably the most advanced spy agency in the world, and re-purpose its hacking tools to attack western companies. The impact of the NSA losing its cyber arsenal to criminal entities continues to this day. In 2019, major cities across the world fell victim to ransomware attacks. In the US alone, more than 500 schools were hit, as well as hospitals, public safety (police, fire, ambulance), and legislatures. The economic and human toll is often greater than being hit by a major hurricane, but remains largely hidden from the public eye.
Ivey Publishing: What did you find the most challenging in writing this case?
Authors: Writing the case involved considerable detective work to reveal the various perspectives of key actors. As mentioned above, the story of what happened in Ghana was compelling, but required considerable research to piece together what happened. Also, because the events unfolded quickly across multiple time zones, reconstructing the sequence of events was both challenging and rewarding.
Ivey Publishing: What do you hope students will get out of this case?
Authors: Perhaps we should start by saying that we DON'T expect students to become cybersecurity experts. The case focuses on business strategy rather than technological prowess and, besides, there are far too many constantly evolving threats to stay ahead of. Instead, we hope that students will use the case as a launching pad for exploring the topic in greater depth and to become aware of the importance of having a good cyber strategy so that they can better protect themselves and their companies from becoming future victims.
Instructor Insights: Dr. Mark Fuller, Associate Professor, St. Francis Xavier University
About the instructor:
Dr. Fuller’s research interests include corporate social responsibility, stakeholder management, and non-economic forms of competition. He has particular expertise in corporate social reporting and has extensively studied the reporting habits of Canadian firms in sectors such as financial services, extractive resources, transportation, tourism and hospitality, wholesale and the retail trades.
Ivey Publishing: What did you like most about teaching this case?
Mark Fuller: The case was attractive because there was a singular incident – a cyberattack – that leads to a cascading set of issues at different levels of analysis. There are operational, functional, and strategic issues that arise from this situation. Students quickly realize that the interdependencies in business can be a challenge to prioritize and address. There are also short term and long term consequences, to both the incident and the students’ responses, which provides a valuable longitudinal perspective to the case.
IP: Is there anything unique about how you taught this case?
MF: This case was part of an introduction to the strategic management process within the first month of the term. Three teams of students analyzed the case, developed a strategic course of action, and developed an implementation plan for success. These were then presented in class with students from other teams watching. Students benefitted from case analysis, presentation design, and presentation delivery skills. However, they also benefitted from seeing how other students analyzed and presented the case differently. This segued nicely into our course team project as it familiarized them with the strategic management process, and provided students with inspiration for different ways to use and communicate important course concepts.
IP: Do you have any advice/insights for those who have never taught this case before?
MF: For those with a familiarity with enterprise systems strategy, you can choose to leverage much from this functional perspective on business. For those with less familiarity, you can easily leverage the case into a meaningful discussion about strategic decision-making in times of crisis. Making fast decisions in times of ambiguity is difficult to simulate, yet this case enables students to grapple with the challenge that comes from these situations.
IP: Are there any elements of the case that took the class in a different direction?
MF: The international aspects of the case – the Russian annexation of Crimea and the surviving hard drive in Ghana – elevated the case to a higher level. Managing a business during a time of international turmoil, the tangible issues of how to protect a firm’s employees and the obligations to their families, the change in perspective that arose from the digital divide – made for a richer, more informative educational experience.
Student Insights: Vanessa Cinel, BSAD 471: Strategic Management Course, St. Francis Xavier University
Ivey Publishing: What did you like most about the case?
Vanessa Cinel: What I enjoyed most about the case was how it dealt with an actual crisis, unlike other cases we explored in this class. Many other cases looked to find solutions to business strategies and business practices to see future success, whereas the Maersk case threw us the serious issue the firm faced with regards to cyber warfare. It also highlighted the complications of various nations and political powers interacting. It is not always healthy, but rather can be tense relationships that occur during international relations. As a major in International Business, this lesson is something that can be brought forward hopefully in my career. Sometimes the repercussions of these issues are felt from those who are not even involved. It also allows us to see how unpredictable a crisis like this can be, although it may not be fair on Maersk's part to have to endure the effects.
IP: How did the case help illustrate the subject matter being taught?
VC: The case brought forward the subjects of cyber warfare, political challenges between Russia and the Ukraine, as well as the constant changes in the cyberworld with technology and malware specifically. The case was successful at demonstrating how these subjects have an effect on each other. We were able to see how detrimental an attack like the one presented can be for a company, especially if they are not prepared. Although it is not necessarily just that a third party that is not involved in the cyberwar feels the effects of it, that is the reality. It allowed us to explore the importance of being proactive as a company rather than reactive. This lesson could transcend to more aspects of a business than just with regards to malware technology and software updates. I also did find that the layout of how the case was presented allowed us to properly understand the environment surrounding Maersk at the time, including politics, staffing, business practices and the technological world prior to explaining the actual crisis. This gave students the ability to see the full picture rather than just the moment of the cyber-attack.
IP: Did the case change the way you thought of the subject matter or brand?
VC: Prior to the case, I did not have knowledge of Maersk as a company. I also did not know the severity of the political issues going on between Russia and the Ukraine and how this actually affected more than just Maersk. At first glance, I was quick to judge the tactics and security put in place for the company. It is easy to point a finger on how the company went wrong. However, after exploring the case further, it is evident that it is not that simple. It is easy to see the faults after the fact, however Maersk was caught off guard in this scenario. Although their security and malware practices are questionable in this scenario, we are able to see how something that may not have been a priority for them ended up hurting them immensely. Instead of leaving off with a judgmental attitude towards Maersk's poor security, I chose to consider that there are most likely many firms who do not prioritize malware and cyber security either. When looking at it in that point of view, I was able to have sympathy for the damages that were done and hope for a more strategic future for them. I was also able to conclude that in order to stay viable in today's business world, cyber security should be at the top of the list.
IP: What were the key takeaways from this case?
VC: The key takeaways for myself from the Maersk case were the importance of adapting to the ever-changing technological world, the prioritization of malware and cybersecurity, the necessity of monitoring the political world surrounding your firm, as well as the skill of being a proactive firm rather than reactive. The world of technology is changing every day. It is crucial to understand the dangers that come along with this. Cyber security is so important as a big company. When holding important data such as personal information of employees and confidential information of the company, this should be a priority to protect that. Maersk had a reward program in place that did not favor downtime. However, this downtime would have been pivotal for the company's ability to update their software regularly, and potentially avoided this crisis. There are other ways to incentivize that would allow the firm to update their systems as needed to stay safe against cyber warfare. In a way this showed the company did not value the time needed for important software updates as much as the output that could be produced in that time. In addition, although a company cannot control the environment around them (especially the political one), they are capable of monitoring it regularly in order to predict circumstances such as this one. A more regimented check on the political world will at the very least allow a company like Maersk to take concerns such as cyber warfare more seriously. This leads to the point of a company taking a proactive approach. Measures can be taken to mitigate risk. It is a very important part of strategic planning for a business's success. Maersk (and all companies) should prioritize the risk mitigation that comes along with operations. To solely react in business will eventually lead to downfall. This does not just pertain to cyber security, but to all possible risks a firm may face.
Predicting possible crises and ways on how you may mitigate or minimize the damage will only put your firm that many steps ahead in the case it does occur.