A shift in perspective

Editor Alt
Tanya Blake, SAS editor. Credit: IHS Markit

All too often people, especially crew, are identified as the weak link in cyber security. Let’s show that people are a company’s biggest strength

More than half of respondents to the Safety at Sea and BIMCO 2020 Maritime Cyber Security survey said “our people” are their organisation’s greatest cyber vulnerability. This is the fourth consecutive year that respondents to the survey have overwhelmingly declared that their staff and colleagues are the biggest cyber threat to their organisation, over IT systems, third parties, and operational technology (OT).

This does not come as a surprise, considering that nearly one-third of respondents (31%) to this year’s Maritime Cyber Security survey said their organisation had experienced a cyber incident in the past 12 months: phishing (68%), spear phishing (41%), and malware (33%) were the most common causes of cyber attacks.

Most of these attacks rely on tricking people into clicking a dangerous link in an email, or convincing them they are dealing with a trusted person rather than a malicious hacker. Knowing your company is highly likely to face these threats, it falls on its leaders to educate and train its people on the risks. Our workers, onshore and at sea, should be seen as our first line of defence, not as our biggest weakness.

If staff are told to stay vigilant for risks via emails and know who to contact if they suspect an attack is occurring, cyber attacks will be prevented or their damage limited. Quality training should be given to staff and reviewed at regular intervals to test their understanding, as well as providing feedback on areas where improvements still need to be made.

Most importantly, a no-blame culture is needed so that staff feel safe to report potential cyber slip-ups they have made without fear of retribution. There have been far too many instances of seafarers being blamed for safety or security incidents without companies digging deeper into its own safety culture, systems, technologies, procedures, or training that it has in place.

As Cris DeWitt, cyber-security expert from the Cyber Mariner consultancy, said, “our people” – or more specifically crew – are “at a disadvantage from the beginning”, with ship systems “cobbled together” without consideration for the human element.

Shipowners must carefully consider the design and inherent cyber security in every piece of kit on board a vessel, and how each system will interact with another. Instead of choosing an electronic chart display and information system (ECDIS) with USB ports on top of the console, for example, choose one that has ports underneath, in a harder-to-reach position, to limit the likelihood crew will be tempted to charge their phone in it.

Ultimately, though, no matter how cyber resilient a company is, it is almost certain that it will face an attack. How successful an attack is and how serious the consequences could come down to how well-trained and empowered a company’s staff is.

If you are a CEO, a captain, or a team manager, I urge you to view your people as a strength, empower them, train them, and utilise them to make your company more able to prevent and recover from inevitable cyber attacks.