Rapidly evolving technologies deployed throughout the U.S. maritime industry to increase efficiency and competitiveness present significant cybersecurity risks that the industry is unprepared to shoulder, according to the Jones Walker LLP Maritime Cybersecurity Survey.
The law firm’s survey reflects the responses of 126 senior executives, chief information and technology officers, non-executive security and compliance leaders, and key managers from U.S. maritime companies. The respondents represent key sectors in the maritime industry and include professionals from small, mid-size, and large companies.
The survey found that nearly 80 percent of large U.S. maritime industry companies (those with more than 400 employees) and 38 percent of all industry respondents reported that cyber attackers targeted their companies within the past year. Ten percent of survey respondents reported that the data breach was successful, while 28 percent reported a thwarted attempt.
Small and mid-size companies are far less prepared than larger companies to respond to a cybersecurity breach. All respondents from large organizations indicated they are prepared to prevent a data breach, while only 6 percent of small company (1 to 49 employees) respondents and 19 percent of mid-size company (50 to 400 employees) respondents indicated preparedness.
The survey discovered that many small and mid-size companies lack even the most fundamental protections, exposing them to huge potential losses. Ninety-two percent of small company and 69 percent of mid-size company respondents confirmed they have no cyber insurance. In contrast, 97 percent of large company respondents have cyber insurance coverage.
Survey respondents indicated that they have largely adopted basic policies and secure IT solutions, but they also demonstrated that there exists a real need to embrace more robust cybersecurity policies, processes, and tools. Respondents from small and mid-size companies consistently report that basic policies have been adopted and procedures have been implemented. Small and mid-size companies report regular use of automated intrusion detection and diagnostic tools such as records management, background checks for new hires, and applications inventory.
However, at companies of all sizes, there are notable gaps in more sophisticated policies. For example, less than 15 percent of companies are using multi-factor authentication for remote access, or providing off-site backups in physically secure locations.
When asked how their companies would deal with a cybersecurity incident, the majority of respondents indicated that they were unprepared to handle the far-reaching business, financial, regulatory, and public-relations consequences of a cyber attack. Sixty percent said they are unprepared to deal with negative public opinion, blog posts, and media reports after a data breach; 49 percent are unprepared to minimize the loss of customers’ and business partners’ trust and confidence after a data breach; 70 percent are unprepared to respond to a data breach involving business confidential information and intellectual property; and 70 percent are unprepared to respond to the theft of sensitive and confidential information that requires notification to victims and regulators.
Andrew Lee, partner and co-chairman of the Data Privacy Group and co-author of the Maritime Cybersecurity Survey White Paper, Jones Walker LLP, describes hackers as “modern-day pirates who have the ability to sink maritime industry sectors.”
The majority of respondents (69 percent) expressed confidence in the maritime industry’s cybersecurity readiness, while a minority (36 percent) believe that their own companies are prepared. Lee says there is a real disconnect between how stakeholders view the maritime industry’s overall preparedness level versus how they see their own shops. “By and large, they view the industry as prepared, but their own companies as unprepared. That is like saying that my neighborhood is safe, but my house is a hotbed of crime,” he said. “What I take away from this is that the respondents are likely wrong about the industry, and right about their own companies.”
What steps can maritime companies take right now to start preparing their own operations? Lee said a change in approach to the problem needs to occur. “Stakeholders need to recognize that cyber isn’t an IT issue; it’s an operations issue. A cyber threat is a business risk: if the attitude doesn’t align to acknowledge this, cybersecurity won’t get the organizational attention that is needed,” he said.
“Practically, an important first step is to inventory electronic systems. Companies need to know what is in use, and how their operations are visible to the internet and vulnerable points of entry. Only one of those is needed for a devastating breach to have a crippling effect.”
There are 50,000 ships worldwide and hundreds of major ports. By many estimates, shipboard electronic systems are 20 years behind office-based systems and those of competing industries. Meanwhile, as Lee says, the maritime industry is suffering from a strong bias in favor of protection and physical security rather than information and cybersecurity, and this will be difficult to overcome.
But as Lee’s Jones Walker colleague and co-author of the Maritime Cybersecurity Survey, Hansford Wogan, said, “An ounce of prevention in training is worth a pound of a cure in terms of cyber attack readiness – and if every company approached this cybersecurity issue with that mindset, the maritime industry as a whole would be far less at risk.”