Cyber security has been one of this decade’s defining conversation points; everyone from the layman to the nation state is a target. Whilst the threat to all may be overstated by the mainstream media, the threat nonetheless exists, especially if you are a high-profile individual, wealthy and in business. Join us at the Global Superyacht Forum 2016 where Malcolm Taylor, Head of Cyber Security at G3, will explore how best to protect owner and vessel.
“There are two main cyber security threats to superyachts. The first is the theft of data; money, photos and various other valuable pieces of information. The second, which is also relatively easy, is to hack the boat control systems including the navigation”, says Taylor.
Taylor, who served with the UK foreign office for nearly 20 years in both GCHQ and MI6, explains that it is relatively common for ultra-high-net-worth individuals to have secured their homes, their businesses, their phones, iPads and various other spaces and devices, but for some reason their yachts go overlooked.
“I think that, like all technology, 10 years ago yachts didn’t have the capabilities that they have now with GSM, satellites, WiFi and so on. There has been a real acceleration in what people can do on board and owners haven’t ensured that their security systems are kept up to date,” continues Taylor.
The example Taylor cites as his eye-opener to the superyacht industry was an owner who already had land-based and mobile cyber security measures in place, but spent nearly a quarter of the year on board his yacht without considering cyber security for it. “He did business on his yacht, had his family and friends on the yacht, threw parties on board and allowed pictures to be taken. He wanted these to be private, and they were not”, Taylor explains. “He simply wasn’t aware of the risks which made him vulnerable to cyber attacks. Unfortunately, this is the norm, not the exception.”
In order to prevent cybercrime, Taylor and the team at G3 target three core areas: technology, governance and people. Technology refers to firewalls, configurations, encryption, passwords and so on, which, more often than not, “is the simple stuff.” Arguably more important to the security process is governance and the crew.
“Governance is about the policies that are in place on board; the use of IT and social media, it is about how the crew behaves”, explains Taylor. “On a number of yachts this is often already quite good because there are existing policies to ensure that crew doesn’t use mobile phones or social media and are not allowed to take photographs on board.”
However, even best policies fall short if those who are meant to implement them choose not to. “The third element, which is invariably the most important, is people. It doesn’t matter how good the technology is and it doesn’t matter how good the governance regimes are, cyber-attackers can usually find a way around them, typically through human ignorance. Around 90 per cent of successful cyber-attacks in 2015 involved a person inside a company compromising system security without knowing it. This can include really simple stuff like not choosing a strong password, clicking on links in suspicious emails, and not keeping personal information private”, says Taylor.
Information is key. Using personal details - such as names, dates, social circles, hobbies and interests - hackers can profile a crew member or owner and design attacks based on their traits. According to Taylor, the majority of attacks come through phishing emails. However, the more sophisticated of these will be personalised and designed to engage the interest of the recipient and trick him to click a link or open an attachment. Once the malicious software gets into to a device, its connectivity to the yacht’s IT allows the attacker to move sideways through the system, penetrating as deep as it can and gaining access to as much information as possible.
“I worked for the intelligence agencies for nearly 20 years and as a result I have a good understanding of how attackers work” continues Taylor. “If I was going to attack a superyacht, the first thing I would do would be to profile the crew, and find the ones that gave me the best chance of a successful attack. I would then design a malicious email, using the information I have gleaned about them, and therefore be pretty confident that I can trick them so that my attack succeeds. Then I simply steal what I want - photos, financial data, money, corporate secrets, or any other sort of sensitive information.”
At the Global Superyacht Form 2016, Taylor will be hosting a workshop entitled ‘Superyacht Cyber Security’, where he will discuss cyber security for superyachts and how best to protect the owner, the crew and the vessel.