A company’s own staff is often cited as a company’s biggest cyber threat, but this can lead to scapegoating and turning away from other areas where cyber risk is being introduced.
Each year Safety at Sea runs a cyber-security survey with international shipping association BIMCO to gauge the maritime industry’s approach to cyber risk. When asked what respondents see as their biggest cyber threats, ‘the human element’ always tops the list. This year’s preliminary results from the survey show the perceived threat is no different: 48% of respondents have so far said their ‘people’, their onshore staff, and seafarers, are their organisation’s biggest cyber vulnerability.
As the editor of Safety at Sea, which has a predominantly seafarer readership, it is often of concern to me to see how this widely held view impacts seafarers. Crew often cite having access to the internet at sea as key to maintaining their wellbeing; they can feel less isolated from their families by being able to chat to them daily and also feel less isolated from the world as they can keep up with current affairs and popular culture. It can also give them ways to access help from charities or mental health organisations if they feel unable to go to an employer.
I worry that if crew are seen to be a cyber threat, companies will restrict their access to the internet or cut them off from it altogether. Further, as is unfortunately all too often the case, I fear that crew who do accidentally introduce a cyber threat by clicking on an email attachment or plugging a USB into an onboard system may not feel able to admit their error for fear of retribution or losing their job.
Neither of these solutions will ultimately be good for a company in the long term. Instead the focus should be on quality cyber training, and I stress the word quality as all too often cyber training can be a basic tick-box exercise. Ultimately it should be about those at the top ensuring a strong safety culture that pivots from blame and rewards openness and willingness to admit mistakes.
Comfortingly, the resounding agreement from all the industry experts at the event was that crew should not be scapegoated for cyber issues that they might inadvertently cause as this would only stop crew from timely reporting of potentially damaging cyber attacks. A novel suggestion was that companies should shift their mindset to view their crew and onshore staff as ‘white hat’ hackers and any problems they uncover should be welcomed as then companies can fix the gaps in their cyber security and improve their overall cyber resilience.
While good cyber behaviours should be taught to a company’s staff, it is worth those at the top considering the, perhaps extreme but necessary, route of ‘baby proofing’ vulnerable information technology (IT) and operational technology (OT) on board so that it becomes infinitely harder for crew to accidentally introduce risk or purposefully bypass security measures. This shifts the responsibility and the blame away from crew.
There is also a real risk that in focusing so much upon their own employees’ behaviour, maritime companies might overlook other threats facing their company, from third-party risk to OT, all of which you can read more about in the August edition of SAS.
Ultimately, cyber security must be viewed as a responsibility that everyone in the maritime industry holds, from the CEO to seafarer, to dock workers, third-party suppliers, and the ports themselves; one weak link in the wider maritime supply chain is all it takes for a cyber attack to enter a company’s IT or OT systems. The key to making individual companies more cyber resilient is to share information with the wider maritime industry about the risks we are uncovering and the attacks we are experiencing. By doing so, we will ensure we are as robust as possible and able to recover from attacks swiftly.