In the maritime industry, rescue training is routine – why don’t companies bother to train for cybersecurity emergencies?

Waves are crashing around me; the wind is howling. Where is the sailboat I fell off? Floating in the water, I turn around. Cold rain pours horizontally on my face. I can barely see the boat and two figures on the deck. I try to grab the rescue harness thrown in my direction. Will I survive? Phew. Fortunately, it is just an exercise.
A recreational sailor’s rescue course I recently attended gave me tough learning on how to act, especially in a man-overboard situation, that is, when someone has fallen from the boat. In the large pool, there was a real sailboat, waves raised by a machine, a strong breeze created by a wind machine, and artificial rain. The wildest moments were climbing up a rope net hanging on a five-meter wall to the deck of a “ship”, jumping back into the pool, being lifted with a rescue rope onto a “helicopter” nine meters above the pool, and two minutes of hypothermia training.

The all-day intensive course instilled confidence that saving others and one’s own life at sea is possible. Similar but more demanding and comprehensive training in the same place belongs to the regular routine of maritime professionals.
Cyber simulation provides readiness for a cyber crisis
Recently, I also got to experience a completely different, but very realistic simulation. I was involved in internal training where we got a taste of the H72 cyber crisis exercise, which we provide to our customers.
The cyber simulation began in an everyday atmosphere with safe routines guiding the work. Gradually, however, messages began to trickle in from different directions that deviated from the norm. First, I heard that one of my colleagues had lost her phone. I figured that something should probably be done because of it, but what exactly and in what order? We ended up holding a quick internal meeting, informing the management and calling IT support.
But that wasn’t all. The atmosphere became intense when social media channels reported that the company’s website was spewing horrible rubbish. What on earth?! Together, we decided to immediately inform customers that our site had been hijacked. We reassured them by saying that the matter was being investigated and a police report had been filed.
Moment by moment, I became increasingly nervous. I was afraid that the situation might not be under control, especially when news began to pop up in the media and various outlets were calling. It didn’t take long before someone was ranting on TV news that my company was lousy at protecting customer data. Oops! This way, reputation is soon lost…
Finally, the exercise itself was followed by a debriefing session with evaluations. Our team performed better than average, especially in joint decision-making and communication, both internally and externally, and no major areas for development emerged. Of course, there was room for improvement. A relieving result!
An emergency endangers business and reputation
For recreational sailors, a rescue course is voluntary and only a few bother to take one. All other safety factors are voluntary as well, starting with the fact that boating is allowed for everyone without any formal qualifications or even knowledge of water traffic rules.
In professional shipping, regular emergency drills are mandatory. They prepare for a life-and-death struggle, but emergencies often also jeopardize business continuity and the reputation of a maritime operator.
A cyber crisis poses similar dangers to a company’s business. It seems strange that so few companies practice cyber threat situations where the looming threat materializes. It’s as if companies were recreational sailors who prepare only if they bother to care.
Could it be that many companies are lulled into assuming that cyber defenses are enough and in order, believing that their company is of no interest to cyber attackers? It would be bad if that were the case. Even in professional shipping, it is not enough to be satisfied with solidly built vessels equipped with lifeboats, rafts, and life jackets. When at sea, nobody can assume that distress will never affect them.
Now, at the latest, the EU’s NIS2 regulation creates compulsion and pressure to practice for cyber crises. It obliges organizations to test and develop capabilities and to train personnel. NIS2 sets clear time limits for how soon authorities and stakeholders must be notified, for example, of a data breach. A notification of a detected deviation must be submitted within 24 hours. If a company fails to communicate in any way within 72 hours, the consequences can be severe.
Without a rehearsed process, the requirements are very hard to meet. In practice, a cyber crisis simulation is the only way to test how the organization would cope in a real crisis and to develop functional capabilities. The fast-paced simulation implemented by Netprofile is always tailored to the organization’s needs. It is based on the H72 cyber crisis management model, which we have developed and which is also used internationally.
Prepare for surprising twists and turns in cyber now. Contact us and arrange an H72 cyber crisis simulation!