Nearly half of the respondents to a survey on maritime cyber security said they were spending less than $10,000 a year on security per year.
Philip Thomas, Partner at international law firm Reed Smith described the findings as “striking” in a webinar held yesterday (Thursday) to reveal the results of the 18th Annual Maritime Cyber Security Survey, conducted by Fairplay and BIMCO and sponsored by ABS.
“That doesn’t seem to be very much,” he said. “That may be because historically they haven’t suffered very much by way of breach.”
Mike Dyer, of Anson Resolution, who was giving a security viewpoint, said: “There are still a lot of people who haven’t implemented basic measures such as a firewall.”
The survey, conducted between June and August this year, attracted responses from more than 350 participants from across 257 companies, made up of ship owners, managers and seafarers.
Just one fifth said they had experienced an attack – 93% on their IT systems – but Mr Thomas said he suspected this was higher due to a degree of under reporting. However, he was not surprised that just 6% of companies had shared information with the public and believes there are two reasons for this. Cyber breaches can cause reputational damage and, under GDPR, they are only obliged to report a data breach to the individual that has been affected if it will cause a high risk to the rights of that individual.
Also on the panel of the webinar, moderated by Fairplay Executive Editor Nicola Good, was Kimberly Tam, Research Fellow at the University of Plymouth, who gave an OT (operational technology) overview.
“I think the results did a very good job in showing the threat landscape today,” she said.
She said the challenge was to keep up to date with the risks as they evolve.
SMI posed the question ‘Do you foresee ship owners being called on more to prove the cyber element in their sea worthiness and how will this develop?”
Mr Thomas said he believed cyber security was very much an aspect of a vessel’s sea worthiness and Ms Tam said it was something the University was actively working on. Part of what the University has been doing is looking at the systems and coming up with a risk for each case. “From that, you can decide whether a ship is sea worthy,” she said.
There was some positive news from the survey in that respondents said nearly 80% of incidents were detected on the first day.
This could be down to a better awareness, and both Mr Thomas and Mr Dyer agreed training had improved over the past year.
Mr Thomas said Reed Smith had seen companies investing more time in training employees in cyber risks.
“I think that flows from a recognition that employees are probably the highest vulnerability risk for companies,” he said.