
Improving Cyber Resilience Through Training - A Call to Action

By Chronis Kapalidis, HudsonCyber

As of October 2020, 59 percent of the world’s population – that’s almost 4.66 billion people – used the Internet to access information, communicate, sell goods and services, exchange all forms of data, and connect with friends, family, business connections and communities of shared interest.

How do these 4.66 billion people with different education levels and experience, from different cultures, speaking diverse languages, residing in different countries, and perceiving the world through their own values, function securely? More specifically, how do maritime transportation organizations function securely within such a global community? One of the fundamental steps a maritime organization should take is to initiate and sustain a cyber-aware culture.

According to the European Union Agency for Cybersecurity's Cyber Security Culture in Organizations, the “concept of cybersecurity culture refers to the knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of people regarding cybersecurity and how they manifest themselves in people’s behavior with information technologies”. Maritime transportation organizations face a serious challenge in aligning these factors among staff, who may be spread across regions or even around the globe. Creating an organization-wide cyber-aware culture requires, first and foremost, a basic understanding of existing threats, system vulnerabilities, and the potential consequences of a cyber breach. Achieving such awareness requires appropriate cybersecurity awareness training among all staff.

To this end, HudsonCyber conducted a survey in early 2020 to identify cybersecurity awareness training needs in the port and maritime industry. According to the findings, over 70 percent of respondents affirmed that cybersecurity was important in their daily job activities, and nearly 50 percent acknowledged that they had not received any cybersecurity awareness training.

A “cyberized” maritime sector

The risks to the organization generated from staff not having received cybersecurity awareness training have risen alarmingly. Fifteen years ago, the security requirements defined in the International Ship & Port Security (ISPS) Code provided adequate guidance for the protection of vessels and port facilities. However, cyber threats now represent an increasingly significant form of risk to maritime organizations. As the maritime industry rapidly digitalizes, partly due to the Covid-19 pandemic, which has only accelerated changes to its modus operandi, most business processes and operational components are becoming progressively interconnected. In this sense, cyber risk management has ascended to an enterprise-wide discipline that executives must understand, own, and advocate across the entire organization rather than relegating it to the information technology department.

Overall, the global maritime industry has been, is, and will continue to be affected by cyber-attacks that include malware and denial-of-service attacks, spear-phishing emails, and network penetration or disruption activities. Threat actors no longer require physical access to an organization to commit harm or gather information for illicit purposes. Malicious activities can go undetected by port authorities, terminal operators, and shipping companies for months and, in some cases, years. For example, the recent SolarWinds cyber-attack underscores the fact that executives must accept that their organizations are likely already compromised and will operate with an ongoing degree of cyber risk “unknowability.” The extent of this attack serves as a disturbing reminder that Advanced Persistent Threats can undermine confidence and trust in proprietary organizational data, client information, intellectual property, and financial data.

Create a cyber culture via training

Research consistently reaffirms that human error represents the most common cause behind successful cyber breaches. Since employees frequently override security measures, humans, not technologies, represent the greatest recurring source of cyber risk. For this reason alone, cyber threat actors frequently target employees. Training employees on cyber risk awareness is one of the most cost-effective and consequential steps a maritime organization can take to create a cybersecurity culture, reduce its organizational cyber risk profile and increase overall cyber resilience.

In today’s threat environment, maritime organizations must train staff to understand how to recognize threats and avoid falling victim to malicious schemes that attempt to exploit them in gaining unauthorized access to organizational data. Developing a cyber culture empowers staff to identify, report and, if possible, mitigate vulnerabilities; provides the necessary foundation for achieving organization-wide cyber resilience; and creates a sense of shared responsibility and accountability across the organization.

The CSA 2021 cyber awareness seminar series

To help its members navigate these challenges, the Caribbean Shipping Association (CSA) has partnered with HudsonCyber to deliver a four-part virtual cyber seminar series throughout 2021. Seminar workshops will provide important insights to CSA members regarding organizational cyber risk assessment and management as part of a continuous improvement process; cyber incident response and recovery; managing cyber risk in the supply chain; and cybersecurity awareness for executives.

Every day, maritime organizations are falling victim to cyber-attacks, and CSA members are no exception. The question for 2021 is whether your organization is doing enough to empower your people and bolster your ability to withstand and recover from a cyber breach.