THE URGENCY TO CYBER SECURITY: WHAT COMPANIES NEED TO KNOW
Interview: Manolis Lazaridis, CEO of the Diaplous Group
“There are two types of companies, those that have been hacked and those that will be,” said FBI Director Robert Mueller. “...and there is a third type, those that have been hacked and simply don’t know it yet,” added Mr. Lazaridis, CEO of the Diaplous Group, who already has a long and rising career in the maritime industry. The Diaplous Group started out as a private maritime security company (PMSC) in 2010, providing services to the owners and operators of vessels in high-risk areas. Over the decade, Diaplous has grown into the world’s most compliant, approved and certified MRM provider serving stakeholders of the maritime industry. The group maintains six offices internationally and a client base of over 930 shipping companies globally.
Q: What triggered you to establish DIAPLOUS-CYBER?
A: During the last decade, there was a rapid growth and evolution of cybercrime. Attackers developed more sophisticated tools and techniques to penetrate into a company’s network, which increased both the number of cyber-attacks and data breaches.
Therefore, DIAPLOUS-CYBER was born to apply cutting-edge cyber security technologies and holistic solutions for companies to maintain business continuity in adverse conditions. We carry the vast anti-piracy experience of the Diaplous group from the physical world over to cyberspace, and are able to draw on leading providers in our service offering. Our NATO-trained experts brought over engineering capabilities and we are now able to monitor vessels via the Cyber Defence Operations Center (CDOC) and implement countermeasures in near real-time.
To enhance our services further, we are also partnering with Alpha Marine Consulting in offering Cyber Risk Assessment and Cyber Risk Management.
Q: Is cyber security expensive?
A: “Cybersecurity is not expensive, it is priceless” compared to the overall damage a company can experience after a cyber security incident. Recovering from such an incident can cost a company even a six-digit amount of money, let alone the reputational damage, putting many out of business.
One of the best-known examples is the cyber-attack targeting Maersk, which cost the company almost $300 billion.
This is why we are firm believers that businesses should take a proactive approach to cyber security and invest in it before a cyber incident takes place.
Q: What is the situation in the maritime industry?
A: Our experience so far has shown that, unfortunately, the majority of Greek shipping companies are not aware of the importance of cyber security and do not consider cyber-attacks a potentially threatening risk. A common misconception is that only large businesses are a potential target for cyber attackers. This is a myth! In fact, cyber-attacks on smaller businesses are more common than many might think.
Through our series of webinars, we are trying to raise the Greek industry’s awareness about cyber security and educate our participants as much as possible on this topic. We have already successfully organized three webinars and we are planning to offer more during the following months, covering different topics around cyber security and defence.
Q: How should a cyber incident be handled? Is there an analogy with the typical “marine incident”?
A: A cyber incident should be treated as a marine incident, and the measures to be taken to deal with it will depend on its severity. In fact, in every Management System there must be a categorization of events based on their actual or potential impact. Each category of events will mark defined actions and reaction times, the manning of the crisis response team and other actions on the part of the company and the ship.
There is, therefore, an obligation for each company to organize a Response Plan, which should be combined with the existing Emergency Response Plan.
At the same time, we must stress the importance of the mandatory annual drills and readiness exercises which can be combined with penetration tests. It becomes clear, then, that the success of dealing with a cyberattack depends on the training and preparedness of the participants and their familiarity with the procedures and obligations.
Q: How useful and necessary is penetration testing?
A: The penetration test is an essential tool for any company in order to identify the vulnerabilities of its IT and OT systems as it offers the ability to detect all the effects of a cyber-attack. It is also the most useful tool for risk assessment as, from a technical point of view, it will provide us with more complete information than any other method of approaching and assessing weaknesses.
The penetration test must be done in the company and at least in a percentage of its fleet and must be repeated at regular intervals to confirm the effectiveness of the corrective actions taken each time.
It should be noted that charterers, and especially oil companies, now require penetration testing during both TMSA Office Audits on both the company and the ships.