IMIF BUFFET LUNCHEON
Date: Wednesday 5 April 2017
Venue: Watson Farley & Williams LLP, 15 Appold Street, London EC2
Host: Watson Farley & Williams LLP
Speaker: Andrew Fitzmaurice, Chief Executive of Templar Executives
Subject: Cyber Security in Action
IMIF Report by James Brewer
Alan McCarthy, who chaired the meeting, suspected that the matter of cyber security had yet to be taken fully on board by the shipping industry. What had been seen of cyber problems was the tip of an iceberg. Only that day there had been news that researchers at the UK’s National Cyber Security Centre, BAE Systems and PwC were warning of what they said was a global spying effort on an unprecedented scale by state-sponsored hackers in China.
Mr Fitzmaurice agreed that “the Chinese, Russians, Iranians, everybody is trying to get into our systems all the time.”
He insisted that implementing cyber security was “just part of good business.” He said: “It affects every element of your business. It also says the government cannot do this by itself.”
Mr Fitzmaurice heads a team at Templar Executives that has supported FTSE 100 companies and designed cyber security transformation programmes to address shortfalls in ‘holistic cyber security maturity.’ He established a Cyber Academy whose courses are accredited by GCHQ (the UK government intelligence and security organisation), the Institute of Information Security Professionals and the Chartered Institute for IT.
The UK was one of the first countries to have a national strategy in this field “and we have put our money where our mouth is,” said Mr Fitzmaurice. UK strategy since 2011 has been quite successful, he said, and this was taken a step further this year.
As part of GCHQ, the National Cyber Security Centre was officially opened by the Queen in February 2017, with approved spending of £1.9bn by 2020 to combat cyber-crime. GCHQ’s cyber security chief Ciaran Martin had said that the aim was to “make the UK the safest place to live and do business online.” The NCSC has been operational since October 2016 and has already responded to many cyber-attacks. It is a point of contact for businesses seeking advice and offers support in the event of serious cyber breaches. Companies will be able to check worries about their websites, and the drive includes educational work among 14 to 18 year olds.
The internet was unregulated, emphasised Mr Fitzmaurice, and “any organisation needs to think about cyber-resilience.” The use of the internet was “just going to grow.” Prime minister Narendra Modi has said that India’s entire population of 1.2bn will be connected by 2020 – this in a country where 60% of the people still lack a proper toilet.
Mr Fitzmaurice detailed a list of sources of disruption, including criminals, hackers, hacktivists, spies and commercial espionage. Their activities could among other impacts hit a company’s share price. “Computers, innocents and insiders are perhaps the biggest threat.” The tools to cause damage could be bought for a few dollars on the internet. “The temptation to use them for a nefarious purpose is too strong for a lot of people.”
The human element tended to be forgotten. “Good old-fashioned honey traps are coming right back into fashion,” he asserted.
Criminals could gather a mosaic of information sent between office colleagues; for instance, the strands could be put together to learn when a maritime company was going bust. In terms of Brexit, if your friends are relocating to the Continent you will be tempted to make use of that information.
He cited a case study of a shipping company operations room where staff were absent, equipment was accessible, wi-fi unsecured, a draft manifest was in the waste bin, and there was a live feed on the position of ships in the Middle East Gulf. “We tend to get fixated about a ship being taken over. Far more important to protect the details about your insider database.”
A company should be careful about employees who might be unsettled: a typical insider who might commit cyber-crime was a male of 31-45 years old going through a mid-life crisis. Managements should ensure that information at all levels was being secured properly.
The Templar Executives chief urged great caution over the use of social media, showing a short video in which coffee shop assistants were serving beverages to customers unaware that they were providing “data to go.” One client was told: “we know everything about you.”
Among the dangers was that of impersonation, with people who gave their details to social media sites vulnerable to fraud. There were many false accounts on one of the most popular sites: “so social media is the way [fraudsters are] going to attack you.”
Accepting the usually unread “terms and conditions” of technology products meant “you are going to sign over virtually everything you have got,” he warned.
Too many people were taking their smart phones, which could collect information and siphon it to ‘the cloud,’ on to the bridge of a ship; and it was mad to allow anyone to take smart phones into a company boardroom.
Organised crime had really got its act together in relation to the ‘dark net’ and even had its own KPIs (key performance indicators, a measure used by legitimate businesses) for its services.
Normal due diligence was not enough. “Who watches the watchers? Who watches the administrators who have all the access to your ‘crown jewels?’” People moving jobs within the organisation were among those with opportunity to commit systematic fraud.
The maritime industry was “not doing all that much about it,” although BIMCO had a high-level summit on the question in November 2016. Equally, other industries had yet to get to grips with the issues, he said, admitting that the bar was high. “There is a little bit of ‘it is never going to happen to me,’ an attitude that is not unusual. I think the maritime sector has just got lucky so far.”
Mr McCarthy said that with shore people loading information on lap-tops, containers being handled by computer systems and companies processing millions of pieces of data, it was vital that the shipping industry, which was a linchpin of global trade, should not be compromised.
He thanked Mr Fitzmaurice for his extensive review of the cyber threat landscape, and the event hosts, Watson Farley & Williams, for their welcome and hospitality.