As well as highlighting the importance of ‘bringing in executives and doing tabletop exercises,’ Pat McCoy, director, Mandiant Consulting, said ‘It’s useful to do offensive testing … knowing the risk yourself before you become a news headline … is a great first place to start.’
The comments came during the ‘Ransomware and Maritime Cyber Security in the Post-Pandemic World’ session at last week’s Seatrade Cruise Global in Miami Beach.
Learn lessons from data breaches
‘Everyone can learn, one way or another, from the experience of others,’ according to Rob Pegoraro, contributor, USA Today and Fast Company, when it comes to breaches in cyber security. He referred to cruise ships as ‘a floating data centre,’ albeit recognising that ‘at least on a ship you have a culture of safety drills,’ implying operators may be more adaptable when it comes to implementing measures against emerging online threats.
‘Not if, but when …’
‘Not if, but when, is something we use all the time internally,’ continued McCoy. ‘Everyone’s a target.’ Describing himself as being ‘busier and busier and busier ... driven by awareness,’ he encouraged ‘cyber hygiene’ practices.
‘When we were attacked recently, our CEO was laser transparent about what happened, how it happened … We published everything that we learned about the attacker publicly and burned their infrastructure down.’
On those responsible for cyber crimes, the director spoke of the role of government: ‘The challenge is attribution when it comes to setting sanctions.’
Cyber at sea
‘It’s a misconception that we can’t patch a ship in the middle of the ocean … there are ways ’round that,’ declared Georgios Mortakis, VP enterprise technology operations and chief information security officer, Norwegian Cruise Line Holdings.
‘Ransomware is nothing new. It’s become much more visible recently but everyone is in scope.’
McCoy also warned: ‘They’re looking for high-visibility organizations, and no industry is immune from that.’