Cyberattacks can result from inadequacies in design, integration or maintenance of systems, as well as lapses in cybersecurity discipline. In general, where risks in information technology are exposed or exploited, either directly or indirectly, there can be implications for security and the confidentiality, integrity and availability of information.
Not every risk can be eliminated, even when it is identified in advance, but in those cases its likelihood or its impact can still be reduced. Here are 8 topics to consider when planning your vessel’s cybersecurity risk management.
1. Share the Responsibility, Create an Organizational Culture of Security
When planning your vessel’s cybersecurity risk management program, the burden for maintaining cybersecurity cannot rest exclusively on the ETO (Electro-Technical Officer) or IT department. Every crew member needs to be aware of potential risks and be responsible for preventing security breaches. Cybersecurity includes planning for hardware, software, and human factors. Verizon’s annual Data Breach Investigations Report has consistently found that phishing is the dominant route into organizations among breaches that involve social engineering, so the human element is the one most often exploited. To prevent such intrusions, it is important to develop an organizational culture of security among the entire crew. Crew members need the right tools and training to recognize malware, phishing emails, and other social engineering attacks, and a simple, blame-free way to report anything suspicious, since an early report is often what limits the damage.
2. Train the Crew
To implement your cybersecurity plan, you need to fully train crew at all levels on the identified risks, procedures, and systems designed to reduce those risks. Take the time to train crew on how to identify common social engineering attacks, and how to avoid them when online.
3. Share Information
Information about cybersecurity risks must be shared across all departments and at all levels. What the vessel (and management office) is doing related to cybersecurity must be communicated to all crew, especially those involved in the vessel’s decision-making. Keep crew aware and involved in ongoing activities, and they will appreciate the impact of relevant cyber risks.
4. Implement a cybersecurity framework
It is important to implement the appropriate cybersecurity framework for your vessel. For yachts, the relevant baseline is the International Maritime Organization (IMO) Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3), which apply to commercial shipping, including commercially operated yachts. The Guidelines provide high-level recommendations on maritime cyber risk management, to safeguard shipping from current and emerging cyber-threats and vulnerabilities. They also describe five functional elements that support effective cyber risk management: identify, protect, detect, respond, and recover. Organizing your plan around those five elements makes it easy to see which part of the risk lifecycle each control, procedure, or training item actually serves.
5. Prioritize cybersecurity risks and emphasize speed
Despite appearances, not all yachts have unlimited staff or budgets for protecting against every cyber risk. Consequently, you need to rank risks by both probability and level of impact, and then prioritize your security preparations accordingly.
When a security breach or cyberattack occurs, an immediate response is required. The longer it takes to address the threat, the more damage may be done. Speedy reaction must be a part of your security-forward culture. That means prioritizing early recognition of potential risks, immediate identification of attacks and breaches, and knowing how to respond rapidly to security incidents. When it comes to risk containment, speed is of the essence.
6. Encourage diverse views
It can become all too easy to assess risks from a single viewpoint, often based on personal experience or the vessel’s history. But malicious actors are more likely to think “outside the box” and identify weak points in your systems that you haven’t seen before or even considered. For this reason, it’s useful to encourage crew members to think of and argue different points of view. This kind of diversity in thinking will help you identify more risks and more possible solutions.
7. Develop a risk assessment process
Risk assessment is an important part of any cybersecurity risk management plan. The assessment should:
— Identify all the vessel’s digital assets, including onboard systems (navigation, communications, entertainment and control networks), all stored data, and any intellectual property
— Identify all potential cyber threats, both external (hacking, attacks, ransomware, etc.) and internal (accidental file deletion, data theft, malcontent current or former crew, etc.)
— Identify the impact (financial and otherwise) if any of your assets were to be stolen or damaged
— Rank the likelihood of each potential risk occurring, and combine likelihood and impact into a single ranking so that the most serious risks are treated first.
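The risk-assessment steps above, together with the prioritization point in topic 5, can be carried out with a small qualitative risk register. The following Python is an added example written for this page, not code from the original article or from Great Circle Systems. The 1 to 5 likelihood and impact scales, the acceptance threshold of 6, and the sample register entries are all assumptions constructed for illustration; the useful parts are that each risk is scored before and after its controls (reduced, never eliminated) and ranked by residual score.

```python
from dataclasses import dataclass, field

# Qualitative 1-5 scales. The words and the acceptance threshold are assumptions
# for this example; a real register uses whatever scales the vessel's assessment adopts.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTABLE_SCORE = 6  # assumed risk appetite: residual score above this still needs treatment


def _level(scale: dict, name: str, kind: str) -> int:
    """Map a scale word to its number, rejecting typos rather than silently scoring them."""
    try:
        return scale[name.lower()]
    except KeyError:
        raise ValueError(f"unknown {kind} level {name!r}; use one of {sorted(scale)}") from None


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # steps down the likelihood scale
    impact_reduction: int = 0      # steps down the impact scale


@dataclass
class Risk:
    asset: str
    threat: str
    origin: str        # "external" (hacking, ransomware) or "internal" (accident, insider)
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if self.origin not in ("external", "internal"):
            raise ValueError(f"origin must be external or internal, got {self.origin!r}")
        self._l = _level(LIKELIHOOD, self.likelihood, "likelihood")
        self._i = _level(IMPACT, self.impact, "impact")

    def inherent_score(self) -> int:
        """Likelihood x impact before any control is applied."""
        return self._l * self._i

    def residual_levels(self) -> tuple:
        """Levels after controls; floored at 1 because a risk is reduced, not eliminated."""
        like = max(1, self._l - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self._i - sum(c.impact_reduction for c in self.controls))
        return like, imp

    def residual_score(self) -> int:
        like, imp = self.residual_levels()
        return like * imp

    def needs_treatment(self) -> bool:
        return self.residual_score() > ACCEPTABLE_SCORE


def rank_risks(risks):
    """Highest residual risk first; ties broken by inherent score so untreated big risks surface."""
    return sorted(risks, key=lambda r: (r.residual_score(), r.inherent_score()), reverse=True)


# Constructed sample register for a hypothetical vessel (not real data).
REGISTER = [
    Risk("crew laptops and chart updates", "ransomware delivered by phishing", "external",
         "likely", "major",
         [Control("mail filtering + crew phishing training", likelihood_reduction=2),
          Control("offline, tested backups", impact_reduction=2)]),
    Risk("guest manifest and owner itineraries", "data theft by departing crew", "internal",
         "possible", "severe",
         [Control("revoke accounts on sign-off", likelihood_reduction=1)]),
    Risk("shared drive", "accidental deletion of files", "internal", "likely", "minor",
         [Control("versioned backups", impact_reduction=1)]),
    Risk("bridge network", "exploitation of exposed remote access", "external",
         "possible", "severe"),  # no controls recorded yet
]


def report(risks=REGISTER):
    """Return (asset, inherent, residual, needs_treatment) rows, most urgent first."""
    return [(r.asset, r.inherent_score(), r.residual_score(), r.needs_treatment())
            for r in rank_risks(risks)]


if __name__ == "__main__":
    for asset, inherent, residual, treat in report():
        print(f"{residual:>2} (inherent {inherent:>2}) {'TREAT' if treat else 'accept'}  {asset}")
```

Running it ranks the uncontrolled bridge-network exposure first (residual 15) and the insider data-theft risk second (residual 10, still above the threshold even after account revocation), while the phishing-borne ransomware risk, the largest inherent score on the register, drops to 4 once mail filtering, training, and offline backups are counted. That is the practical meaning of “you cannot eliminate every risk, but you can reduce its impact”: the register shows which controls are doing the work and which risks still need budget.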
8. Incident response plan
Finally, develop an incident response plan, focusing on the priority of risks previously identified. Your crew needs to know what to do when a threat is detected, and who needs to do it: who isolates the affected system, who notifies the management office and the owner’s representative, and who is authorized to shut down a network or service. This plan should be shared, practiced, and understood by all crew, so that even if an incident occurs while your IT or security crew are off the vessel, the crew will have a roadmap for how to respond.
Analyze your vessel’s cyber risks
Managing your vessel’s cybersecurity is a constant challenge, as new and ever more sophisticated cyberattacks emerge on an almost daily basis. Many ETOs and IT engineers turn to Great Circle Systems to manage their yacht’s cybersecurity risk. Contact our IT Support department to develop a Cybersecurity Risk Management Plan that is right for your vessel.