Maritime companies lack robust cyber-attack recovery plans, industry survey finds

Credit: Getty Images

Despite the majority of respondents (77%) viewing cyber-attacks as a high or medium risk to their organisations, few appear to be prepared for the aftermath of such an attack, an industry survey shows.

While 64% of respondents to the 2020 Safety at Sea and BIMCO Maritime Cyber Security survey said that their organization has a business continuity plan in place to follow in the event of a cyber incident, only 24% claimed it was tested every three months, while only 15% maintained it was tested every three to six months. Another 15% said that it was tested every six to 12 months. Without regular testing of a cyber response and recovery plan employees may be less likely to remember what to do in the event of a real attack.

While the results showed an increase in the implementation of a continuity business plan, up from 52% in 2019, there was a 9% decrease in the three to six month and 3% decrease in six to 12 month testing of that plan. This decline in regular testing suggests less importance is being given to the practice.

Continued revision and testing the effectiveness of plans are, however, essential, even after an attack, to mitigate damage and maintain business continuity. “There will always be a need to keep revisiting the approach to training and awareness, both in terms of audience engagement, but also as the dynamic threat landscape evolves,” said Rachael Bardoe, director operations and cyber center of excellence, Digital Container Shipping Association.

On a positive note, the overwhelming majority (80%) of respondents said they would alert their IT team if they discovered a potential cyber incident. Further, 65% of respondents said their company had a dedicated internal reporting channel in place for staff and crew to report an attack. Both are signs that the maritime industry is taking cyber-security reporting seriously. However, the survey found there was no increase from 2019 in the number of respondents who said that their company protects vessels from operational technology (OT) cyber threats, which remained at 42%. Some respondents even went so far as to describe their company policy to OT cyber risk as “careless”.

Bardoe thinks that cyber issues will be increasingly at the forefront of safety and security concerns for maritime as the shipping industry moves closer to the International Maritime Organization deadline, imposing the incorporation of cyber security management in a vessels’ safety management system by 1 January 2021. “The IMO 2021 regulations have been a major force in terms of influencing industry adoption. The push towards a more risk-based approach to maritime cyber security will assist the industry in moving from a reactive to a more proactive stance,” said Bardoe.