Tackling the cyber security conundrum

If cyber security wasn’t in focus in maritime before, it certainly is after the Petya virus took out the global IT systems, both internal and customer-facing, of Maersk Line in late June.

A standard bearer for digitalisation in shipping, Maersk responded quickly, but the company still needed a month to get its systems back fully functioning, highlighting not just the vulnerability of companies in global shipping to attack, but also the scale of the problem that can result.

Certainly there is now awareness at all levels in the industry - from the office executive to the board member. However, how to actually tackle the issue of cyber security remains rather more problematic.

Attending the business panel session at the cyber security event RSA Conference 2017 Asia Pacific and Japan this week revealed a surprising similarity between the problems facing the cyber security sector and those that face shipping, including, much like maritime, the difficulty it has in explaining its message to the wider world. Many of the issues discussed as facing the cyber security sector could easily have been transposed to a discussion about shipping – regulations that were just about ticking boxes, attracting talent to the industry – especially women, and the role of the human element in incidents.

At a very basic level there is a human element to the problem of cyber security. Much as the human element is to blame for 90% of the accidents in shipping, the human actor is very much a factor in cyber security breaches.

The threats raised, malicious emails and viruses on USB sticks, are well known, but that does not stop these incidents from happening. Benjamin Ang, senior fellow, Centre of Excellence for National Security (CENS) at RSIS, National Technological University Singapore, noted it takes people a long time to learn new procedures. We’ve had centuries to learn to lock our doors when leaving the house but just a few years to learn about cyber security. Similarly, health campaigns last for decades to change behaviour.

The point was made by moderator Hugh Thompson, cto of Symantec, that a lot of the early parts of a cyber attack stemmed from the social aspect where cyber criminals convinced people to do something they shouldn’t.

While C-suite executives and board members may well now have cyber security as a major item on their radar, both how they view tackling the issue and how IT professionals can communicate solutions to them are another issue.

Shipping executives happily talk to each other about the complexities of the industry, but find it much harder to explain the industry to the outside world, and the same applies to cyber security. Ang highlighted that one of the challenges was that other professions, such as lawyers, may not be “exactly tech friendly”.

When it comes to talking to senior executives in other sectors he said sometimes you need someone from outside the tech sphere who has “crossed over” and can speak to the board of directors in their language rather than cyber security jargon.

As for solutions, senior executives are often looking for a single magic fix. Diana Kelley, global executive security advisor for IBM, shared that as humans we like “magpie things” – by which she meant things that are bright and shiny and will, we believe, help fix all our problems in one go. The reality, though, is that constant work is required rather than a quick fix, rather like maintaining personal health. “We have to get the board to appreciate this is going to take some good solid hygiene work,” she said.

The example was cited of a table top exercise involving ransomware in which, while mid-level executives hotly debated how to fix the problem, the cfo came along and asked how much the ransom was. On being told it was $1m, his simple response was “pay it”.

One potential answer to issues of cyber security could be regulation, as is being seen in the EU with the NIS Directive, but this solution did not get an exactly enthusiastic response from the panel.

Zulfikar Ramzan, chief technology officer for RSA, noted that “for the longest time compliance has been a dirty word in security as people just ticked the boxes”; however, these exercises did not necessarily ensure security.

With the explosion of digitalisation and the Internet of Things, including in the world of shipping, cyber security is an issue that is not going away, and the ability of both IT and non-tech executives to understand how to handle it will be crucial to future business operations.