“Not if, but when.”
Possibly one of the most common sayings heard in conversations around cybersecurity.
While cybersecurity is higher on the risk profile of most organisations today, there is a deeper consideration of adequacy. Some may view new or updated software as a plug-and-play solution that is fit for purpose – ready to go with minimal disruption to the organisation. While this may be suitable for some companies, the reality is that an out-of-the-box solution with an accompanying one-hour training session will just not be enough. In time, we could even see certain business partners or solutions providers being chosen over others due to their cybersecurity policies and practices.
At the CrewConnect Global Virtual Event, Cameron Amigo (Global IT and Data Management Lead at SPI Marine) shared his thoughts on safety and security considerations for crew managers. He recognises that cybersecurity relies on creating a framework of core functions, and reducing risk is reliant on creating an operation and culture that understands the dynamic threats of cyberattacks.
“When it comes to your data - and specifically in terms of crewing - one of the terms that we use is Personal Identifiable Information (PII),” states Amigo.
Simply, it’s any information that can identify a person. The exact definition can differ from country to country, or region to region, but it’s safe to say that it is any personal information which could identify an individual. In a data-driven world almost every interaction you have involves sharing data of some kind.
“We must be aware of cybersecurity threats as a part of this. They're out there,” cautions Amigo.
Amigo observes that one can think of cybersecurity as a house: “What does the house look like? Where is your house? Is it in a safe neighbourhood or unsafe neighbourhood? Do you have locks on the door? Is someone home at your house? Are there children in the home?”
“When it comes to data in security, it's the same thing. If somebody wants to get in and get our data, we want to make it as difficult for them as possible and we want to make sure that we have locks on our doors. And if they do get in, we want to make sure an alarm goes off and it's hard for them to find what they're looking for.”
“Importantly, we want to make sure that no one gets hurt and when they leave that we can put the house in order quickly.”
Amigo states this may be an oversimplification, but all these considerations often fall to the backburner within organisations as day-to-day operations can outweigh forward thinking. There is even a good chance your systems are already compromised, and you just don't know it yet. Amigo observes that just like the Maersk breach, “you might not even be the intended target of the attack. Your system could be attacked because maybe they're trying to get into another system or something further down the line. Whether you are a little fish or a big fish, you could just be the entry point to the individual or organisation they want to compromise.”
“A common tactic is to get in someone's email account, and they intercept an invoice, change the banking details, and then send that invoice on for someone. It's a very common thing as we still heavily rely on email transfer and it’s just one way attackers target small companies to get to the bigger companies. You have to realize this is real.”
A Framework for Cybersecurity
What can you do? Amigo states that the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, which is recommended by the IMO, is a widely accepted international standard. There are five core functions to the framework – Identify, Protect, Detect, Respond, and Recover.
These serve as a set of activities or practices which organisations do to achieve specific cybersecurity outcomes. The framework is high-level and does not provide an "exact checklist of items for your organisation," states Amigo, but it does give a "generic checklist" and present outcomes identified by stakeholders which are "helpful in managing cybersecurity risk."
“With this, we need to identify where the threats are coming from – who or what are the internal and external threats. In the case of crews, this starts with who has access to your system? Does everyone in your company have the availability to see your crewing information? You could find you have a lot of access points!”
“It’s a big thing to assess your external threats but it is very important to be thorough. You need to think broadly and consider things like, where your data is being stored? How are you collecting or transmitting the data? If you’re using email, you need to protect your email and your database.” Amigo observes that one might not think of email as the centre of your database, but if people in your organisation are using email to share any of this personal information, hackers could scrape your email account for it.
“Basically, you need to identify all the doors and windows to your digital house.”
Next on the NIST framework is to consider how you want to protect your organisation based on the threats you have identified. “It’s probably the area most people focus on and there are a variety of different digital protections which you can deploy pending the threats you have identified.”
“There are thousands of different products or solutions to consider, and it can be quite challenging and daunting,” states Amigo. “What you want to do is take a list of the threats you have identified and tier them according to those with the highest risk and the biggest impact. Ultimately, you want to start at the top and work your way down.”
“As part of the protect function you want to consider what your internal policies are and who is responsible. Clear lines need to be drawn as sometimes management can assume a crewing manager is responsible, or maybe an IT manager. You want to know exactly who's responsible.”
“If any organization is going to bring me in and they ask me to run their IT and digital, I would want to know if I would be in charge of cybersecurity - and what's a fireable offense! That way I know what I can be held accountable appropriately.”
Amigo stresses that it is important to have clear, but also realistic, expectations. He also believes that those Crewing Managers who do have expectations from their employer on cybersecurity should reach out to their manager and ask these questions: “Don’t assume it's someone from IT who's responsible.”
Amigo highlights that education is a big part of the protection function and that the people who use these systems (or are responsible for the usage or enforcement of policy) should receive the relevant training in them. The developers or solutions providers who are providing you with these systems will have to fit the framework provided by your organisation.
The detect and respond functions of the framework “seem simple, but the reality is that many wait until something is wrong,” states Amigo. Many organisations believe detection is more of a defensive function, whereas Amigo states, “you really want to go on the offense.”
“You want to know when someone is in your system, and you want to know as soon as possible. The simplest way is to pull a report. If you have your crew list database, you can pull a report that lists all the changes which were done that week. Any changes that appear irregular – like changes done outside normal business hours – should set off an alarm bell to you.”
“You can also buy solutions – some of these even powered by AI – which can look for anomalies in your software and notify you. You definitely want some kind of detection solution instead of a call from one of your customers saying your banking details look different!”
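The weekly change report Amigo describes, as an added example that is not part of the original article: a Python sketch that reads a constructed export and flags changes made outside business hours or to payment-related fields. The column names, office hours and list of sensitive fields are assumptions.

```python
import csv
import io
from datetime import datetime, time

# Constructed sample: one week's change report exported from a crew database.
# Column names and values are hypothetical.
SAMPLE_REPORT = """timestamp,user,record,field,old,new
2024-03-04T09:15:00,asmith,crew-1042,rank,2nd Officer,Chief Officer
2024-03-05T14:40:00,bjones,crew-0877,passport_expiry,2025-01-10,2030-01-10
2024-03-06T02:13:00,asmith,crew-1042,bank_account,GB00-SAMPLE-0001,XX00-SAMPLE-9999
2024-03-07T11:05:00,bjones,crew-0311,bank_account,GB00-SAMPLE-0002,GB00-SAMPLE-0003
2024-03-09T16:30:00,cnguyen,crew-0560,email,old@example.com,new@example.com
"""

# Assumptions: office hours 08:00-18:00 Monday-Friday, in the timestamps' own
# time zone; fields whose change deserves review whenever it happens.
OPEN, CLOSE = time(8, 0), time(18, 0)
SENSITIVE_FIELDS = {"bank_account", "email"}

def review_changes(report_text):
    """Return (row, reasons) for every change that warrants a second look."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        when = datetime.fromisoformat(row["timestamp"])
        reasons = []
        if when.weekday() >= 5:
            reasons.append("weekend")
        elif not (OPEN <= when.time() < CLOSE):
            reasons.append("outside business hours")
        if row["field"] in SENSITIVE_FIELDS:
            reasons.append("sensitive field changed")
        if reasons:
            findings.append((row, reasons))
    # Most reasons first, so off-hours edits to payment details top the list.
    findings.sort(key=lambda f: len(f[1]), reverse=True)
    return findings

if __name__ == "__main__":
    for row, reasons in review_changes(SAMPLE_REPORT):
        print(row["timestamp"], row["user"], row["record"], row["field"],
              "->", ", ".join(reasons))
```

Routine daytime edits to non-sensitive fields drop out of the list, so the reviewer reads only the handful of changes worth confirming with the person who made them.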
As part of the last function of the core framework, Amigo cautions that organisations need to have a recovery plan. “Plain and simple, you need to have backups and a plan to get those back online.”
“If everyone's email is compromised, what do you do? How do you communicate? If your computers are compromised, how do you want to communicate with your crew? Is it through mobile? Is the game plan to go on WhatsApp? Is it through an Outlook application on your phone?”
Amigo believes that you need to have a game plan that accounts for as many scenarios as possible and, “It's no different than being on a ship. We must run our fire drills. Do our man overboard drills whether it was monthly or quarterly, you got to mock, run, or simulate these procedures.”
“You can make this process very complicated,” states Amigo, “but to simplify the standards I use three things: Prevent, Detect, and Recover.”
Amigo believes that if you focus on prevention (which will include identification), then detection and recovery, you will give yourself a good start to upgrading your cybersecurity. He notes that organisations should also examine these functions as a part of people, process, and technology.
“You must think in the mindset of all three. It can't just be technology. You must look at the people and processes. You can't train your staff, create a secure database and email systems and then neglect your processes. You will be leaving yourself to vulnerabilities and you need to apply all three functions for this framework to have an effect.”
Actionable steps for cybersecurity you can do now
Amigo says that managers need to first consider whether a similar framework or any of the previously mentioned functions or policies exist. From here, it’s important to work your way down and determine some budgets. On a basic level this would include budgets for prevention, detection and recovery.
He adds, “When you have a cyber-attack, that's not the time you want to develop a relationship with IT or a cybersecurity company which is coming to comment and protect you. You want to do that now. The last thing you want to do is wait until the house is on fire to figure out who you need to call. You know you want to have all this in advance.”
“Next, you want to look at your storage – where is your data being stored? Is your Crew Manager keeping this in an Excel spreadsheet on their personal computer as they're working at home? Ideally, this should be stored on an encrypted site and I would recommend a cloud-based solution to avoid managing upkeep and security.”
Amigo’s next consideration is how this data or information is being collected. He states that if you are collecting this data by email you could leave an organisation vulnerable. Secure portals which crew members can log into with multi-factor authentication tighten security to ensure these people are who they say they are.
Following from collection, Amigo states that access should be your next focus. “You don't want internally everyone at your company having access to all your information. Understanding who has what access helps you identify internal and external threats.”
“Next you should observe process and policy. You want to write a process that fits the technology and the prevention measures you have in place. Following that you want to ensure you have this all written down.” These measures ensure clear lines for all new and current employees.
Leading on from process and policy, Amigo states that accountability needs to be assigned. “Who is the person you're going to call, who needs to be communicated to, and where does responsibility lie when things go wrong.”
Finally, Amigo recommends doing a cybersecurity audit at least once a year. “I would recommend hiring a third party to come in and do it with fresh eyes and doesn't have skin in the game.”
“It's the best money ever spent to find your vulnerabilities.”