Robert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group
Presentation Objectives Introductions Cyber security context Cyber security in the maritime sector Developing cybersecurity maturity What does success look like? Characteristics of Successful Organisations Quick wins
Introductions
Context Organisations cannot ignore the potential benefits of emerging technologies Efficiency savings & effectiveness gains Dynamic data driven decision making Context specific data to myriad of devices Optimise business processes Understand & predict behaviour Innovate or go out of business
Context However, using these technologies changes your security environment A new security model is needed Concept of perimeter changes Detection & Response becomes as importance as Defence Security exists within and enables an agreed organizational risk model
Context Cyber-attacks are growing in scale, scope, and sophistication Hardware & software are targeted, often in the supply chain Attackers range from disaffected employees, single-issue activists, hobbyhackers, criminals, terrorists, and nation states It is safe to assume that you are a target
Context Getting it wrong is expensive & can kill your business 5 % of business-related privacy and security breaches result in more $20 million in direct costs and damages Those costs include legal expenses and legal settlements, business interruption costs, investigating and remediating problems, as well as possibly paying for crisis communications and other specialized services Aon Corp
Context Just having insurance isn t enough The average cost for a breach is $7 million. Yet, the average portion of that cost borne by cyber-risk insurance is just $3 million If you consider all revenue classes, only 8 percent (of U.S. businesses) buy cyber coverage Aon Corp
Context This isn t just a data protection & privacy issue What harm could an attacker do if they chose to disrupt your infrastructure? Manipulate your connected equipment? Disrupt GPS & navigation systems Remotely change the mixing formula in your supplier s factory?
Cyber Security in the Maritime Sector The maritime sector is particularly vulnerable to a successful cyber attack Reliance on complex embedded systems Complex hardware & software supply chain with dependence on remote management Challenges of achieving skilled 1 st, 2 nd & 3 rd line support Lack of proximate third party or emergency support
Impact Assessment Regulators, Markets & Media will judge your organization based on: How long it took to detect a breach How long the attacker had been in the system & level of access obtained The quality of control, monitoring & cyber hygiene measures in place & supported by policy The effectiveness of the response plan The time taken to resume key services The effectiveness & speed of the post breach communication
Impact Assessment An increasing number of governments, insurance companies & enterprises are establishing minimum standards of cyber security if your organization is to be part of their supply chain or to seek insurance Only 1 in 3 supply chain vendor contracts contain security provisions Only 1 in 3 supply chain vendors have any security certification or accreditation
Developing Cybersecurity Maturity The key here is to strike the right balance enabling your organization to exploit the potential of emerging technologies effectively & securely? Most organizations lack the skills at board level to do this effectively & in-house IT alone is not enough Who is advising you?
Developing Cybersecurity Maturity Organizations which regularly review cyber threat & response planning at Board level are subject to fewer successful attacks, and respond more effectively when attacked This is not a technology issue, it is a business change issue driven by strategic risk & organizational imperatives It has to be enshrined in policy & process to succeed
Cyber Economics Goal: increase attacker costs Attacker s ROI = (G x T) (CV + CW)
Characteristics of Successful Organisations Assume Breach is the operating principle & systems are tested against this Situational awareness & assessment inform strategy & operational decision making Supply chain & dependencies are understood & mapped Coherent & rehearsed dynamic response plan Enshrined in policy, training, and process Owned & reviewed at Board level
Quick Wins Reduce the number of privileged admin accounts to the absolute minimum, reduce the scope of the ones left, and use multifactor authentication Patch & Update promptly Cyberkeel Maritime Sector survey April 2015 37% failure rate Control physical access to your network & devices and establish gateway identity & health checks for network connections
Quick Wins Application whitelist Baseline normal activity on your network & look for outlier behaviour Have an alternative communication system ready for when you are attacked Understand who will help you on tactical & strategic recovery & have the relationship in place. Have 24/7 contact numbers for key personnel & vendors
Quick Wins Most attacks require some user interaction. Writing clear policy, training & educating staff, combined with visible sanctions for breaching policy works!
Conclusion The maritime sector is particularly vulnerable to cyber attack, and the consequences of a successful attack could be more severe than other domains Organisations in the maritime sector should be treating this as a high priority The processes of Protect, Detect, Respond are mature in other sectors & will work equally effectively in the maritime sector.
Robert Hayes Microsoft Global Cyber Security Group robert.hayes@microsoft.com The difficulty lies not in the new ideas, but in escaping from the old ones John Maynard Keynes 1883-1946