Secure Communications On Board

The NCSC (National Cyber Security Centre) has published risk management advice on what organisations should think about before choosing and using communication and collaboration apps for use on ‘provisioned and managed’ devices. This guidance is currently supporting captains and crew looking to deploy and understand the risks of adopting a range of secure Software as a Service (SaaS) applications onboard their vessels and throughout their network.

Step 1: Establish the business context in which the app will be used
Users like the familiar. More specifically, they like what they use on their own devices, and they may prefer an app running on their personal phone to one that is corporately available. Existing onboard solutions are often rejected because they provide a poor user experience, are incorrectly configured, or rest on underlying architectural issues that cannot support effective and secure communication. Crew then turn to free apps such as WhatsApp, which can compromise privacy and security. When adopting new secure software, the first step is to ask whether there is a genuine business case for the app: will the new communication process benefit the vessel as a whole?

Step 2: Research the app you intend to use
Have other organisations (such as other governments, academia, the IT industry and the technical media) conducted any security reviews of the app in question?

Be particularly wary of claims about end-to-end encryption, as it usually only refers to the data in transit, and will likely not apply to the backup of messages and related communications (i.e. the data at rest). Control of the metadata accessed by the app must also be assessed. Check the User Agreements to see what the supplier will do with the data and establish an acceptable level of risk.

Can the app settings on crew devices be controlled by your vessel? If they are wholly controlled by the user, then you will need to trust your crew to maintain the settings you advised to ensure the protection of your vessel. Finally, and importantly, you also need to make sure the app provider is GDPR compliant.

Step 3: Configure the app to minimise risk
So you’ve approved the business case and researched the app, and you still think the app is suitable for your vessel. In which case we’d recommend the following:

• Limit the use of the app to only those users who have a business need. The fewer people who use it, the easier the risk is to manage.
• Understand the default privacy settings that the app applies and set these to ensure the most appropriate privacy settings are in place.
• Control system-level access permissions for the app so that it is granted only the permissions essential to your business use.
• How are messages and collaborative data backed up? If they are to a cloud service, are these provided by the end user device or the app? Are you confident this offline storage is secure enough for your business?
• Develop clear procedures so that users understand that it is their responsibility to maintain privacy settings. If possible, establish procedures that will allow you to audit these settings.

Step 4: Document your decisions
Record why you have chosen the app (rather than one that is already available in your enterprise). Record your risk assessment, what you require users to do when using the app, and what you will do should a breach occur.

As the cyber landscape evolves, we are encouraging our clients to reassess their communication tools and secure their digital footprint across both business and private life. Standard reactive support is no longer adequate to ensure privacy. Priavo Security provide market-leading technology for encrypted communications. This cloud-based secure platform can be tailored for use onboard superyacht vessels, and is fully ISO 27001 Certified and FIPS, NATO and CPA approved.

If you would like to learn more, contact us at enquires@priavosecurity.com and book a consultation with one of our experts.
