Maritime Cyber Security: Tackling the weakest link in cyber risk management
Cyber-risk is no longer a matter that can be offloaded to or handled exclusively by the company IT department. It is an organisation-wide challenge. Crew at sea and staff on shore all have to be taught what risks to look out for and what mitigation actions they ‘own’.
Training is essential in tackling what is consistently considered to be the weakest link in cyber-risk management: the human element (i.e. people). This cyber security trend is one of many identified and explored in the free to download Safety at Sea and BIMCO cyber security whitepaper. In 2017, the year in which Maersk’s global operations ground to a halt as a result of NotPetya, more than one-third of those polled in the annual survey were not providing awareness training or distributing guidance to their shore-based staff or crews at sea.
It would be reasonable to assume that a headline-grabbing incident of that magnitude would spur vessels owners to teach their personnel how to manage cyber-risks into action and incentivise those with some sort of training already in place to explore ways of enhancing it. Yet the responses from the 2019 IHS/BIMCO annual cyber security survey (see infographic) suggest that enthusiasm for education is in decline – or at least tailing off. The decrease in those offering training to their staff is quite small, so this trend may simply be a blip.
Half of those providing cyber training in 2019 said that this was delivered using a course developed and run by an in-house team, while one-fifth sent their staff to an external training provider. One in ten went the extra mile by carrying out cyber crisis management exercises to prepare their staff to respond in potential scenarios.
When considering the curriculum and materials used in cyber-risk training it is easy to fall into the trap of treating the shipping industry as a single homogenous entity. However, the reality could not be less true. Not only are there multiple stakeholders – each with their own roles, motivations and responsibilities – but each of these stakeholders consists of different elements, all of which have distinct characteristics.
For example, a fleet operator depends on its seafarers but also on a large team working on shore. These groups can be further divided in terms of characteristics. On board ship, ratings’ perception and exposure to cyber-risk will differ markedly from that of senior officers. On shore, operational staff will view risk through a different lens to internal IT departments, and so forth. Commercial teams, HR teams, legal and finance departments will similarly each have their own perspective, right up to the senior executives running the company and charged with making strategic decisions on how cyber risk is treated across the organisation’s various regional and global offices.
Neglecting to consider and cater to these differences will significantly diminish the usefulness of the training programme. Clearly, for example, the requirements of a rating who has newly joined the fleet will not align with those of an IT manager who has spent the best part of his career at the company, or match the needs of those taking bookings or managing financial transactions.
Additionally, a one-size-fits-all training solution may signal a perfunctory approach to the problem, prompting employees to question whether cyber-risk is really as important as everyone says. Naturally, this is detrimental to fostering the buy-in needed to engender a long-term change in attitudes.
To learn more about the key cyber security issues facing maritime, past major incidents and industry-best practice, as well as practical advice on prevention and recovery, download the Safety at Sea and BIMCO cyber security whitepaper.
An essential read for anyone in maritime - the paper combines an analysis of four years of cyber survey findings and matches them to behaviour and investment trends observable in the wider maritime industry.
Download your free copy of the white paper today.
- Crude Oil Trade: Colombia targeting production growth of 4% in 2020
- Crude Oil Trade: South Sudan focusing on nearby importers
- Crude Oil Trade: Algerian exports back on track
- Crude Oil Trade: Russia reducing production but not meeting their obligation
- Crude Oil Trade: Iraq exports declining along with Suezmax market share
- Crude Oil Trade: Nigeria shipped less in October, but demand for Suezmax increased
- Crude Oil Trade: Mexico recovering, with a limited impact on shipping
- Crude Oil Trade: Great potential for Canada, although obstacles to overcome first