When did you last wear your seat belt? The last time you got in a car, obviously. By force of habit, you have probably stopped thinking that you wear it because it will stop you flying through the windscreen in the event of an accident – and because it’s required by law. In fact, the behaviour of fastening your belt has become second nature.
It wasn’t always like this. It’s hard to imagine now, but there was a time when seatbelts didn’t even exist. Even when they did, and even when it became mandatory to wear them, many people didn’t bother. The fact that everyone now instinctively understands that they must wear a seatbelt proves that behaviour can change.
Andrew Ross, Director of Cyber Governance, Risk & Assurance at Wärtsilä likes to use this analogy when explaining how behaviour related to safety and security is changing and conveying the essential benefits of cyber security to his Wärtsilä colleagues.
“It is a question of sticking to the rules, even when no one is checking up on you,” he says. “Following cyber security is just like wearing a seatbelt – not just because you want to but because you know it’s the right thing to do. It’s about encouraging others around you to do the same thing and follow the same rules. That includes your colleagues, your boss, your family and your friends.”
It is important to think of three key strands of cyber security – people, processes and technology – says Andrew. Where people often go wrong – and human error is inevitable, even in Wärtsilä – is that they believe cyber security is all about complicated technical wizardry and that it is ‘something the IT department will deal with’.
Of course, there is a need for technical controls whether they be firewalls or antivirus softwares, but the best, most secure network in the history of mankind becomes useless as soon as you click on a phishing link or insert a questionable USB stick that might contain malware.
As Andrew points out, “The best designed, top of the range, most expensive seatbelt in the world won’t stop you from disappearing through the windscreen if you don’t put it on before you start your journey.”
“Cyber security is not just limited to ones and zeros,” adds Thomas Dewilde, Manager, Cyber Governance, Risk & Assurance. “The digital and physical worlds are converging as we speak and just recently Kirstjen Nielsen, the secretary for the US Department of Homeland Security stated the value of cybercrime damage is expected to hit USD 6 trillion annually by 2020.”
That represents nearly 10% of the world economy, according to research by Cybersecurity Ventures.
The term ‘Cyber Maturity’ refers to an organisation's ability to protect its information assets and respond to Cyber threats. So, how does Wärtsilä make sure its employees achieve Cyber Maturity? By providing them the right tools and knowledge and then keeping cyber security on top of everyone’s minds.
In February 2019 a mandatory Cyber Security Awareness Training (CSAT) was launched for all personnel (and is to be repeated every year). The training covers incident response, passphrases, malware, safe surfing and human firewalls, social engineering and phishing, backup and preventative care, privacy, non-technical and physical security, policy, mobile and the Cloud. The completion rate of the training has been impressive, which indicated that Wärtsilä employees are taking cyber-related issues seriously.
There are other initiatives too. A voluntary learning path in the Wärtsilä transformation application called WeLeap, which was launched in March, includes a more lighthearted interactive video that allows the viewer to choose good cyber behaviours in the workplace.
In addition, the last Friday of each month is called Cyber Friday at Wärtsilä. It is marked by the publication of a Cyber Friday intranet article, each of which covers a specific topic that warrants raising awareness on. The company’s Cyber Security Yammer group is also a lively forum to get advice on anything cyber-related. E.g.: Suspicious emails.
Renewed governance documentation comprising updated cyber policies is about to be launched and they are a critical milestone, covering training, acceptable use, travel, personnel security, business continuity, risk management, due diligence, change management, and supplier relations.
“All our employees now need to do the refreshed ‘entry-level’ cyber security awareness training,” says Andrew. “It is mandatory for everyone. But that is not where it ends. We invite employees to explore additional aspects of cyber security via all the other resources that we provide them with. Why not encourage more cyber expertise and collaboration? Raising our understanding across the organisation is paramount in delivering end-to-end cyber-secure products and services.”
Clear business benefits derive from Cyber Maturity, including safeguarding intellectual property and customer data, competitive advantages, performance and efficiency improvements and increased profitability.
“This is more than just about how we respond in the workplace,” says Andrew. “These newly-acquired cyber behaviours must also extend into our homes and our personal lives. Cyber security is all about people and keeping them secure and safe, that includes staff in their leisure time and people we care about.”
Cyber security underpins every aspect of business transformation. Smart marine and energy ecosystems rely on data, Wärtsilä’s as well as that of its customers, and how it is stored, analysed and transferred. If these processes cannot be carried out securely, the data itself and everything related to it is at risk.
“By proving to our customers that we are proactively looking after their data and the networks into which they connect,” Andrew concludes, “they are able to trust us, now and in the future.”
