“Humans have adapted to predation, but aren’t so good at defence,” believes Pelion Consulting's CSO Campbell Murray. And he’s not wrong. As all aspects of our lives continue to move online, scammers, hackers and fraudsters have all enjoyed greater opportunities to strike. No where is this so prevalent as in the superyacht industry.
Campbell has previously written about Predator Theory in the context of cyber security in IT Wire and CSO and here Richard Hodder, MD of Pelion Consulting, explains the relevance to superyachts in an industry which has so far been reluctant to get to grips with cyber security.
What is Predator Theory?
Humans are the most successful predators to have ever existed, unrivalled by no other species. They have the ability to work in teams to attack teams of the same species. Predator Theory suggests that as humans we are more adapted to attacking than we are at defence.
How might it explain different perceptions around threat levels?
Throughout history, humans have built physical defensive structures. However multiple ways of attacking and infiltrating that structure would soon be thought up. Even though the structure might give an illusion on complete safety, it would also guarantee that inventive ways were already being thought of to breach the defence.
The same situation exists in the virtual word and the same theory can be applied to cyber security. People are always out there trying get your stuff. Some say data is the new oil.
What most influences captains/owners in their understanding of their own risk levels?
When it comes to yacht captains and owners, the understanding and perception of risk is likely determined by existing regulations, standards and their previous experience. There are so many factors that need to be taken into consideration when running a yacht that it’s inevitable some items get overlooked, especially if not properly regulated.
Cyber security has been covered a lot in both the yachting and mainstream media, so why are so few yachts taking it seriously?
The tide is gradually turning, especially with all the coverage recently. There’s a big difference in attitude towards cyber security on board and the defining factor seems to be whether a yacht is commercial or private.
As you know, commercial yachts are bound by regulations whereas the private yachts can operate as ‘best practice’. It’s the private yachts that are looking at the cyber risk regulations and saying let’s check this out, implement security and safety mechanisms, ensure the crew are well informed and that the owner is protected as can be. Commercial yachts, on the other hand, generally see the regulations as an extra burden, more bureaucracy and in many cases, are just doing the bare minimum to comply.
What are the barriers – is it time/cost, or simply the notion that it will never happen to me?
A combination of factors is at play here which are all linked together. The biggest thing is a lack of awareness to the threats and a lack of appreciation of the risks posed by cyber crime. That obviously contributes to the perception and of time and cost being too great.
A small outlay is required to prevent a big issues and larger financial breaches when there is eventually an attack on a yacht or organisations assets and people. This leads us to the” it’ll never happen to me” attitude which I think we are all guilty of at some point in our lives. It’s like leaving your bicycle outside for months without locking it up. Complacency sets in and one day the bike disappears. Only then is a secure place and a locked gate considered. The same applies in the cyber world; the bike is our data and the locked gate constitutes the measures we put in place to secure that data.
Campbell argues that cyber security takes a village - what constitutes the village in the context of a superyacht?
The village, as we used to know it, in its traditional context is one of community, protection and validation of the belief system. In a close-knit village, there would always be someone that brings to your attention if you are wrong, even if you weren’t.
The proliferation of the Internet has seen us turn to the web to fulfil our evolutionary desire for community, competition, and domination, however we do not have the mental capability to adapt to the new onslaught of ideas and intense levels of information available to us. Campbell suggests our villages protected us, filtered opinions, verified news and were safe places to discuss new ideas.
Now we have a deluge of data and information, and we’re not evolving and keeping up with the new ways of validating and understanding. Technology has developed so quickly and continues to do so, our evolutionary development can’t keep up.
This is particularly true for yachts where the Internet has really only been big for the past 10 years, so this is where the focus has been. Provide connectivity at any cost without thinking of the implications of a hyper connected vessel.
This leads us back to the “it won’t happen to me” situation.
Do the new IMO regulations apply to all commercial vessels worldwide and are they rigorous enough in today’s world?
The regulations apply to certain types of ships and yachts, however private vessels and those under required minimums are choosing to implement some form of cyber security policies. The regulations provide a good base from which yachts and other types of ships can start building their cyber security culture on board.
The process of doing this, the follow-up checks and defined responsibilities are still in their infancy and will develop over the coming years. However, with the yachting industry, it has increased focus in the media, increasing global tensions amongst other things.
The regulations and progress made so far is not rigorous enough, however it’s moving in the right direction.
What are some of the most basic things that any yacht can do to reduce their risks of a cyber attack?
Training and awareness are the key things that can be implemented - all crew need to understand the threats posed to not only the yacht, but themselves personally. We’re all targets for cyber criminals, and practicing good cyber hygiene in our daily lives will ensure we’ll bring those same practices into the workplace.
Something we all need to be aware of is the scams that utilise technology to have a bigger impact on a business - yachts and individuals. It starts with us as humans. We’re also the target.