10 Steps to Cyber Security

Part 11: Perspectives on Safety in Yachting
To see the full schedule click here.

Much of the language used in the media around cyber is designed to spread fear and uncertainty. It’s deliberately emotional, and the intention is to cause some form of reaction. For most media, the reaction required is to read the article and share the worry.

This is a distortion of the truth.Cyber as a term just means “something to do with computers”, and it’s attached to emotive words like “attack” or “hack”, because they sound scary.

A website which is defaced by having the images or text changed is just an act of vandalism. Yes, it could lead to more, but the point is that in the real world defaced posters would be called vandalism, and this is no different.

At the end of the day, cyber security is all about managing risks, in the same way as other aspects of security are. This article is intended to help dispel some of the myths, remove some of the uncertainty and show you how to manage some of your risks.

There is a perception that cyber security in a maritime environment either doesn’t happen or is not required: neither of these are true. Moller-Maersk was recently caught up in a cyber ransomware incident which targeted multiple systems, and they estimate the cost to the company is in the region of $200-$300 million.

In 2014, Sir Iain Lobban, the then-director of GCHQ – the UK’s national technical authority for cyber security - stated that:

About 80% of known attacks would be defeated by embedding basic information security practices for your people, processes and technology.

This is true for all systems, not just land based ones. The basic Information Security practices he is talking about are based on the UK Government’s 10 Steps to Cyber Security, introduced in 2012. These are described in generic terms below.

10 Steps to Cyber Security

1) Risk Management
This is a regular, repeated process, where you review your risk register regularly and agree with the board appropriate measures (also known as controls) based on a cost benefit analysis and your company's risk tolerance. Risks are constantly changing, and your company’s tolerance may also change over time.

2) Secure Configuration 
Put simply, this is all about making sure that your systems are patched appropriately, that anti-virus / anti-malware software is installed, updated and running, that you have an inventory of the equipment you have and what software is installed on it, and that where possible you've documented a standard build for all your devices.

3) Network Security
This section is aimed at preventing unauthorised access to your network and connected devices, and the controls are typically the use of firewalls, content filtering and ongoing monitoring, as well as regular penetration tests of your network. For example, it is widely assumed that Wi-Fi only works over a short distance, but it can be accessible up to five miles offshore.

4) Malware Prevention
This is partly covered in 2 above, but also includes ensuring you have processes in place for dealing with things like USB sticks and other removable media.

5) Removable Media Control
Closely tied to 4 above, it covers whether removable media is permitted and under what circumstances. It also looks at whether only specific users have access or is it generally available to all users.

6) User Education and Awareness
This shouldn’t merely be a tick-box exercise, but should be carefully designed to ensure that employees know what behaviour is expected of them. Done properly, it can have a positive impact on your business and the risks associated with it. It should help explain the risks of certain actions in a way that matters and affects the individual; it should explain the "what's in it for me" question. Humans are the weakest link in any security solution, so we should help them get it right by helping them understand what's at stake.

7) Managing User Privileges
The different systems in use in your business almost certainly allow you to grant different levels of access dependent on the role. Most users should not have administrator level access because of the risks that they install malware, or uninstall key components. Malware often spreads by escalating privileges to the highest level and this is one way to slow it down.

You should review who has access to what on a regular basis, and amend their access as necessary. For example, why would someone in HR or Operations need access to Finance data? This is known as the principle of least privilege and is good practice.

8) Incident Management
This is not only about how you deal with an incident when it occurs, but about being prepared for one when it happens. Document your processes, and test them regularly, whether by doing a full test or a table top exercise. Ensure that your staff know what to do and who to contact – this could be covered in your training described in 6 above.

9) Monitoring
This is how you identify a potential issue before it becomes more serious. Start by documenting what you need to measure, then implement monitoring of systems and networks which should be continuous, so you'll need a way of identifying anomalies/ unusual behaviour. This may be through log analysis or you may look for software which helps to visualise the data, which make the anomalies stand out.

10) Home and Mobile Working
This section concentrates on the controls around working remotely from your main office. Those controls might look at what security is in place to protect data, both at rest and in transit (i.e. when being sent across networks - do you use Virtual Private Networks, encryption, two factor authentication etc), and all of this would be included in your awareness training at 7 above.

These steps are relatively straightforward, and there is a degree of overlap between them. For the most part, it all boils down to how you protect your data, how you ensure the data cannot be tampered with, and how you get access to it in the event of an incident. Cyber security doesn’t need to be overly complicated, incomprehensible or vastly expensive, but without it your entire operation remains open to personal and financial risk.

About the Author
Steve Mair is Senior Cyber Security Consultant at Protection Group International (PGI). Steve is an experienced security professional with a background in risk and governance, training delivery, consultancy and IT. He has worked with clients ranging from SMEs to national governments.

Steve is one of PGI’s GCHQ Certified Trainers, delivering their GCHQ Certified Executive Cyber Awareness, Cyber Security Awareness and Cyber Security Fundamentals courses, as well as CISSP, CISM and ISO 27001 Lead Auditor courses. Steve’s career includes over 20 years with a FTSE100 company, initially in IT before transitioning to Group Risk and Security, creating corporate security policies and delivering awareness training courses. 

Related Articles:
Cyber Security: Are You on the Radar?
Cyber Security: Are You Protected?
Cyber Security Onboard: The Legal Implications