Security - BIMCO Bulletin


SECURITY, December 2019

How to prepare your company for a cyber attack: Maersk

By Mette Kronholm Frände, Communications Manager and Editor at BIMCO

A.P. Moller-Maersk learned some valuable lessons when the group was attacked by the devastating NotPetya malware in June 2017. Today, the nature and aim of cyber attacks have changed significantly, and shipping companies' approach to the cyber threat must change with it. The Chief Information Security Officer of A.P. Moller-Maersk, Andy Powell, shares seven pieces of advice on how to protect your business from a cyber attack and, more importantly, how to recover.

Andy Powell, Chief Information Security Officer, A.P. Moller-Maersk

1. Focus on recovery, not on avoiding the unavoidable

We have to accept that we cannot stop all attacks; they are too complicated and too advanced. We also have to understand that we cannot build 100% protection. If we try, we will spend a lot of time and money trying to do something impossible. Therefore, you must focus as much on how to recover and operate, should an attack occur, as you do on prevention. To do this, you must identify and protect the most critical parts of your business to minimise potential loss. It doesn't mean you should give up trying to reduce the likelihood of an attack, but the key priorities must be responding to limit the damage and then recovering.

2. Never pay a ransom

Never pay a ransom. Firstly, there is no guarantee that the criminals will unlock whatever they have locked. In fact, nine times out of ten, they do not. If you pay, two things happen: the criminals will probably not unlock anyway, and, even if they did unlock whatever they have targeted, they would have left something behind to lock it again. They have been inside, and while they were, they have planted other things there. Paying a ransom does not relieve you of the problem, and you are setting an unhealthy precedent. Once others know you are weak, they will attack you too, knowing that you pay out.

It is never worth paying a ransom; it is much better to accept the impact of the attack, rebuild and recover.

3. Understand your business

Another important piece of advice is to understand how your business operates and how it flows. If you don't know this in detail, it is hard to protect it. You would be surprised how many businesses have not fully modelled their business processes and decided how their technology supports each one. For most smaller companies, this is not a difficult task. You cannot protect everything, so you need to know the riskiest areas and prioritise defending those. Nine times out of ten, that will stop most of the attempts. Cyber security can be very expensive, but if you invest in understanding your business, it can pay off tenfold.

4. Back up and store offline

If you fall victim to an attack, most companies can actually recover all their data. If you back up all data and store it offline, you will always be protected, as you can reload that data. Most companies can do that, even small companies. A comparatively small investment in offline backup pays off massively. In fact, it's one of the best investments you can make.

5. Smaller companies should pull together

While bigger companies are racing ahead in investing in security, smaller organisations are falling behind, leaving them vulnerable. There is an opportunity here for smaller companies to get together and buy some of the more high-end solutions to share. I suggest they invest in a Security Operations Centre (SOC), where five or six smaller businesses share the costs of a big solution that is run independently for them. This model works well in the energy sector today, and I hope it will spread to the shipping sector too.

6. Don't buy the magic solution

This takes me to the next piece of advice: do not overbuy. Purchase the right solution for the size of your company. Cyber security vendors will try to sell you a magic solution that will protect you from everything.

There is no such solution. You cannot stop everything, and you need to be pragmatic about what is important to you. Investment in recovery is not as expensive as investment in high-end protection solutions that do not always work, and that are too difficult to operate. Many smaller companies will buy a solution they can neither sustain nor operate. If you buy really high-end equipment and something goes wrong, it is very expensive to repair. You can spend millions of dollars on cyber security solutions, but you don't need to.

7. Stay open and transparent

One of the key lessons we learned from the 2017 attack was to be open and transparent. Early on, we went out to say what was happening: that we were under attack. We explained to clients what we were doing to try to move their cargo. It is a hard decision to make, because there is a brand and reputation issue if you are attacked, and you will worry that your brand may get damaged. But a golden lesson learned by us was to talk to your clients first, be open and transparent and never try to hide anything. This approach will pay off in the end because your clients will know that they can trust you.

Photo (top): iStock AvigatorPhotographer & matejmo

Read Andy Powell's view on what the cyber threat looks like today and what's coming here.