The world is different from a year ago. What are the top maritime cyber risks and top recommendations to mitigate these risks?



Geo political changes in the last year has led to an increase in cyber risks. During a recent top meeting in Barcelona top CEO’s in the maritime sector agreed that secure digital communication platforms are essential for fast and efficient information transfer cargo handling in the ports but that at the same time cyberrisk is becoming a hot topic for port communities around the world to avoid operational chaos, business disruption and financial loss. According to the World Economic Forum, economic loss owing to cyber crime is representing 3,4% of global GDP.

Cybercriminals and digital warfare attackers are increasingly searching for the shortest and easiest way to get access to the digital crown jewels in the mainports of the world. They buy userid’s and passwords on the Darkweb, the ‘underworld’ of the internet. They scan computer systems on missing patches to find an easy way to get access to the Crown Jewels of the maritime sector.

The top 3 risks are unavailability of Port infrastructure caused by ransomware. (remember the Maersk incident), or an internet infrastructure which is damaged, or take over of internet of things systems like locks, bridges and or vessels.

The main mitigation actions are multi factor authentication (a second factor besides a password e.g. a code in your smartphone, fingerprint etc), excellent cyber hygiene (e.g. patching procedures, pen testing), prediction of cyber attacks (e.g. Secure Development Life Cycles), Business Continuity Plans (e.g. playbooks) and Top management attention on Cyber Risk Management.

In case of cyber incidents companies and organisations will be asked to explain how this could happen, CEO’s will need to proof that guidelines (e.g. IMO), frameworks (e.g. NIS, ISO27001) were implemented to prevent this kind of incidents. Legal explanations will be requested by the companies who suffered damage.

Companies should not start flying without parachutes. Digital transformation in the Maritime Sector needs to be facilitated by leading frameworks such as ISO27001.

The question is not whether a severe cyber incident will happen, but when it will happen.

To increase protection of your digital systems against cybercrime the services of can protect you in an efficient way.

Services we offer vary from Ransomware protection, consultancy, business continuity workshops, Implementation of ISO27001:2022, Internal Audit.

Your first call and our first visit is free contact us

Top 5 Business Risks of Cloud Computing

cloud computing (1)

Cloud computing has a lot of business benefits, such as cost effective, flexible and a fast time to deploy. But there are also at least 5 major risks any business should try to mitigate  before using a ‘public’ cloud service.

Risk 1: Vendor Lock-In

Will your organization be able to migrate “cost & time effective” to another cloud service ?

Most cloud providers benefit intentionally or unintentionally from vendor lock inkeeping things proprietary as long as possible. Providers can also suddenly announce cost increase or be bought out by a larger company resulting in policy and or location changes.

Therefore your organization should define a clear exit strategy and include the ‘exit’ costs into the initial cost analysis.

Risk 2: Insecure of incomplete data deletion

Will your cloud provider be able to delete your data securely on your request ?erasure of data

Cloud providers store your data safely by making multiple copies. The data is stored on multiple disks that are shared with and reused for other customers. So they cannot simply shred the hard disks. A request to delete data, as with most operating systems, may also not result in true wiping of the data.

If a Cloud provider does not (securely) delete data before reassigning space, leaking personal or strict confidential data of your organization especially in case of multiple tenancies could represent a high risk.

Risk 3: Loss of governance

Is your business still in control over the availability, performance, data integrity, resolution times of incidents and problems  if the outsourced service is delivered by a Cloud provider?

Most cloud services have pre-defined service levels and do not offer negotiated Cloud Service Level Agreements. However to stay in control during Handshakecontract negotiation at least the following important criteria needs to be agreed: availability (e.g. 99.99% during work days), performance (e.g. maximum response times), portability of the data (e.g. ability to move data to another provider) and resolution times of incidents.

As a cloud consumer you need to be sufficiently in control of your IT systems. For more help click here.

Risk 4: Loss of control on your encrypted data

Who really owns your data if you as customer do not own the encryption key?

While a cloud provider may agree to keep the data confidential (i.e., they encryption keywon’t show it to anyone else) that promise does not prevent their own exploitation of the customer data e.g. to improve search results, to deliver ads or to mine data for their own purpose . Also, If the user encrypts the data, it’s more difficult for the cloud provider to deliver some cloud services (e.g. search).

However the fact that you are not in control of the keys to encrypt or decrypt your own data is a substantial risk that companies should try to avoid.

Risk 5: Insecure virtualization layer

How secure is the virtualization layer used by your Cloud provider?

Most cloud providers use virtualization– inside physical device virtual hypervisorsystems are built. This virtualization enables the provider  to use physical devices in a more economic way. However virtual firewall support that exists today is very limited and attackers learned how to compromise the virtualization layer to gain control of the operating systems on virtual machines.

A compromise like this could give attackers complete control of your data. Together with your Cloud provider, organizations should agree on measures to mitigate this major risk.



How to create secure e-banking services in an agile world?


Banks gained the trust of their clients by the delivery of secure banking solutions. Client information and financial transactions are continuously protected against data leakage and cybercrime. But the IT world is changing……


IT departments adopted ‘Agile’ ways of working. So called ‘devOps’ teams deploy changes to banking solutions continuously. On a daily or monthly base all kind of new features and improvements are added to the banking apps and e-banking solutions.


Because Agile is faster and less expensive. Focus is on new functionality and the question “is the solution still secure?” comes later and sometimes  too late. Penetration test show vulnerabilities which because of a lack of budget and time are not resolved before the ‘Go Live’. Risks are accepted based on good intentions, which are often not fulfilled due to the focus on new innovations.

Schermafbeelding 2015-12-03 om 19.47.02How to solve?

The same as for functionality testing, security testing has to become part of the day to day work of a developer. Security Officers have to provide security test tooling (SAST, DAST) so that developers can deliver secure apps based on defensive coding.

At the same time, the backlog should get sufficient attention of Agile Risk Managers. Per feature in the backlog, stakeholders should assess the risks of a new feature. The secure devOps teams should also create (evil) user stories and other controls. In this way business can check concepts and identify risks in a timely way.

Instead of waiting for the results of the Penetration test, it is Continuous integration of risk management and security from backlog to delivery  which will deliver ‘secure user stories’ and ‘secure apps’.