Gary Hibberd

Titanic lessons for Cybersecurity

Updated: Apr 27, 2023

On April 14th, 1912, the RMS Titanic sailed into history books for all the wrong reasons. On this day, the 46,000-tonne vessel struck an iceberg, and 2hrs and 40 minutes later sank, with the loss of 1,523 lives.


It was a tragedy which has captivated our collective imaginations ever since.


But are there lessons for us to learn from this disaster in our modern data-driven world? I believe so.


Adherence to outdated regulations

The trade regulations of the day did not require ocean liners to have enough lifeboats for every passenger onboard. The number of lifeboats required was based on the weight of the ship. Simply put, the regulations had failed to keep pace with advances in technology.


Does that sound familiar? Are our current regulations leaving us at risk because we’re doing the bare minimum for ‘compliance’ with an outdated regulatory system?


Third-Party Risks

Some claimed that Harland & Wolff, the Titanic's builders and designers, cut corners and used substandard materials to save costs, contributing to the disaster. However, comparing modern shipbuilding standards with those of 100 years ago is unfair. The risks were indeed considered, but by suppliers who were experts in building ships – not sailing them. The suppliers were trusted to build a ship that met the regulations and the client’s brief – luxury at all costs.


Suppliers aren’t always thinking about what is right. They are doing what they’re told or providing what is being asked for. Supplier agreements are vitally important to ensure we’re being clear about the safety and security of data processing.

Overconfidence in advanced technology

The RMS Titanic was equipped with state-of-the-art technology for its time, not only for comfort but for optimal performance. She was said to be practically unsinkable due to her double-lined hull and water-tight compartments.


It was a time of significant industrial advancement, with modern wonders like the Marconi wireless communication system. This allowed the ship to communicate with other ships and stations on land. However, the ship's operators received many messages in that short journey, and acting upon critical warnings of icebergs in the ship's path wasn't seen as a priority. The radio operators were employed by Marconi, not the shipping company (the White Star Line). They were there to facilitate sending and receiving messages by and for passengers.


In essence, safety was a lower priority for the radio operators.


All of this points to several failings: not only a lack of understanding of roles and responsibilities, but also our overreliance on technology and how we use it. The overconfidence led to complacency in preparing for potential disasters. Similarly, overconfidence in an organisation’s cybersecurity measures can lead to complacency in implementing and maintaining strong security controls.


Remember that there was a general feeling of confidence in the ‘unsinkable’ Titanic, not only amongst the passengers but also the crew. Their faith in the technology led them to abandon evacuation drills in favour of attending a church service to sing hymns(!).


A lack of training on using the davits led to a slower evacuation of the Titanic, and there was little clarity about how and whom to evacuate. Some crew misinterpreted the order “Women and children first” as “Women and children ONLY”, which led to some lifeboats launching half full.


Sounds crazy, right? Doesn’t it make sense to train people BEFORE the ship sinks?


But when did you last train your staff on emergency procedures? Evacuation plans? Data Breach processes? Cyber attacks? When do you think is an excellent time to teach them? When the boat is sinking or before?


Safety vs commercial gain

The Titanic received seven warnings of ice in the region throughout the day. Some of these made their way to the crew on the bridge. Some of these didn’t reach the Captain, so he wasn’t aware. But why? Because, as stated, the priority of the Marconi radio operators wasn’t safety; it was sending and receiving messages for the passengers. Commercial imperatives were put before safety. But even when the Captain received the messages, he was encouraged to ignore them and press ahead at even greater speed.


Why? Because it would make for a great story and publicity for the liner. Ignoring risks for commercial or marketing opportunities seems like folly, yet we see it still happening to this day.


How often do we hear AFTER a Data breach that “Security is of primary importance to us!”? But is that true? With the volume of breaches we see, I very much doubt it. Most organisations are prioritising commercial objectives over security and placing us at risk, which could lead us all to disaster.


Are you a ‘customer-centric’ company? If so, are you placing security higher on the agenda than the profits of the business? Are commercial imperatives taking precedence over the safety and security of your customers? An excellent way to evaluate this is to ask what percentage of your budget you have allocated to Cyber Security. Or Business Continuity? Not IT… that’s different. What have you spent to ensure the Confidentiality, Integrity, Availability, Privacy and Safety of your services?


Conclusion

The sinking of the Titanic had catastrophic consequences, resulting in the loss of over 1,523 lives. Similarly, a cybersecurity breach can have devastating consequences for an organisation, including financial loss, damage to reputation, and loss of customer trust.


Overall, the story of the RMS Titanic offers several interesting parallels to cybersecurity, including the importance of advanced technology, avoiding overconfidence, and managing insider and third-party risks.


For me, the most significant risk we face is pretending that ‘it can never happen to us’. Of course, it may not. But it might… we are not ‘unsinkable’. And that’s worth remembering before we are put to the test.


