Page 13: of Maritime Logistics Professional Magazine (Jul/Aug 2019)
Breakbulk Issue
While there is no silver bullet and no one solution to cyber safety, layered defenses are best practices and rely on multiple measures to detect and protect against cyber dangers.

… tripwires or safety barriers. By applying the bowtie to cyber risks, we can visualize their impact and the mitigating activities, creating a clear differentiation between proactive and reactive risk management.

The starting point of any bowtie analysis is the hazard, that which has the potential to do damage: here, a successful attack. A successful cyberattack results in an event (represented by the center of the bowtie), and in this case the event is loss of sensitive information. Threats (on the left) are whatever will cause the event. Consequences are on the right: the result of the event, the impact. In the case of sensitive data loss there may be financial, legal or reputational impact, or all three. Prevention and protection measures (safety barriers on the left) can stop an attack from succeeding. If the attack bypasses those countermeasures and succeeds, identification and response measures (the barriers on the right) are critical in mitigating its impact.

All cybersecurity risks and events can be illustrated by four bowtie analyses:
• Data loss of sensitive information;
• Malicious software infection;
• Distributed denial of service (DDoS); and
• Physical information & communication technology (ICT) perimeter intrusion and unauthorized access to ICT equipment.

Since best practices for information security involve layered defenses, security programs should deploy multiple prevention, protection, identification and response measures. These best practices apply to any network environment, whether process control networks, industrial control systems or corporate networks. One very necessary measure is the establishment of a Security Operations Center (SOC), which monitors, detects, investigates and responds to cyberattacks around the clock. A SOC for 10,000 employees costs about USD $1 million annually, but among all the defensive measures a SOC lowers the risk exposure from cyberattacks the most.

Another necessary measure, security awareness training, is critically important because one-third of cyber breaches are caused by employees or insiders.

Cybersecurity budgets vary depending on the industry and its risk. Defense companies are high-risk because of nation-state spying. Utilities supporting critical infrastructure have elevated risk profiles as well. Banks tend to spend more than construction companies, but the average annual cybersecurity budget across all industries is approximately one-quarter of one percent of revenues. For instance, a USD $3 billion industrial company should target approximately USD $8 million yearly on cybersecurity.

Privacy concerns and breaches have resulted in the European General Data Protection Regulation (GDPR). The California Consumer Privacy Act (CCPA) takes effect on January 1, 2020. Both regulations have far-reaching tentacles and teeth. Non-compliance with GDPR can result in fines of up to 20 million Euro or 4 percent of annual global revenue, whichever is higher. CCPA will levy fines of USD $7,500 per violation if the business does not cure the violation within 30 days of being notified. An effective security program is a necessity for multiple reasons, including good governance and, to be sure, no company wants to be in the cross-hairs of regulators.

An experienced security practitioner can frame security in terms of risk, the language of executive management. While the amount of security (and budget) depends on the company's risk appetite, insufficient security elevates risk. The migration of applications to AWS or Azure adds a new layer of complexity. A cybersecurity consultant can help companies meet their security needs, including cloud application security, network security architecture, governance and regulatory compliance, business continuity planning, assessments and audits, or augmenting staff to close temporary skill shortages, to name a few.

It used to be that death and taxes were the only certainties. Today getting hacked is another. English author Aldous Huxley said that cynical realism is the intelligent man's best excuse for doing nothing in an intolerable situation. Doing nothing is not an option in cybersecurity.

The Author
Jeffery Mayger provides cyber security advisory services at Concord, a consultancy for information technology integration and security services. His cybersecurity background includes Chief Information Security Officer (CISO) for global mining company Sibelco and information security services to upstream oil/gas customers. In addition to his B.S. in Mechanical Engineering, Mr. Mayger also holds a Master of Business Administration (MBA) from the University of Texas. His information security background includes designations as Certified Information Systems Security Professional (CISSP) and Certified SCADA Security Architect (CSSA). Mr. Mayger can be contacted at [email protected].
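The bowtie described earlier on this page (threats on the left, the central event, consequences on the right, proactive barriers before the event and reactive barriers after it) lends itself to a simple barrier-gap check. The following is an added worked example written for this page, not code from the article or its author: it encodes a bowtie for the "data loss of sensitive information" event and reports which threat lines have no deployed prevention/protection barrier, which consequence lines have no deployed identification/response barrier, and which lines rest on a single barrier and so are not layered. The threat, consequence and barrier names in the sample bowtie are constructed for illustration and are assumptions, not taken from the article.

```python
"""Barrier-gap check over a cyber-risk bowtie.

Added example; not part of the original article. The sample bowtie
(threat, consequence and barrier names) is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Barrier:
    """A safety barrier on one side of the bowtie."""
    name: str
    in_place: bool = True  # False: identified as needed but not yet deployed


@dataclass
class Bowtie:
    """Central event, threats with proactive barriers, consequences with reactive barriers."""
    event: str
    threats: Dict[str, List[Barrier]] = field(default_factory=dict)       # left side
    consequences: Dict[str, List[Barrier]] = field(default_factory=dict)  # right side

    @staticmethod
    def _deployed(barriers: List[Barrier]) -> List[Barrier]:
        return [b for b in barriers if b.in_place]

    def unprotected_threats(self) -> List[str]:
        """Threats with no deployed prevention/protection barrier: a direct path to the event."""
        return [t for t, bars in self.threats.items() if not self._deployed(bars)]

    def unmitigated_consequences(self) -> List[str]:
        """Consequences with no deployed identification/response barrier: impact is not reduced."""
        return [c for c, bars in self.consequences.items() if not self._deployed(bars)]

    def single_barrier_lines(self) -> List[str]:
        """Threat or consequence lines held by exactly one deployed barrier: no layering."""
        lines = list(self.threats.items()) + list(self.consequences.items())
        return [name for name, bars in lines if len(self._deployed(bars)) == 1]

    def gap_report(self) -> dict:
        return {
            "event": self.event,
            "unprotected_threats": self.unprotected_threats(),
            "unmitigated_consequences": self.unmitigated_consequences(),
            "single_barrier_lines": self.single_barrier_lines(),
        }


def data_loss_bowtie() -> Bowtie:
    """Constructed sample bowtie for the 'data loss of sensitive information' event.

    All names below are assumptions for illustration, not from the article.
    """
    return Bowtie(
        event="Data loss of sensitive information",
        threats={
            "phishing credential theft": [
                Barrier("multi-factor authentication"),
                Barrier("security awareness training"),
            ],
            "exploit of unpatched internet-facing server": [
                Barrier("patch management", in_place=False),
            ],
            "malicious insider": [
                Barrier("least-privilege access"),
            ],
        },
        consequences={
            "financial loss": [
                Barrier("SOC incident response"),
                Barrier("cyber insurance"),
            ],
            "regulatory fine (GDPR/CCPA)": [
                Barrier("breach notification procedure", in_place=False),
            ],
            "reputational damage": [
                Barrier("crisis communications plan"),
            ],
        },
    )


if __name__ == "__main__":
    for key, value in data_loss_bowtie().gap_report().items():
        print(f"{key}: {value}")
```

Running the block prints the gap report for the sample bowtie: the unpatched-server threat has no deployed proactive barrier, the regulatory-fine consequence has no deployed reactive barrier, and the insider threat and reputational-damage lines each depend on a single barrier. Marking a barrier `in_place=False` is how a planned-but-unfunded control shows up as a gap, which is the proactive/reactive split the bowtie is meant to make visible to management.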
www.maritimelogisticsprofessional.com 13