What can crew, guests and management do to increase security?
One of first places to start is education, of which first and foremost, it needs to be acknowledged and accepted that there is an issue in the sector, the threats do exist and they are real! We have heard all too often of late that Cyber Security is not an issue for yachts; ‘it’s made up by outside contractors to make a fast buck out of the Owners’…utter nonsense, not helpful and is only exasperating the problem!
Attacks, targeted and generic are being sent to the sector, be that Management Companies, Brokers, Insurers AND Yachts on an almost daily basis. The sector is not immune. We’ve been receiving and analysing many of these examples over the last few years and where we can, getting the links removed from the likes of Dropbox and Google Drive etc, reporting to hosting companies to close the services down and feeding that information back to sector to help protect, educate and reduce the success rate. By far the most common method we’ve seen in recent times is Email Address Spoofing. This is where the attacker will try and make the email seem all the more genuine appearing as if it’s from the true sender. Awareness of what is happening here and how some of these attackers operate can help immensely.
Crew and Management need to be very aware not just of the above, but also how they act, what they post online and in public while under the employment of a Yacht. If an owner is high profile and of ‘interest’ then certainly in our opinion and experience, the bad guys will go to great lengths in order to achieve their goal, whatever they may be. A great deal of information can be gathered freely via social media and social engineering. By ‘hanging around’ Marinas, or in bars where Yachts are anchored, any would be attacker could gain very useful information just by listening in to conversations or by befriending somebody.
Now we are not saying here that state sponsored spies and hackers hang around in the dark just waiting for yacht crew to turn up, but it can and does happen and crew should be acutely aware of what they post online and discuss in public in relation to their employment. All of that said, this should in no way distract from the fact that all yachts, regardless of owner or size, do carry information that is of value, be that personal, financial or both.
With all the above said, as a minimum all crew and anybody associated with this sector should pay close attention to all emails they receive, especially those that contain attachments or links. With the spoofing mentioned above, just because it may appear that it’s from a known and trusted contact, doesn’t mean it is. If you aren’t expecting an email relating to an ‘overdue invoice’ or if you have never performed any business transaction to warrant an invoice, if they are known to you, question it directly with them, preferably by phone as we have undeniable evidence of a company we now assist, thinking they were in email communication with a yacht when they were in fact talking directly with the hacker! If you don’t know the sender, then do not under any circumstances open any attachments or click any links, regardless of how tempting it may be!
If there is any doubt or suspicion at all, verify, or leave alone. We spend many hours analysing emails our clients send to us, most of the time they turn out to be fine, but better to take an hour or two to investigate and verify something than open it and face the tidy up!
Devices and computers on board, corporate and personal should all be kept up to date as vulnerabilities occur on a daily basis. Android devices in our opinion should have Anti-Virus installed and you should only install apps from known, trusted locations, like the Google Play store for example, but even then, as these apps are not as stringently checked as Apple applications are, they can and do contain malware, hence the Anti-Virus.
Tempting as it may be, do NOT jailbreak your Apple devices as this opens them up to a level of risk that in our opinion, isn’t worth it.
Seriously consider the use of a password manager to securely create and store passwords and other login information to ensure there’s little or no risk of password re-use, because nobody does that anymore do they!?
Avoid ‘Free Wifi’! you have no idea who else is on the network, or what they may be doing! If this cannot be avoided, the use of a VPN would be a necessity not a nice to have.
Consider making it mandatory that all staff regularly attend Cyber Awareness training, be that online or in the class room. These courses should cover all aspects including social engineering and should be measured to prove their effectiveness, because simply doing a course and not following it up may offer little benefit in the long run.
When it comes to guests, that’s more of a challenge. When a guest arrives on a yacht, we doubt very much they would want to be troubled by attending an awareness course or making sure their devices are protected and updated! They simply want to turn up, relax and enjoy. Regarding them personally and their own cyber protection and privacy is arguably a concern for them to deal with, not the crew and it would be unlikely you would change their habits overnight. This in our opinion is where a properly designed, segregated, secured network comes in as neither the owner, nor guests should really be troubled by it, it should just do its job well and properly.
To finish off, the above is not exhaustive, but it’s a place to start. We are no longer in the 90’s, the days of simply putting a basic firewall in place, installing Anti-Virus and never re-visiting are long gone! The threat is real, it is not going away anytime soon and we should not be distracted by just thinking the threat is from ‘State Sponsored Actors’ or evil doers taking ‘control’ of the ship, spoofing GPS to make a ship run aground or what has been mentioned above; ALL of it needs to be considered, the risks understood, mitigated, managed or accepted, but that’s for another article!