Cyber security is a huge topic in many industries right now. The recently issued guidelines make it particularly important for the shipping industry, yet at the same time many companies are not sure how to ensure they adhere to those guidelines. This week, I talked about cyber security and what it means for the shipping industry at the CLIA Technical and Regulatory Forum.
Of course, cyber security has also become a bigger concern over recent years because of the number of devices that now connect to networks. A cruise operator, for example, needs to offer its passengers Wi-Fi connections, but that means a whole range of devices, from mobile phones to tablets and even laptops, all connected and all vulnerable to attack. This doesn’t even take into account the operators’ own devices. Devices at risk can also be software or even completely virtual.
Cyber attacks can come from different sources, such as cyber criminals, industrial competitors, hackers, foreign intelligence services, hacktivists, employees, or terrorists. In all of those cases, however, the attacker will be looking to do one of three things:
In the first instance, this is likely a threat against your company. The second could more likely be against your customers on board. In the third scenario, the ship’s control systems could be at risk. All of these are potentially serious and the threat, especially the threat to personal safety, is often underestimated. Cyber attacks can cause mass devastation. They can of course also be costly, with HM Government estimating that for the financial year 2015/16, there was a total cost of £21 billion to business, £2.2 billion to Government, and £3.1 billion to citizens.
Clearly, cyber crime is a serious issue and needs to be on the agenda for every company. We cannot stop the threat but we can reduce the risk. Half of the battle is about educating users of your system on the importance of following company protocols and how to spot a phishing cyber attack. Companies should also harden their perimeter by using penetration testing and other simulated cyber attacks.
I would also advise any company unsure about how to be cyber secure to get expert advice to develop good processes and procedures and develop a Cyber Attack Incident Response Plan. Quite simply, the more prepared you are, the more you can reduce the risk, and the more you can be ready to respond if an attack does occur.