Cyberattacks are on the rise. It’s a natural extension of our collective technological advances. We are as interconnected as ever, which naturally results in immeasurable benefits. But it also exposes us to bad actors who will try and benefit from vulnerable systems. The shipping giant Maersk can attest to the latter.      

In 2017 the Russian military launched a disk-wiping cyber weapon, NotPetya, with the intent of targeting businesses in Ukraine. Yet, the malware quickly got out of hand and Maersk was one of the companies caught in the crossfire. The firm was rendered defenseless and ended up having to reinstall 4,000 servers, 45,000 PCs, and 2,500 applications over an improbable 10-day period. To put this in perspective, installing something of this magnitude in normal times would take roughly 6 months. 

Maersk suffered $300 million in losses and the incident was a real wakeup call for the industry. The concern for shipping is not only individual business operations, but also the residual effects – namely, ports being closed and the subsequent supply chain severely hampered. Organizations worldwide have been conducting internal audits to see just how exposed they are. The measures are considerable, but the exercise starts with five actionable steps. 

First is conducting a disaster-recovery planning scenario that spans both physical and digital systems. A good disaster plan accounts for the “craziest” of scenarios and then action steps to mitigate the impact. For shipping, this training should incorporate onshore and at-sea elements to prepare for every potential scenario. 

The second is a controversial step – zero-trust. Digitization expansion has rendered the security perimeter obsolete. Personal computing and small-scale businesses rely on firewalls. Large-scale organizations in 2022 require authenticated access at every level. This is challenging for organizations working remotely or in a hybrid environment Yet, if implemented with a clear, shared security-first goal for the entire organization, zero-trust turns into a transparent policy that ends up fostering trust in the system. 

Third, and closely aligned with zero-trust, is security is now everybody’s problem. The National Institute of Standards and Technology (NIST) provides a host of resources on how to enhance cyber-security in organizations of all sizes. Much of their literature is free and also readable – something key if you’re seeking security buy-in from everyone at the firm. 

The Colonial Pipeline attack took down the largest US fuel pipeline in May 2021. After negotiation, the company paid a hacker group roughly $4.4 million in Bitcoin. It was a stunning turn of events, and believe it or not, an ineffective password policy is what let the hackers in. Simple steps such as mandating a multi-factor authentication process and regular compromised credentials screening could have stopped the hackers in their tracks. These are simple (and cheap) measures coupled with software updates and security patches. 

Lastly, training, training, training. All of the above will not work unless employees receive regular training. The arsenal of attacks is ever-changing and the cost-benefit analysis of failing to train can rear its ugly head at any time. These are critical first steps that large firms have the funds for and smaller firms need to budget for. Cybersecurity can no longer be something for future generations to address.