A strong security culture
I have been working at MGI since 2013. I was a Shipper Menu Project Manager and then head of the ARROW unit, which established the specifications for Ci5 in terms of design, security and future uses. In 2016, MGI was one of the first Digital Services Businesses (Entreprise de Service Numérique) and a pioneer in information security management, obtaining ISO 27001 certification in 2017, which was renewed in 2020.
At the time, I was in charge of quality and product qualification. I was already partially overseeing the information security management system and its continuous improvement at MGI.
In February 2021, faced with the threats of cyber attacks on our ecosystem, I was appointed full time to the position of Information Systems Security Officer (ISSO) and my duties now include cyber defence.
Cyber risk: there’s no such thing as zero risk
Cyber risks are now the fourth-ranking risk faced by the shipping industry, just after natural disasters, and even the largest companies are affected.
There are three types of risks:
- data breaches;
- ransomware attacks, where data is taken hostage by malware;
- computer mishandling by employees, due to a lack of vigilance, which is increased by telecommuting.
These risks can often result in considerable costs due to downtime and having to reboot information systems. To limit these threats, Ci5, the new generation Port Community System, was developed using the DevOps, Docker and Container concepts, the latest cloud technologies, and also includes blockchain components.
To secure the availability of our products, they are hosted by AWS (Amazon Web Services), with redundancy on several devices. Data is backed up on separate sites, which prevents customers from losing it, especially in the event of a fire in one of our datacentres.
In addition to these measures, AWS also has a highly secure software architecture that uses encryption. Certificates are exchanged to authenticate the user’s identity for each transaction. The end user does not see these exchanges and simply benefits from a highly secure solution.
Protecting the availability, integrity and confidentiality of our customers’ data is our priority, as covered in our Business Continuity Plan. Still, we’re not immune to a breach, which is why we have control and safeguard procedures that are evaluated on a regular basis, and we inform our employees about best prevention practices.
99% of cyberattacks are human-induced
For the past five years, we have been training our teams internally in information systems security, and we recently started simulating phishing campaigns using a new tool from our partner, MailinBlack, in an effort to show our employees how a virus can quickly penetrate, infect and paralyse our systems. For example, ransomware, which blocks access unless a ransom is paid, has been one of the most frequent types of attacks in recent months, with the increase in people working from home. Cybercriminals aren’t afraid to intimidate users by posing as banks, the police or tax authorities. Our teams are becoming increasingly aware of the risks out there and are adopting best practices to optimise our cybersecurity!
We’ve been using fun and motivating activities, like quizzes, where the winners take home a bottle of champagne, and ISO cafes that bring employees together over breakfast. There’s no better way to learn than in a good atmosphere. In terms of governance, we also hold monthly ISS meetings. Process project managers present their KPIs and we go over incidents and the corrective actions put in place. For new hires, we provide security awareness training.
Digital security: a culture that needs to be promoted
Cyber defence is ingrained in our own business culture and we want to share it with our customers and users. We have been thinking about ways to do this with professional associations like the UMF and/or the port of Marseille and government and public authorities such as ANSSI or the French General Secretariat for the Sea (SGMer) at a regional and national level.
For more information about cybersecurity or specific questions, please send an email to firstname.lastname@example.org