DCN AUGUST Edition 2019
MARITIME CYBERSECURITY
Published data over recent years suggests that these direct and
indirect costs of a significant hacking event can be in the millions
of dollars.
Organisations also need to appreciate that where there has been,
or there is suspected to have been, unauthorised access to their
system, then the NDB scheme and foreign equivalents may apply
even where personal information does not appear to be the primary
target of the event.
NDB SCHEME
In May this year, the Office of the Australian Information
Commissioner released a report reviewing the first 12 months
in the life of the NDB scheme which provided some compelling
insights into the rising risk of cyber security threats, and some
important lessons for organisations.
The OAIC has reported there were 964 eligible data breaches in
that period, the vast majority of which were relatively small events,
where affected individuals numbered less than 1000 (83%). Of the
eligible data breaches, 60% were of a malicious nature and 35%
were attributed to human error (the remaining 5% being attributed
to system faults). The vast majority of the malicious events involved
compromised or stolen credentials, enabling third parties to access
email accounts or systems.
VALUABLE LESSONS
There are some valuable lessons that can be drawn from those
statistics. Firstly, over a third of all incidents are the result of
human error, and human error can be reduced by appropriate
training and employee guidelines. Ensuring employees follow IT
security procedures, and providing comprehensive training will go
a long way to reducing that risk.
Similarly, the prevalence of incidents arising from stolen
credentials is a lesson in the importance of adopting simple but
effective IT security procedures for staff – regularly changing
passwords and dual-factor authentication would have prevented
many of the reported incidents, we suspect.
More targeted and sophisticated attacks will remain a risk, and an
appropriate level of cyber resilience (including a properly prepared
data breach response plan and cyber insurance) should be in place
to manage and respond to such risks, but the starting point should
be employee engagement and training.
The best cyber resilience practices start with all employees
understanding that their inadvertent actions, like clicking on a
bogus link or responding to a fake email, are the greatest risk to
your business.
Matt Ellis, insurance partner and co-head of Norton Rose Fulbright’s
cyber insurance and incident response practice in Australia
Global shipping makes the connection on cybersecurity
Whether in pursuit of personal data or money,
cybercrime is now a big and highly automated
business, ready to strike at the most vulnerable
part of an organisation’s defences 24/7, writes
Inmarsat’s Peter Broadhurst
Speaking on a panel at the World Economic Forum earlier
this year, A.P. Møller-Maersk chairman Jim Hagemann Snabe
revealed that responding to the NotPetya ransomware attack of
June 2017 had required the reinstallation of 4000 new servers,
45,000 new PCs, and 2500 applications, all within ten days.
During this period, the company reverted to manual systems.
In hitting a company equipped with experienced cybersecurity
specialists, NotPetya showed the cyber threat is as real for
shipping as it is for any other connected business, especially
where legacy systems proliferate.
THE STATE OF IOT-BASED SOLUTIONS
If the warning should be sinking in, an Inmarsat research
program report, The Industrial IoT on land and at sea, suggests
maritime minds are slow to change. The unique study drew
on testimony from 750 survey respondents across a range of
industries to establish preparedness and perceptions regarding
the adoption of IoT-based solutions.
The survey found 87% of maritime respondents saying they
believed their cybersecurity arrangements could be improved. It
also saw more of them identifying data storage methods (55%),
poor network security (50%) and potential mishandling/misuse
of data (44%) as likely to lead to breaches in cybersecurity than
outright cyberattack (39%).
Given the self-diagnosis, it is perhaps surprising to find just
25% of maritime respondents said they were working on new IoT-based
security policies.
In fact, Inmarsat’s research exposed ambivalence as one of
shipping’s leading feelings towards IoT-based solutions. With
some owners engaging at the level of blockchain, others take
their lead from their need to comply with regulation: this is
an industry which simultaneously sustains just over 30% of
shipping respondents as ‘IoT leaders’ and just under 30% as ‘IoT
laggards’, the report says.
For every owner signed up to the benefits of condition-based
monitoring and predictive maintenance based on real-time
connectivity, there appears to be another for whom maintenance
is something that takes place at regular and predictable intervals,
or whenever is most convenient.
Inconsistent views on cybersecurity also appear free to coexist
with immature ones. Around 70% of respondents identify
reducing marine insurance premiums as a main driver for
48 August 2019
thedcn.com.au