cyber risk

Navigating Cyber Risk At Sea

by
Cyber Risk

Navigating Cyber Risk At Sea  

The maritime sector is not immune from the every day cyber risks that other transport industry sectors experience. with a high reliance on technology giving rise to similar cyber risk profiles and the ensuing threats vectors.

Ships that are now built rely on software to run their engines and GPS navigational systems to move from A to B, the impact therefore of a cyber attack from a hacker has the potential to cause severe disruption to the running of the ship.

There is an apparent lack of under reporting of cyber attacks in the shipping world with the true extent of cyber attacks not yet really known.

Cyber risk does not only exist at sea , cargo handling and container tracking at ports are also very dependent on technology which forms part of the cyber threat landscape that ships face.

To help this sector manage safety and security The International Maritime Organization, a United Nations agency released a set of draft guidelines on maritime cyber risk management which identified the following key areas:-

  • Identify: Definition of the roles and responsibilities for cyber risk management of individuals in order to assess cyber risks
  • Protect: The implementation of risk control processes to manage cyber attacks
  • Detect: The installation of systems to detect new and existing cyber risks
  • Respond: Procedures in place to provide cyber resilience and the ability to restore computer systems
  • Recover: Effective recovery procedures to back up and restore shipping operations

http://www.imo.org/en/MediaCentre/HotTopics/piracy/Pages/default.aspx

Possible Types of Cyber Threats

1.Hackers accessing a shipping management systems so that data can be accessed providing details of future shipments and route.

2.Hackers utilizing a GPS system to direct a ship to unsafe waters which may lead to an attack from pirates so that cargo can be stolen

3.Cyber terrorist hacking into a cruise ships’ navigation system in order to cause loss of life or some form of physical damage to the ship.

4.Curtailment of a transportation ship by hackers accessing navigational systems and delaying the ship in reaching it destination and causing goods to perish.

5.The hijacking of a oil tanker via its GPS system by a hacker which leads to the tanker being taken to a different destination.

6. The cyber extortion of ships’ navigational systems that paralyzes it therefore making it is unable to move or reach its’ end destination.

The emerging cyber threat of the Internet of Things is also an new area of concern that will become more prevalent in the coming years.

Can Insurance Help?

The majority of Marine Insurance policies include a cyber attack exclusion clause which is likely to lead to the sector considering the purchase of a stand alone specific cyber insurance policy which will address a number of the associated cyber risks that the maritime sector faces.

It must be stressed that insurance is only part of the process of the cyber risk management process and should be treated as such.

Image : Shutterstock

The Human Factor in Cyber Risk

by
Deep Fake

The Human Factor in Cyber Risk is the biggest cyber threat that businesses face today……

Businesses recognize the cyber risk created by the outside threat of a hacker but the human factor or insider threat is the greater threat . By virtue of human nature, people are susceptible to making mistakes and it is this unpredictability that offers most businesses most concern and the ability in which to manage this.

The Facts

  • The Kroll Annual Global Fraud and Risk Report identified that 56% of businesses advised that insiders were the key perpetrators of cyber security incidents , with former employees being a high percentage of these at 23%.

http://www.kroll.com/en-us/intelligence-center/press-releases/building-resilience-in-a-volatile-world

  • The Mimecast study last year showed that 45% of businesses felt that they were not prepared against insider attacks.

https://www.mimecast.com/resources/press-releases/Dates/2016/8/malicious-insiders/

A PWc report prepared last year also found that current employees are the top insider cyber risk to UK businesses, so what are the main forms of cyber risk that are bought about by human factors…..

1.Malicious 

Motivated by a user wishing to cause a businesses harm, possibly for revenge or spite due to frustration at work, reward by an outside organisation or competitor.

As an insider they do not need to get around firewalls and can avoid detection and are normally in a position of trust where their actions are not questioned.

The attacks consist of deliberate acts such as :-

Infection of Computer Systems with Malware  

An employee could deliberately inject a malicious software in the businesses computer system which would cause disruption.

Selling of Passwords

This could lead to corporate data being being stolen and passed to a competitor

Abuse of Internal Logins

The Ponemon Institutes’study on the Insecurity of Privileged users last year identified that 21% of the respondents felt that privileged access was not actually necessary. The report highlighted that users with access to the most sensitive information are the most likely to be an insider risk.

https://www.ponemon.org/

2. Accidental

These are caused by carelessness and lack of awareness perhaps during a busy period at work, at a certain time during the day after lunch or a Friday afternoon when thoughts could be on the weekend.

Negligence 

An inadvertent transmission of a virus via an e-mail that could corrupt a third parties computer system

The leaving of a laptop   on a train or in shop

Uploading of sensitive information that may be sent out into the public domain.

Social Engineering

An employee may open an innocent looking attachment to an e-mail which contains a virus that compromises the business computer systems. This is known as a phishing attack and could lead to the system being locked down from a ransomware virus attack.

Phishing attacks can be targeted i.e Spear Phishing or ciculated non discrimently.

Poor Password Housekeeping

An employee may keep their password by writing it on a postit note on their computer screen or have this written on their desk note pad, this provides an opportunity for another employee to access their computer profile.

Examples of Insider Attacks in the UK 

Tesco

40,000 customer accounts of Tesco bank out of a total of 136,000 were subject to suspicious transactions, 9,000 of these had money stolen from their accounts. The sums taken were relatively small varying up to amounts of £600 but eventually totaled £2,500,000. It is suspected that the compromise of the customer accounts were as a result of an insider.

Sage

The accounting and HR software firm suffered a data breach, which appeared to be an insider attack. Employee data of 280 UK customers was accessed and possibly compromised. It is understood that an internal login was used to gain unauthorized access to the data.

Morrisons

An insider published details of the entire Morrison 100,000 employee database which appeared to be motivated as a revenge attack. The employee was likely to have taken advantage of his privileged rights. A number of employees have now launched legal action against Morrison’s

Ten ways to help manage the Human Factor  

1.Ensure that cyber security policies and procedures are in place

2.Introduce staff awareness of current cyber security threats

3.Robust training of staff on all aspects of cyber security

4.Employee conduct review prior to joining company

5.Monitoring of employees that are leaving the company in terms of their on-line activity

6.Monitoring of internal network activity and review of unusual activity

7.Assessment of large amounts of data being accessed or moved

8.Sharing of best practices

9.Restriction of  administrator login

10.Purchase of cyber insurance to help mitigate losses

The Human Factor can also be one of the best defences against cyber attacks if employees are appropriately trained and aware of the changing threat landscape that businesses face.

Image : Shutterstock

A Defining Year for Cyber Risk

by
Cyber Security Threats

2016 has been a defining year for cyber risk….

There have been many events that have contributed towards shaping cyber risk this year however there are a number of stand out “Influencers” that have impacted on businesses during the year and will continue to do so in the future.

This has raised the awareness of cyber risk in the UK and within the business community as a whole.

Such “Influencers” that have had a bearing on cyber risk are the following :-

1.The Threats

Ransomware 

Ransomware is a form of malicious software that a hacker uses to encrypt the hardware of a computer, the hacker then extorts money normally in the form of bitcoins in exchange for the decryption code.

This form of cyber attack is now the most common in the UK with 54% of SME’s experiencing a ransomware attack. Surprisingly this is higher than in the US which is at 47%.

The impact is loss of income as a result of paying the ransom, loss of files, time spent by the business on remediation, downtime and the possible loss of life.

There is no sign of abatement of this form of cyber attack.

Phishing

Phishing is recognized as a method utilized by hackers to gain access to personal or business details in order too commit a crime. This is normally an act of fraud or used to cause disruption to a computer system. It can involve the sending of a bogus invoice sent by e-mail requesting the payment of money to hackers bank account.

The UK is one of the most targeted countries for phishing scams.

https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf

Internet of Things     

The Internet of Things is the internet working of “connected devices”, “smart devices” including buildings via embedded electronics, software or sensors. These then enables these objects to collect and exchange data.

When these devices are infiltrated by a hacker the potential to cause disruption is enormous. The treats are two fold which can result in  denial of service attacks or the compromising of security leading to a breach of privacy.

This year saw a cyber attack on Dyn through the malware strain Mirai which targets vulnerable Internet of Things devices. The botnet used in this attack was possible via a compromised digital video recorder.

These forms of attacks are only likely to increase in the future as “connected devices” do not have adequate security protection in place to prevent such attacks.

2.The Breaches

Yahoo

Yahoo announced in the space of a couple of months two major breaches of their user accounts . One occurred in 2014 and consisted of the theft of half a billion of their user accounts , the other in 2013 thought to believed to be nearer a billion. Both attacks are believed to be state sponsored.

These are two of the largest ever recorded compromises of personal information. It demonstrates that attacks of this nature are getting larger and that high profile companies are still a principal target for hackers.

Banks

Banks were hit hard by a number of cyber attacks this year ……. the list is a long one…..Bangladesh Central Bank where USD850M was stolen, Swift attacks on  banks in the Phillipines and Vietnam and the Banco del Austro, attacks also took place in the Ukraine and a number of US and Canadian banks.

In the UK , Tesco bank , HSBC and NatWest were all subject to cyber attacks but with limited losses to the banks.

Cyber attacks on financial institutions have increased dramatically over the past twelve months and good cyber risk management should be a key consideration for this sector.

SME’s and Public Sector are now a focus for Hackers

This year saw SME’s being the subject of increased cyber attacks and demonstrating that they too have a real cyber risk which cannot be ignored. Ransomware attacks were seen at businesses such as hairdressing salons to florists.

Local authorities and hospital were also targeted, the unluckiest county was probably Lincolnshire…… with the county council being hit by a ransomware attack and various hospitals in Grimsby, Scunthorpe and Goole where their computer network was compromised.

3.The Regulation

The Information Commissioners Office (ICO)

The ICO showed it’s teeth and fined TalkTalk GBP400,000 for various security failings following the cyber attack that took place last year.

It is likely that we will see the ICO exercise these powers more and more in the run up to the General Data Protection Regulations when they come into effect in 2018.

General Data Protection Regulations

These were finally adopted in April this year and will come into force on 25th May 2018

The clock is “ticking” and all business will need to assess what data they have, where it is stored and how they mange it, irrespective as to whether they are a data processor or data controller.

The fines for a breach are 4% of gross annual turnover so non-compliance is not an option.

Privacy Shield

The Privacy Shield is now “live” coming into force on the 1st August replacing the Safe Harbour. There have already been some challenges to this notably by Germany and its current framework maybe subject to change in the coming year.

What Else ….. ?

The Panama Papers, Brexit, Trump, the development of cyber insurance….. the list is endless.

This year has without doubt been a defining year for cyber risk….. 2017 will further shape the exposures and the vulnerabilities that businesses face from cyber risk.

 

Image : Shutterstock