It is widely accepted that digitalization is here to stay, and the shipping industry is showing clear signs of development, from the use of drones to the implementation of remote surveys and inspections prompted by COVID-19. However, cyber incidents are still being reported, so what is the industry doing wrong?
October is recognized annually as National Cyber Security Awareness Month (NCSAM). Yet the latest striking cyber-attack was against the International Maritime Organization (IMO) on October 1st. The Organization itself commented that “its official website is down and its IT team is working on resolving the situation”.
The list of organizations hit by cyber-attacks in 2020 goes on and on, from CMA CGM, which was attacked recently, to Carnival Cruises and Toll Group, which was attacked in May.
The attacks themselves highlight the importance of having a resilient cyber security plan that will protect companies from cyber fraud. Yet the industry seems to be waiting for IMO’s guidelines, under which companies will have to report any cyber risk in their ISM Code no later than January 1, 2021.
Some may also argue that 2021 will be too late, given the recent attacks that took place. Specifically, the Maritime Transportation System – Information Sharing and Analysis Center (ISAC) executive director Scott Dickerson argued that companies are now more focused on complying with the IMO regulations concerning cyber activity than on security and effective risk management. This means that they are more interested in the regulation itself than in building a risk management agenda.
Therefore, below we share some dos and don’ts that may help you keep up with the technological changes and developments.
| Dos | Don’ts |
| --- | --- |
| DO use hard-to-guess passwords or passphrases. A password should have a minimum of 10 characters using uppercase letters, lowercase letters, numbers and special characters. It is also important to have different passwords for different accounts. That way, if one password gets compromised, your other accounts are not. | DON’T share them with others or write them down. |
| DO pay attention to phishing traps in email and watch for telltale signs of a scam. | DON’T open mail or attachments from an untrusted source. If you receive a suspicious email, the best thing to do is to delete the message and report it to your manager and Information Security Officer (ISO)/designated security representative. |
| DO lock your computer and mobile phone when not in use. This protects data from unauthorized access and use. | DON’T leave devices unattended. It is advised to keep all mobile devices, such as laptops and cell phones, physically secured. |
| DO be alert to things that don’t feel right. | DON’T install unauthorized programs on your work computer. Malicious applications often pose as legitimate software. Contact your IT support staff to verify whether an application may be installed. |
| DO educate yourself and others on cyber security tips. Cybersecurity awareness is crucial to avoiding attacks. | DON’T plug in portable devices (such as USB drives) without permission from your agency management. |
| DO implement a cyber security plan. Put effort into your plan, review it seriously on a regular basis, document that review, and make sure that all staff are regularly trained and updated on cybersecurity policies and procedures. | |
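The first row of the table states a concrete password policy (at least 10 characters, drawing on uppercase letters, lowercase letters, numbers and special characters, and no reuse across accounts). The following Python is an added example, not code from the article or from any organization it mentions, that turns that policy into a check a registration or password-change form could run; the function names and the sample passwords are assumptions made up for this illustration.

```python
import hashlib
import re
from typing import Dict, List, Set

# Policy values taken from the guidance above: at least 10 characters,
# with uppercase, lowercase, digit and special-character classes present.
MIN_LENGTH = 10

# Hypothetical helper table: (requirement name, predicate over the password).
CHARACTER_CLASS_CHECKS = [
    ("uppercase letter", lambda s: re.search(r"[A-Z]", s) is not None),
    ("lowercase letter", lambda s: re.search(r"[a-z]", s) is not None),
    ("digit", lambda s: re.search(r"[0-9]", s) is not None),
    ("special character", lambda s: re.search(r"[^A-Za-z0-9]", s) is not None),
]


def policy_failures(password: str) -> List[str]:
    """Return the policy requirements the password does NOT meet.

    An empty list means the password satisfies the complexity policy.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"at least {MIN_LENGTH} characters")
    for name, satisfied in CHARACTER_CLASS_CHECKS:
        if not satisfied(password):
            failures.append(f"at least one {name}")
    return failures


def fingerprint(password: str) -> str:
    """Hash used only to detect reuse across accounts.

    The plaintext of passwords used elsewhere is never stored; only these
    fingerprints are kept. (A real credential store would use a slow,
    salted password hash for authentication; SHA-256 here is just a
    constructed reuse check.)
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def is_reused(password: str, existing_fingerprints: Set[str]) -> bool:
    """True if the candidate matches a password already used on another account."""
    return fingerprint(password) in existing_fingerprints


def check_new_password(password: str, existing_fingerprints: Set[str]) -> Dict:
    """Combine the complexity policy with the 'different password per account' rule."""
    failures = policy_failures(password)
    reused = is_reused(password, existing_fingerprints)
    return {
        "accepted": not failures and not reused,
        "failures": failures,
        "reused": reused,
    }


# Constructed sample data: fingerprints of passwords assumed to be in use on
# other accounts belonging to the same person.
EXISTING = {fingerprint("Winter2020!x"), fingerprint("Sh1pping-Pa$$")}

if __name__ == "__main__":
    # Constructed candidates: too weak, acceptable, reused, and a long
    # passphrase that fails the character-class rules as written.
    for candidate in ["password", "Harbour-Pilot-2020",
                      "Sh1pping-Pa$$", "correct horse battery staple"]:
        print(f"{candidate!r} -> {check_new_password(candidate, EXISTING)}")
```

Running the block shows the two failure modes the table separates: a candidate that meets every character-class rule is still rejected when it is already in use on another account, and a long passphrase is rejected by the composition rules even though its length alone makes it hard to guess. If a policy wants to allow such passphrases, the length threshold is the rule to keep and the class requirements are the ones to relax.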
Overall, each employee has to be a Security STAR, by following the steps below:
STOP: Even though the message claims to be urgent, you do have time to stop and catch your breath before you act.
THINK: What is really happening here?
ASK: Take the time to ask a colleague, or in this specific example, your regular contact at Gard: Is this really from you? What is my gut feeling trying to tell me? Do not ask by responding to the message itself; the attackers will assure you that everything is in order and that it is safe to do what they want.
REPORT: If applicable, report to the party the attackers purport to represent so they may follow up. In this case, we were grateful to the correspondents who alerted us to the email. Also, report to your own IT or IT security department to help alert other users who may be targeted in your organisation.
If you suspect that you may have been tricked, please remember that targeted phishing can be very hard to detect, and even security experts have been known to fall for it. It is never too late to report and get help to reduce or even fix the damage.