We at Cyberstar observe too many organizational cultures across the maritime sector that pay little attention to fundamental cybersecurity principles. This is understandable: in common with other industries with a long and storied "pre-digitization" past, the maritime industry was and still is quite conservative in its business methods, so a gap opened between rapid digitization and the adoption of the corresponding cybersecurity standards.
Many of us work in organizations. Every company has a set of shared, often implicit, values and beliefs about how things should be done, a.k.a. an "organizational culture". That culture shapes two of the most common cyber-risk vectors, both of them human factors: user account compromise, and errors in configuring or using information systems.
At the same time, improving security culture is among the most cost-effective cybersecurity mechanisms. Managers have the ability to change their firm’s corporate culture, raising awareness and improving the practice of cyber hygiene.
EMPOWER YOUR EMPLOYEES WITH CYBERSECURITY
A top-down security policy may not get you far, because your staff will probably sense that it only hampers their work, and that undermines any security policy. As long as people do not understand the risks, you cannot expect them to think and act securely. To improve the security culture within the company, empower your employees with dedicated awareness-raising and training programs.
- Implement cyber literacy, awareness and capabilities training for all employees and contractors, so that the whole company reaches a minimum level of relevant cyber hygiene. Everyone should understand business email compromise (BEC) risks.
- The actions of the C-suite, finance, IT administrators and HR carry higher consequences. These privileged users present more risk and need tailored, and perhaps more intensive, training to reach a higher level of cyber literacy and capability.
- Implement modern, engaging activities that ignite employee cybersecurity awareness. Governments and businesses offer a range of awareness-raising and training programs, often at no cost. Tedious security drills are perceived as yet another box-checking burden that hampers work; the premium of an engaging program is well justified.
- Review the training content and the capabilities it targets annually, to keep pace with the inevitable changes in technologies and working practices.
Organize engaging cybersecurity awareness training: one for privileged users and a shorter one for all employees and contractors.
Cost: Low – Medium. Impact: Very High
EMPOWER YOUR EMPLOYEES WITH IMPROVED USABILITY
Your employees use corporate IT systems to work with suppliers and customers. Your employees (hopefully) want to succeed at their job. Too often, corporate information security comes with user-frustrating security practices that make their work harder. Overloaded, exhausted staff inevitably make genuine errors, and even when not tired, humans will try to sidestep burdens they see as unjustified. Take one such common practice: the password. It is very much sticking around, 16 years after Bill Gates predicted its demise. Moreover, counterproductive password management guidance remains in many firms:
- Password expiration at regular intervals, typically every 90 days.
- Password complexity rules, typically requiring gibberish and ##$*&!~ .
Forcing users to follow these rules places an extra burden on them and offers no security benefit. Staff will write hard-to-memorize passwords down on paper or digitally, exposing them to bulk leaks. People will reuse unnecessarily complex passwords, changing only a single character at each forced rotation. Shrewd workers will find ways to keep systems permanently logged in, just to avoid recalling and typing their credentials.
Typical core business applications where these credentials are in use include:
- Office productivity: Office 365, Microsoft Exchange, Google Workspace.
- Customer Relationship Management (CRM): Salesforce, SAP, SugarCRM, Microsoft Dynamics, Zoho.
- Accounting software: Sage Intacct, Oracle NetSuite, Intuit QuickBooks.
- Enterprise Resource Planning (ERP): Oracle, SAP.
The US National Institute of Standards and Technology (NIST), in Special Publication 800-63B, and the UK National Cyber Security Centre (NCSC) have both revised their password guidance: drop forced periodic expiration and composition ("complexity") rules, require a sensible minimum length, and screen new passwords against lists of commonly used and breached passwords. Adopt this current gold standard to help your employees get their jobs done.
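To make the difference concrete, here is an added example, written for this post and not code from the original article, from NIST or from the NCSC. It places the legacy rule set the post criticises (character-class requirements plus 90-day rotation) beside a checker that follows the NIST SP 800-63B memorized-secret rules (at least 8 characters, accept up to 64, no composition rules, no expiry, reject commonly used, breached, repetitive or sequential values). The blocklist, the sample passwords and their "last changed" dates are constructed for the example; a real deployment would back the blocklist with a breached-password corpus.

```python
import re
from datetime import date, timedelta

# Constructed stand-in for a real breached/common-password blocklist (in production this
# would be a large corpus, e.g. a breached-password list). Entries are lowercase and the
# check below is case-insensitive so that "Password1" still hits "password1".
BLOCKLIST = {"password", "password1", "p@ssw0rd", "welcome1", "summer2020!", "qwerty123"}

_CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")  # lower, upper, digit, symbol


def legacy_policy(password: str, last_changed: date, today: date) -> tuple[bool, str]:
    """The rules the post criticises: 8+ characters, at least three of four character
    classes ('gibberish and ##$*&!~'), and forced rotation every 90 days."""
    if len(password) < 8:
        return False, "too short (min 8)"
    classes = sum(bool(re.search(p, password)) for p in _CLASS_PATTERNS)
    if classes < 3:
        return False, "needs at least 3 of 4 character classes"
    if today - last_changed > timedelta(days=90):
        return False, "expired: rotate every 90 days"
    return True, "ok"


def _sequential_run(password: str, n: int = 4) -> bool:
    """True if any n consecutive characters ascend by one code point ('1234', 'abcd').
    Simplification: only ascending runs are checked here."""
    s = password.lower()
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(n - 1)):
            return True
    return False


def nist_policy(password: str) -> tuple[bool, str]:
    """NIST SP 800-63B memorized-secret rules: at least 8 characters, accept up to 64,
    no composition rules, no periodic expiry (hence no last_changed parameter), and reject
    values that are commonly used, breached, repetitive or sequential."""
    if len(password) < 8:
        return False, "too short (min 8)"
    if len(password) > 64:
        return False, "too long (max 64)"
    if password.lower() in BLOCKLIST:
        return False, "commonly used or breached"
    if len(set(password)) == 1:
        return False, "repetitive characters"
    if _sequential_run(password):
        return False, "sequential characters"
    return True, "ok"


def compare(samples: list[tuple[str, date]], today: date) -> list[tuple[str, bool, bool]]:
    """Run both policies over (password, last_changed) pairs and return
    (password, legacy_accepts, nist_accepts) for each."""
    return [(pw, legacy_policy(pw, changed, today)[0], nist_policy(pw)[0])
            for pw, changed in samples]


TODAY = date(2024, 6, 1)
# Constructed sample credentials; the 'last changed' dates are made up for the example.
SAMPLES = [
    ("P@ssw0rd", date(2024, 5, 1)),                      # satisfies every complexity rule, yet breached
    ("correct horse battery staple", date(2024, 5, 1)),  # strong passphrase, only one character class
    ("Tr0ub4dor&3", date(2024, 1, 1)),                   # sound password, simply older than 90 days
    ("1234abcd", date(2024, 5, 1)),                      # weak under both policies
]

if __name__ == "__main__":
    for pw, legacy_ok, nist_ok in compare(SAMPLES, TODAY):
        legacy = "accept" if legacy_ok else "reject"
        nist = "accept" if nist_ok else "reject"
        print(f"{pw!r:32} legacy={legacy}  nist={nist}")
```

Running it shows the trade-off the post is describing: the legacy rules wave through "P@ssw0rd" (four character classes, freshly rotated) while rejecting a long lowercase passphrase and forcing a perfectly good password to be changed because a calendar date passed; the NIST-style check rejects the breached value and the sequential one and accepts the other two, with no rotation clock at all.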
Review the usability of your current security mechanisms. Simplify workflows by adopting mechanisms that give both better security and higher usability, leveraging newer technologies.
Cost: Low. Impact: High
Most maritime businesses have yet to prioritize cyber hygiene. A good security culture is often more important than higher (fire)walls. This post has presented two MVPs in the People and Procedures category: empower your employees, and lead the organizational change. These complement the software MVPs in our previous post: multi-factor authentication, automated patching and automatic backup. It is high time your business benefited from a culture that values and practices cyber hygiene as an integral part of its everyday working procedures.