Every once in a while an article (or series of articles) really catches our eye and we have to share it with our network. Matthew Roberts from Riela writes such incredible pieces. Please see below the latest in a thread of ‘Superyacht Cyber Insights’. The original can be seen here.
We are all responsible for the cybersecurity of the industry and therefore, the protection of the economy it sustains. A recent article published on shipip.com discussed ‘why cybersecurity should start in the shipyard’.
I agree that cybersecurity requirements of any vessel will need to be considered from the design stages, throughout construction and until delivery. However, the number of ships this applies to makes up a small proportion of the potential targets. Superyachts already in operation need to retrofit cybersecurity which, depending on the vessel size and complexity of systems, can be a significant undertaking.
The best lesson derived from the article was produced by Ms Tani, Deputy Manager of Cybersecurity at ClassNK:
“Aim high, but start small.”
Although Ms Tani was making reference to vessels and their Ship Owners, much like the IMO’s MSC.428(98) resolution, the guidelines should be embraced by all other industry stakeholders.
Focus spending on the highest cyber risks and the solutions that provide the highest ROI.
Every person and every business ultimately wants to be as secure as possible. Unfortunately, cybersecurity can come at great expense, and the more controls and solutions there are to implement, monitor and maintain, the more quickly the cost becomes eye-watering.
However, enabling good cyber hygiene does not have to cost the earth. My advice is to start with the basics and the best practices and work your way up. Enabling 2FA, or better yet MFA, in conjunction with cybersecurity awareness training for employees is time and again referred to as the best return on investment for cybersecurity spend.
Rather than trying to comprehend how to reach the highest standard now, set a realistic timeframe and work backwards. Whether it's a year, two or even ten, it will dictate the pace and the budget you will need to allocate to start with the smaller tasks now.
For the protection of your business, clients and employees, suppliers need to realise that in their current state, they perhaps pose a more considerable risk to Superyachts than they would like. Superyachts and ISM managers are busy preparing and actively engaging in activities to tighten up their security postures, and some of their identified cyber risks may include your business.
Ensure the longevity of your company by investing company time and money into cybersecurity now. The maritime cyber risk management guidelines published by the IMO and BIMCO both reference the NIST cybersecurity framework. The framework can be applied to all businesses, no matter how big or small. It is one of the most cost-effective processes to help companies identify their systems, their cyber risks and threats, how to detect and protect them, as well as respond and recover appropriately to a potential cyber event or data breach.
For Superyacht suppliers (some of whom I hope are reading), here are some certifications and reading material for you to mull over:
- Cyber Essentials / Cyber Essentials Plus – a UK Government-backed certification scheme to protect organisations from the most common cyber attacks. A Cyber Essentials assessment is approx. £300+VAT.
- IASME Governance – The IASME Governance standard was developed over several years during a government-funded project to create a cybersecurity standard which would be an affordable and achievable alternative to the international standard, ISO 27001.
SHAMELESS PLUG! The team of cybersecurity experts I have the pleasure of working with at Riela Cyber are certified Cyber Essentials and IASME Governance Assessors. For suppliers considering either accreditation, opting for IASME Governance includes Cyber Essentials and GDPR requirements. The cost of the assessment is £400+VAT (only £100+VAT more than Cyber Essentials only), not including the potential additional fee for any assistance required to ensure your business is ready to successfully pass the assessment.
Further reading material:
- NIST Cybersecurity Framework v1.1 – link to the full version on the NIST website.
- NIST Small business cybersecurity corner – precisely what it says on the tin, aligned to the NIST CSF.
- Small business cybersecurity: An essential guide – a concise summary, including 3 case studies.