For the last few years there have been an increasing number of experts and commentators saying that cyber security will have significant impact on the maritime industry, but is this true?
There is no denying that we use technology to assist us in almost every aspect of our business and personal lives, from smart phones to laptops and tablets, the internet and intranet; ship’s navigation systems and a plethora of digital management software and systems at sea and ashore to speed up processes, reduce mistakes and in some cases replace people.
In the same way that there are numerous conmen, pranksters and crooks waiting to take advantage of the vulnerable in every other area of life, with varying degrees of sophistication, it is exactly the same in the cyber domain.
But where is the evidence of cyber-attacks at sea? With the exception of a small number of high profile cases, reliable data on “cyber-incidents” in the maritime domain is not easy to find, which makes analysis very difficult and the identification of trends impossible.
It would appear that, while it is inevitable criminals are using the cyber domain to commit crimes across the maritime industry, companies are very reticent to report it for fear of reputational damage, which could result in losing clients (to a competitor who hasn’t reported their incidents) and/or failing to attract new business because your company is clearly an attractive target for cyber criminals. And if you do report a breach, how much additional work will that require, who’ll pay for it the additional time and effort and even if you do everything as we are told to will the perpetrators be prosecuted and punished? At the end of the day, where are the benefits to reporting incidents?
There are many similarities to companies being subjected to fraud, which many of us have experienced. The average loss to fraud of a company is about 11% of turnover, which in a dynamic and growing business is very difficult to spot, especially if the fraudster, who is often on the inside, has the ability to cover their tracks. When it is discovered, after the shock that it has happened, there is a reticence to admit it publically because of the business risk and damage to reputation.
The judicial system is not interested in taking on a case without significant compiled evidence (collected by the alleged victim). This can often result in the perpetrator of the fraud quietly moving on to the next vulnerable victim, and businesses tend to look upon the loss as one of those harsh lessons and part of life. Good companies will review their processes and procedures, carefully vet staff, reduce weaknesses, avoid exposure to threats and risks thereby engendering a new culture within the company making it harder for the fraudster who will move onto a new victim.
However reviewing the processes and procedures to reduce vulnerability to cyber-crimes is far more difficult because most of us don’t understand “cyber” and many of us stop listening when we hear the word. Consequently, we have real problems identifying the threats and risks, especially if, like me, you are sporting more grey hair than you wish to admit.
The most important thing for us all to take on board is that reliance on the cyber domain is going to grow. In a recent paper by Emerging Future LLC they note that “Every twelve to eighteen months, computers double their capabilities, and so do the information technologies that use them.” They also predict that we will be thirty-two times more advanced in just five years!
In his recent paper on ‘Smart Shipping’ Martin Stopford suggests we are approaching a ‘wave of change’ that will be even more dependent on cyber technologies looking at the supply-chain as a “whole” rather than “a collection of individual ships”. It is crucial therefore that cyber security is not a problem that is just passed onto the ‘IT guys’. This is a challenge that requires the vision and leadership from board level.
If your company has suffered fraud, you instantly take precautions to ensure it doesn’t happen again and probably invest a proportion of your loss to get some help to prevent a repeat.
While the human fraudster is imaginative and innovative the breath-taking advances in cyber capability will act as a force multiplier for criminals looking for weak businesses upon which they can inflict irreparable damage.
If however your company is proactive and you invest in a ‘cyber health check’ it will identify weaknesses and provide the basis on which new practices and procedures are introduced and cultural change is engendered which will make your company a harder target and not just save money but also livelihoods.
They say, “How fast you should run if you are attacked by a bear?” The answer is – “Faster than the next guy!” Make sure your company faster and more protected than the next business when it comes to cyber security.