Cyber security best practices: Identifying and reporting a cyber breach

Cyber threat was identified as the top global business risk and a top three peril in most countries by Allianz risk barometer 2022, as well as one of the two main risks along with the environment by the World Economic Forum’s Global Risks Report 2022.

As a main fragment of the global business landscape, shipping industry makes no exception. The four biggest shipping companies, including Maersk, MSC, CMA CGM, COSCO, have suffered a cyber breach in the last five years, but an increasing digitalization trend, as indicated above, has also increased cyber incidents. In the second quarter of 2021, the Obrela Security Industries SOC team reported a 33% increase in cyber-attacks on ships compared to the same period in 2020.

How can I identify a cyber breach?

Every second is valuable for mitigating damages after an organization has suffered a cyber breach, so recognizing the early warning signs is of critical importance. However, it is not uncommon that a company today will need more than 200 days to detect a cyber breach.

An often-useful way to help identify threats in the network are breach detection tools, in the form of either software or hardware capable of recognizing active threats, such as suspicious user behavior or any vulnerability in the network, and thus notifying the cyber security staff that they need to take action.

However, technology is not always enough to identify cyber breaches, so human insight can make all the difference. Therefore, cyber security teams and everyone engaged in network traffic monitoring should be trained in the early warning signs of a data breach. In general, key points to watch include, but are not limited to:

• Unauthorized IP addresses on wireless networks;
• Multiple failed login attempts for system authentication;
• Loss of access to network, social media or email accounts;
• Suspicious network activity after-hours;
• Unusually slow internet connections;
• Inexplicable system reboots or shutdowns;
• Unauthorized launch of services and applications;
• Inexplicable changes in the design, layout or content of your website;
• Inexplicable changes in the website traffic volume; and of course
• Anti-virus or anti-malware tools alerting for infections!

Recently, the EU Agency for Cyber Security shared guidelines specifically for port operations on how to identify and evaluate cyber-related risks. These include:

• Contextualize the risk identification and evaluation process;
• Identify separately the cyber-related threats, the vulnerabilities to assets and services, and the internal and external dependencies;
• Assess the possible likelihood and impact of a cyber security incident;
• Adopt a specific methodology for identifying and evaluating risks (e.g. scenario-based,empirical, data driven, workshops/brainstorming sessions etc.); and
• Develop indicators (qualitative or quantitative) to evaluate identified risks

Reporting a cyber security incident

Once a cyber security incident has been resolved, formal reporting will often be required to both internal and external stakeholders. In the UK for example, there are certain incidents that companies are legally obliged to report to the Information Commissioner’s Office (ICO), regardless of whether their IT is outsourced or not. The steps in this stage, as highlighted by the UK National Cyber Security Centre, are:

• Report to law enforcement: Several cyber incidents go unreported due to personal embarrassment or because they are not considered serious enough.

However, if a cyber incident has been committed against you, someone else may have suffered a similar crime. The more individuals report, the more likely it is that perpetrators will be arrested, charged and convicted,

…NCSC advised.

• Keep everyone informed: High integrity and consistency of an organization is partly shown by how it reacts to unexpected situations and emergencies. In this respect, it is important to keep both employees and customers informed of anything that might affect them, e.g., their personal data leak as a result of a cyber breach.
• Consider legal advice: You might want to consider seeking legal advice if the incident has had a significant impact on your business and/or customers. If you have a cyber insurance policy, they will be able to provide you with more advice.

In the example of port operators, lack of communication between the departments responsible for physical security and cyber security is a common challenge for cyber hygiene. Poor communication is frequently exacerbated by the fact that, in most cases, personnel responsible for physical security risk management fail to communicate with and/or involve cyber security or IT experts in security planning, coordination, and preparation activities.

A key common factor…is how cyber security is positioned in the maritime sector. Cyber security is still mainly viewed as an IT problem. Isolating cybersecurity in the IT department and lack of appropriate reporting lines for cyber risk within the organization results in limitations in terms of responsibility, competences, approach, resources, budget, etc.,

…ENISA pointed out.