The majority of Danish shipowners have increased their spending on cyber security in recent months, with 70% of survey respondents stating they had been a victim of a cyber attack in the previous 12 months.
The findings come after Danish Shipping, formally known as the Danish Shipowners’ Association, conducted a survey on cyber security among its members in November 2017.
Twenty seven out of the 36 shipping CEOs that the organisation contacted responded to the survey, with the companies they represent accounting for 79% of the Danish fleet, Danish Shipping said in a statement.
Of the responses, 69% said that their IT systems had been attacked in the period from November 2016 to November 2017. In addition, 69% said they had increased spending in cyber security in the same period, while 27% retained their level of spending and 4% said they had reduced it.
Cyber security is a strategic area of the business of shipping and everyone in the industry must understand one’s personal responsibility of this, said Maria Skipper Schwenn, executive director at Danish Shipping.
“The first reaction to the findings is that they really show that cyber security really is an agenda for our CEOs,” Schwenn told IHS Markit. “The year 2017 was indeed a year of increased awareness [of cyber risks]: if it can happen to the largest container line in the world, it can happen to anyone,” she said, referring to a cyber attack that hit the A.P. Moller-Maersk (APM) group in June 2017, although its actual target had been the Ukraine.
The attack came after the Danish Defence Intelligence Service had published a report in March 2017, in which it said that the shipping industry faced a very high level of risk from cyber criminals and that an attack was more likely to seek to damage the shore-based commercial part of the business than vessels at sea. In case of the attack that hurt the APM group, it was indeed the land-based part of the business that was affected, exactly as the military intelligence report had forecast.
However, it is not just criminals that can trigger a cyber attack: members of the staff of an organisation can do this and no criminal intent is needed for this to happen, Schwenn pointed out. The Danish Shipping survey found that 35% of the respondents regarded staff as the principal security risk, placing it second after hackers with a 54% share and well ahead of outdated equipment with 12%.
The findings are in line with a survey conducted by IHS Markit in October 2017, which showed that two out of three respondents had opened an email from a stranger that could have inflicted the IT system in question with malware, and that 75% of seafarers that responded to the survey said they received no training in cyber security.
Schwenn said that, while part of the additional cyber-security funding that its members have put in place has been used towards equipment and software, training of staff is also a matter of major importance. “Everyone is responsible for cyber security. We do not want our private equipment to be affected by cyber crime. The same thinking must be expanded to the IT at work. It’s not something that the IT guys will take care of,” she pointed out.
In modern life, people are used to accessing the Internet from wherever they are and working from almost anywhere. This poses great challenges to cyber security, although some very basic aspects of it can be looked after in a simple way.
A company policy could, for instance, state that all IT staff check portable and mobile devices used at work to make sure that all firewalls are up to date. The strategic importance of cyber security should also mean that it be integrated in existing and developing systems, the purchase of equipment, and even ships, Schwenn said.
An email can arrive to a CEO that looks like as if it had arrived from a partner with whom a company is doing business or a member of staff, yet it can actually be a phishing email. “We can work from anywhere and be on line all the time, but we tend to forget that by doing this, you risk making yourself vulnerable [to cyber threats],” Schwenn pointed out.
Cyber security should be seen in the same light as safety at sea: it is a journey, not a destination. “You can never be 100% sure and say nothing can happen to us, but you can do a lot of things better,” Schwenn pointed out.