A simple solution to a massive problem

30 November 2020

Cyber security is a topic we are probably all sick of hearing about, but equally one that cannot be ignored. It should be high on shipping’s agenda because the IMO requires that cyber risk management be integrated into existing safety management systems under the ISM Code for Documents of Compliance (DOCs) issued from 2021 onwards.

Where we always like to start is by demystifying what we actually mean by cyber security. In its simplest form, it comes down to four key threat actors:

  • Hacktivists are threat actors who gain unauthorised access to a computer system and carry out disruptive actions as a means of achieving political or social goals.
  • Nation state actors are government-sponsored hackers. They are usually the most sophisticated and capable, and have access to the greatest resources. Their efforts are mainly focused on other governments’ information, but they can also target foreign companies and businesses.
  • Insider: an insider threat is a security risk that originates within the targeted organisation. This doesn’t mean that the actor must be a current employee or officer of the organisation; they could be a consultant, former employee, business partner, or board member.
  • Organised crime units are criminals who gain unauthorised access to a company’s information, usually for financial gain.

These threat actors are, in some way, shape or form, applicable to most sectors, though their particular motivation and capability vary. As you reflect on the shipping sector, start to imagine how they may apply to your specific organisation.

The key point to think about here is the data you hold, in respect of your customers and what you transport, and more importantly who your customers actually are. Our experience and key observations from our incident response activities have shown that threat actors may target an organisation indirectly because of its upstream customer base.

Within the shipping sector, we would expect nation states and organised crime actors to be the most prevalent, with the objective of targeting the industry either to enrich state-owned industries or to gain unauthorised access to shipping information for financial gain.

The most common cyber-attacks in the shipping sector include data breaches, ransomware incidents, malware contamination and invoice fraud. In the last three years, we have seen large organisations within the sector fall victim to cyber-attacks. Most recently, this includes the CMA CGM group being subject to a ransomware attack and the IMO to a “sophisticated cyber-attack”. Before that, the world’s largest ship broker, Clarksons, suffered a cyber-attack when an isolated user account was compromised, providing unauthorised access to their systems. Though the hack did not affect the group’s operations, it changed their view of the importance of increased cyber security measures. Similarly, in 2017, the Maersk group suffered a major cyber-attack, which cost the group up to $350 million in lost revenue.

To avoid the feeling of Fear, Uncertainty and Doubt (FUD), we would like to end with a bit of a story. Like all good stories, it must have a beginning and an end. For us the story seems to be the same on most days, and it’s one we seem to repeat over and over again.

How, in most cases, do these breaches start, and how can we try to put an end to the story? It’s the story of security awareness training. Before we start, we are in no way saying this is a silver bullet that will magically resolve all your cyber-related issues. However, it is a silver bullet that will most likely resolve over 80% of breaches involving the threat actors mentioned above when organisations are targeted using social engineering. Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Examples include sending fake emails that trick users into clicking on links, and cold calling individuals while posing as IT. Phishing is one of the most successful types of social engineering and generally targets the weakest link in our cyber defence: the human. There is a simple remedy to this issue, which is User Awareness Training.

It’s probably the most under-invested component of our cyber defence strategy but, when properly implemented, the most effective against phishing attacks. Many of your organisations will have anti-phishing technical controls in place, but attacks of this nature are becoming more and more sophisticated.

We often run phishing exercises or campaigns for our clients to assess the awareness of their employees. What is particularly interesting about the results is the polar opposites we see between clients that run effective (and frequent) security awareness campaigns and those that don’t.

One of our most recent tests was performed on a client who had not performed any awareness training in the last 18 months. The overall results were quite telling across the 668 phishing emails sent: 

  • 36% of users opened the phishing email
  • 62% clicked on the link
  • 75% submitted data
  • 0% reported the email as being suspicious.

As we reflect on the above results, a number of contributing factors may have skewed them; however, the key point to focus on is the last one. It illustrates that the users, whether they realised it or not, didn’t report any suspicious activity. Overall, this is the greatest risk your organisation may face.

The results of our phishing exercises, when performed for organisations with robust security awareness campaigns, are the opposite. In most cases the number of users who open the emails or click on the links is very low, data submission is below 10%, and reporting of the incident is generally above 90%. The data is consistent across our clients.
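As an added illustration (not code or data from the original article), the snippet below scores a phishing simulation from a constructed per-user event log. It reports the funnel both as a share of the previous stage, which appears to be how the figures above are quoted since 62% exceeds 36%, and as a share of all recipients, and it measures the report rate against everyone who was sent the email, since that is the number the article singles out.

```python
from collections import defaultdict

# Constructed sample events (user id, action), not data from the article.
# A real simulation platform would export something similar per recipient.
SAMPLE_EVENTS = [
    ("u1", "sent"), ("u1", "opened"), ("u1", "clicked"), ("u1", "submitted"),
    ("u2", "sent"), ("u2", "opened"), ("u2", "reported"),
    ("u3", "sent"),
    ("u4", "sent"), ("u4", "opened"), ("u4", "clicked"),
    ("u5", "sent"), ("u5", "opened"), ("u5", "clicked"),
    ("u5", "submitted"), ("u5", "reported"),
]

FUNNEL = ["sent", "opened", "clicked", "submitted"]


def funnel_metrics(events):
    """Score a phishing simulation from (user, action) events.

    Returns distinct-user counts per stage, the conditional rate of each
    stage (share of users who reached the previous stage), the absolute
    rate (share of all recipients), the report rate against all
    recipients, and the users who reported only after clicking or
    submitting, because a late report still gives the SOC a signal.
    """
    stages = defaultdict(set)
    for user, action in events:
        stages[action].add(user)          # deduplicate repeat clicks/opens
    counts = {s: len(stages[s]) for s in FUNNEL + ["reported"]}
    sent = counts["sent"]

    def pct(part, whole):
        return round(100 * part / whole) if whole else 0

    conditional, absolute, prev = {}, {}, sent
    for stage in FUNNEL[1:]:
        conditional[stage] = pct(counts[stage], prev)
        absolute[stage] = pct(counts[stage], sent)
        prev = counts[stage]

    late = stages["reported"] & (stages["clicked"] | stages["submitted"])
    return {
        "counts": counts,
        "conditional_pct": conditional,
        "absolute_pct": absolute,
        "report_pct": pct(counts["reported"], sent),
        "late_report_users": sorted(late),
    }


if __name__ == "__main__":
    print(funnel_metrics(SAMPLE_EVENTS))
```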

So let’s end the story where we began. Security awareness training is key to your organisation’s cyber security defence. Start with it, end with it and repeat.