Cyber security – a technical inconvenience or a critical strategic risk?

As the world adapts to new ways of digital working, conducting much of its business remotely, supported by newly discovered web tools, many of us may feel we have stepped up a gear in our ability and competence operating in cyberspace. It is no longer purely the domain of the Instagram generation.

However, with this increased access and online presence comes increased exposure and increased risk to cyber threats. We are used to regular reminders to update security software and protocols from our home and/or work network providers, but have we really stopped to consider ‘What if?’

What if… the smart interconnected system I have at home that enables me to communicate with the outside world, order food for home delivery, order gifts for family members that I am unable to visit at present, and lets me watch any number of films and documentaries for my sanity, education and relaxation… what if all of that stops? What if nothing works? What if by hacking my system, someone sends spurious unpleasant emails to all my contacts? What if they redirect my groceries or family gifts elsewhere? What if I don’t receive the important medical report from my Doctor on my pre-existing condition? Or the track and trace message, highlighting I am now at enhanced risk of COVID?

In the maritime world, we have seen recent examples where the business equivalent of the above domestic situations has put whole fleets of ships at risk, disrupted communications and supply chains, and increased the risk to the safety and well-being of crew members.

We are familiar with the technical solutions to reduce the risk and we rely on our information system or operational technology system providers to keep us advised and protected. However in our role as executives and board leaders responsible for the safety and operations of large shipping fleets or port operations, the questions are more strategic:

How do I assess the cyber risk alongside other risks I need to form a judgement on?

How can I make a decision on something on which I have little experience to fall back on, given the exponential rise in this issue in recent years?

I am comfortable with the majority of risks presented by the risk committee as I have direct experience in most of these areas. In cyber, other than avoiding clicking on a link that may or may not look suspicious or remembering to change my personal passwords with ever increasing frequency, these issues seem to have escalated exponentially in recent years.

As a CEO, board chair or risk committee chair, I am inundated with offers of technical assistance. I am aware of the IMO and IACS guidelines and BIMCO risk framework, but am I really comfortable that we would know how to react if we were the subject of a malicious attack?

These are the questions that a programme, co-sponsored by the LRQA Foundation and the UK National Cyber Security Centre, are currently addressing. Cyber Readiness for Boards is a two-year programme, led by the Research Institute for Sociotechnical Cyber Security at University College London and supported by an international team of business specialists in cyber security and board-level operations.

The programme takes a number of inputs into account in its work. These include capturing the current experience and practices of board members and non-executive directors through confidential and anonymised one-on-one interviews with senior specialists, research on the effectiveness of current guidelines and training methods, and analysis of board-level roles, responsibilities and decision-making practice on cyber security topics.

The outputs of the programme will include recommendations for future updates of guidelines, a revised best practice toolkit for board members to access. This is also an option for board members to undertake a training exercise whereby a situation relevant to your specific board will be role‑played to investigate thinking and decision-making when presented with a cyber threat to your business.

If you are a board member or non-executive director interested in participating, please get in touch. The more engagement we have, the more value will be added to the updated guidelines and training exercises helping us all in engineering a safer world.