Page 36 of Maritime Logistics Professional Magazine (Q2 2016)
Energy Transport & Support
RECRUITMENT & RETENTION

“There are only two kinds of computers: Those that have been hacked, and those that will be hacked.”
– Emil Regard, Managing Director, BlueTide Communications

vessels. The best practices for managing the cyber threat are straightforward, and akin to the thinking and steps that go into building an SMS. And who hasn’t rowed that boat?

It’s Complicated

And yet cyber risk management is a little more complicated than that. Gideon Lenkey, director of technology for EPSCO-Ra, which recently launched a full suite of managed cyber security network services, says there are companies that employ best practices and pass regulatory audits – and yet their security is bad. “They are compliant, but they are a soft target.” Conversely, he cites companies that were not technically compliant, but their security practices were good. “I would hate for someone to think things are under control because they have met some minimum business practices.”

“And if you think you are safe because no one has ever heard of you, that’s no protection at all. The worst mistake someone could make perhaps is to somehow convince themselves, ‘I have no risk,’” says the Coast Guard’s Tucci.

Kim Hall, CLIA Director of Technical & Regulatory Affairs for Operational & Security, points out that it is not enough to secure individual systems or personal devices. “Looking at cyber security as a separate system ignores that it is part of an interdependent and interconnected system.” A good security plan must look at the entirety of the system and where parts interface internally and externally, including to third parties.

And yet a new study, “Tone at the Top and Third-Party Risk” conducted by Ponemon Institute LLC, found that while companies understand the third party security risk, it is rarely a primary risk management objective – a costly error. “In the past 12 months, organizations represented in this research spent an average of approximately $10 million to respond to a security incident as a result of negligent or malicious third parties.”

Start at the Top

Cyber risk is not an IT issue. Managing the cyber threat is also difficult, not because the proven, technical solutions aren’t there, but because the best laid plans mean nothing if nobody’s following through. “It has to start with the leadership first – if they aren’t willing to effect change – you can’t educate employees,” says Michael Crean, CEO, Solutions Granted, and Bluetide Communication’s security partner.

“[Cyber risk] is a board-level governance issue which requires the engagement of the full executive leadership team to address. Effectively managing cyber risk today ... requires a comprehensive, multi-dimensional approach that looks at people, processes and vendors – and includes response and recovery plans in addition to prevention tactics,” said John Drzik, chairman, cyber risk working group, for insurers Marsh & McLennan Companies, in that organization’s “Cyber Risk Handbook 2015.”

Coincidently, one of the top concerns coming out of a cyber security roundtable hosted by KVH Industries at CMA Shipping 2016 was complacency by ship operators. The panel identified a need for training, contingency plans for dealing with a cyber attack, and a set of best practices for minimizing risks.

Once executives are on board, it’s time to pull in the crew. Creating awareness involves more than giving employees a heads up that cyber crime is heading out to sea. It’s letting them know that a successful infiltration is only a click away, that they themselves can inadvertently be the ship’s own worst cyber enemy.

Another option is to take the “What’s in it for me” tack. One of the best approaches is to educate from a personal and family impact. The idea is to teach them how to protect their personal data and identities online, how to keep viruses and malware out of their computers. You talk to them about creating multiple, strong passwords; about how not to click on links, download or open email from sites or people they don’t know. Then, you throw in, “Oh by the way, these same tips will help keep ship – and you – safe, as well.”

A New Light

Creating awareness and correcting behavior that can create vulnerabilities is paramount. But there’s more to it than that. All crewmembers have to add the cyber threat to the way they think about risk management. Unlike most safety violations or physical acts of crime, cyber attacks aren’t visible. You won’t see the launch of a denial-of-service attack or malware wending its way through your computer network. And while people