It was 4 a.m. on a night in June 2017. Bret Arsenault, the top-ranking cybersecurity executive at Microsoft, had fallen asleep on top of his cell phone when it shocked him awake with a buzz.

A cyberattack, later dubbed NotPetya, had begun locking down computers and shutting down businesses in Ukraine.

At first it looked like a routine ransomware attack, in which companies would have been able to pay to unlock their locked-up computers. But NotPetya was different -- it spread lightning-fast, like a worm rather than ransomware, and companies quickly found there were no criminals to negotiate a ransom with at all, leaving them with inoperable hardware and no data.

Arsenault quickly jumped on a phone call with staff in Eastern Europe and the U.S. He demanded his staff shut off access to Ukraine within 10 minutes to stop the malicious software from spreading out of Microsoft's locations in that country.

The staff said they didn't think they could do it that fast. He pushed. They worked. They shut it down.

"If you do the right thing, they'll say you did your job. If it's the wrong thing, you get fired," said Arsenault, Microsoft's chief information security officer. "It was my team trying to not call chicken little. That is probably the hardest part of the job, to not get overexcited but not to under-react."

He might have the hardest cybersecurity job in the world, being accountable to the board of one of the world's largest tech companies, which supplies ubiquitous products and software that serve most other companies across the globe.

Microsoft is one of the most-attacked companies in the world. But Arsenault said the lessons he's learned from NotPetya and the other 6.5 trillion incidents the company sees each year can be used by businesses with much smaller profiles, and even by individuals. The biggest one: Get beyond passwords.