The human factor
"Human factor" is the term used in the oil, gas, nuclear, aviation, space and military sectors to recognize that human error is not simply a matter of individual failure but is shaped by workplace factors, equipment and task design, among other things.
The shipping industry should therefore treat cyber risk alongside the physical, human-factor and other risks it already manages, rather than as a separate concern.
It is worth remembering that behind every cyber-attack there is a person. The industry can stay resilient and protected if it thinks one move ahead of the attacker, because the attacker remains a human being. Keeping up to date with current cyber challenges lets the industry anticipate what an attacker might try next, so that each organization can train and educate its employees on the risks that actually apply to them.
On the human factor, OCIMF has established eight principles and notes that "human factor" is the term to adopt because it is the most widely recognized, giving the maritime world access to knowledge, resources, tools and advice from many other industries and companies.
Also, OCIMF’s eight principles note that
- people will make mistakes
- people's actions are rarely malicious and usually make sense to them at the time.
- mistakes are typically due to conditions and systems that make work difficult.
- understanding the conditions in which mistakes happen helps us prevent or correct them.
- people know the most about their work and are key to any solution.
- plant, tools and activities can be designed to reduce mistakes and manage risk better.
- leaders contribute to shaping the conditions that influence what people do.
- it matters how leaders respond when things go wrong, and whether they take the opportunity to learn.
In line with the second principle, that people mean well and their actions are rarely malicious, organizations should accept that their people are the link an attacker targets between the hacker and the company. Each organization must therefore protect its people, train them and treat their mistakes as something to learn from rather than punish.
Building a culture of training and knowledge
During a digital discussion hosted by ICS, Päivi Brunou, Head of Cyber Security, Wärtsilä Voyage, Finland, explained that cyber incidents must be dealt with as physical incidents are. In other words, she explained that when an incident happens, such as a vessel being on fire, industry bodies investigate the incident looking for the cause, the contributing factors and the lessons learned.
Similarly, in the case of cyber incidents, she advises the industry to follow the same path. She explained that companies have to report every cyber incident so that everyone learns from mistakes.
When a cyber incident occurs, it can become the focus of attention, and industry stakeholders can investigate what went wrong, what factors caused the incident, and what can be learned from it.
Consequently, the shipping industry could build a culture of training and knowledge around cyber security.
In addition, employees must be aware of the most common weaknesses that attacks exploit, namely:
- obsolete and unsupported operating systems
- outdated or missing antivirus software and protection from malware
- inadequate security configurations and practices, including the use of default administrator accounts or passwords, and network management that is not based on the principle of least privilege
- shipboard computer networks that lack boundary protection and network segmentation
- safety-critical equipment or systems that are permanently connected to the shore side
- inadequate access controls for third parties including contractors and service providers.
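The list above is also a checklist that can be run automatically against a ship's asset inventory and firewall policy. The following Python is an added example, not code from the original article or from any OCIMF, ICS or BIMCO material; the host inventory, firewall rules, end-of-support dates and default account names are constructed for illustration and should be replaced with data exported from your own CMDB and firewalls. Beyond the per-host checks, it evaluates the zone-to-zone rules with first-match semantics and a configurable default policy, so a flat network with a permissive default is reported as missing segmentation, and an explicit shore-to-OT allow rule is reported as a permanent shore connection.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed end-of-support dates for illustration; confirm against vendor lifecycle pages.
END_OF_SUPPORT = {
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}
# Vendor-default administrator names that are often left enabled (illustrative set).
DEFAULT_ADMINS = {"admin", "administrator", "root"}
MAX_SIGNATURE_AGE = timedelta(days=7)
ADMIN_ROLES = {"it-admin"}          # roles permitted to hold local admin rights


@dataclass
class Host:
    name: str
    zone: str                        # network zone the host sits in
    os: str
    safety_critical: bool
    av_installed: bool
    av_signature_date: Optional[date]
    accounts: dict = field(default_factory=dict)   # username -> attribute dict


@dataclass
class FirewallRule:
    src_zone: str
    dst_zone: str
    action: str                      # "allow" or "deny"; first matching rule wins


def audit_host(host: Host, today: date) -> list:
    """Check one host for the per-system weaknesses in the list above."""
    findings = []
    eos = END_OF_SUPPORT.get(host.os)
    if eos is not None and eos < today:
        findings.append(f"{host.name}: {host.os} unsupported since {eos}")
    if not host.av_installed:
        findings.append(f"{host.name}: no anti-malware protection")
    elif host.av_signature_date is None or today - host.av_signature_date > MAX_SIGNATURE_AGE:
        findings.append(f"{host.name}: anti-malware signatures out of date")
    for user, attrs in host.accounts.items():
        if user.lower() in DEFAULT_ADMINS and not attrs.get("password_changed"):
            findings.append(f"{host.name}: default account '{user}' still has its default password")
        if attrs.get("admin") and attrs.get("role") not in ADMIN_ROLES:
            findings.append(f"{host.name}: '{user}' ({attrs.get('role')}) holds admin rights, breaking least privilege")
        if attrs.get("role") == "contractor" and attrs.get("expires") is None:
            findings.append(f"{host.name}: third-party account '{user}' has no expiry date")
    return findings


def audit_segmentation(hosts, rules, default_allow, shore_zones=("shore", "internet")) -> list:
    """Flag every non-critical or shore-side zone that can reach a safety-critical zone."""
    findings = []
    critical = {h.zone for h in hosts if h.safety_critical}
    sources = {h.zone for h in hosts if not h.safety_critical} | set(shore_zones)
    for src in sorted(sources):
        for dst in sorted(critical):
            match = next((r for r in rules if r.src_zone == src and r.dst_zone == dst), None)
            allowed = (match.action == "allow") if match else default_allow
            if allowed:
                why = "explicit allow rule" if match else "no rule and default allow"
                findings.append(f"{src} -> {dst}: safety-critical zone reachable ({why})")
    return findings


def run_audit(hosts, rules, default_allow, today) -> list:
    findings = []
    for h in hosts:
        findings.extend(audit_host(h, today))
    findings.extend(audit_segmentation(hosts, rules, default_allow))
    return findings


# Constructed sample inventory (not real ship data).
SAMPLE_HOSTS = [
    Host("ecdis-1", "bridge-ot", "Windows 7", True, False, None,
         {"admin": {"password_changed": False, "admin": True, "role": "it-admin"}}),
    Host("crew-pc-3", "crew-lan", "Windows 10", False, True, date(2024, 5, 30),
         {"cadet": {"admin": True, "role": "deck-officer"},
          "vendor-svc": {"role": "contractor", "expires": None}}),
]
SAMPLE_RULES = [FirewallRule("shore", "bridge-ot", "allow")]
SAMPLE_DATE = date(2024, 6, 1)

if __name__ == "__main__":
    for line in run_audit(SAMPLE_HOSTS, SAMPLE_RULES, default_allow=True, today=SAMPLE_DATE):
        print(line)
```

Run as-is, the sample produces eight findings: three for the ECDIS (unsupported OS, no anti-malware, default admin password), two for the crew PC (a deck officer with admin rights, a contractor account with no expiry) and three segmentation findings (crew LAN and internet reach the bridge OT zone through the permissive default, and the shore side reaches it through an explicit allow rule). Changing the default policy to deny leaves only the explicit shore rule, which is the one that needs a documented business justification and time-limited access.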
Knowing your enemy and what to look out for helps people recognize when something is wrong and deal with the threat.
Building a culture of trust – Embracing mistakes
Even when people are aware of the challenges and risks, they may not recognize a specific threat and, for example, click on a link they should not. When this happens, the organization needs a culture of trust that treats mistakes as learning opportunities.
Here are four ways to build a culture of trust within your organization:
#1 Be honest and supportive
Understand what employees need to know, and communicate facts while being considerate of their effort and sensitive to their feelings.
#2 Engage in dialogue
Engage in dialogue with employees, giving them the opportunity to ask questions, get answers and voice concerns. Then apply what your internal stakeholders share to future actions. Use a variety of feedback tools to ensure everyone has the chance to be heard.
#3 Be consistent
Keeping commitments must be the essence of your behavior, in all relationships, day after day and year after year.
#4 Build in accountability
Encourage honest dialogue and foster accountability by building in processes that become part of the culture.
You build and maintain trusting relationships and a culture of trust in your workplace one step at a time through every action you take and every interaction you have with your coworkers and employees.
In conclusion, cyber security is not a problem that will go away soon, given that the shipping industry has entered the digital world. It is best to keep up with the changes, know the risks that are out there and educate employees on the issues that matter, building trust and ensuring that they feel free to speak up and report any mistake.