Some 70% of senior maritime industry executives in the US believe their sector is prepared to respond to cyber attacks, but just half that number believe their own businesses are ready.
Of the 126 senior maritime executives polled in a survey by US-based law firm Jones Walker, only 36% said their business is prepared in the event they face an attack.
The levels of expectation around how prepared a company is for a cyber attack as well as the number of concrete cyber security protection measures companies have put in place are tied to company size, according to the survey.
“Small and mid-size companies are far less prepared than larger companies to respond to a cyber security breach,” the survey’s authors said.
And the difference is stark. While 100% of respondents from large organisations indicated they are prepared to prevent a data breach, comparatively only 6% of small companies’ (one to 49 employees) respondents and 19% of mid-sized companies’ (50 to 400 employees) respondents said they were prepared for a breach.
By their own admission, small and mid-size US maritime companies “lack even the most fundamental protections, exposing them to huge potential losses,” according to the survey’s authors.
“92% of small companies and 69% of mid-size company respondents confirmed they have no cyber insurance,” the report said, while almost all the larger companies reported having insurance.
However, larger businesses are facing the brunt of cyber attacks directed at the US maritime industry, according to the survey results.
Nearly 80% of large US maritime industry companies (with more than 400 employees) reported facing a cyber attack within the past year.
That information upped the total percentage of US maritime industry companies that have faced an attack to 38%.
Among the largest companies that participated in the survey, 18 of 23 surveyed had been subject to a cyber attack in the last year. For small and medium-sized companies, only 26 of 94 companies had faced a cyber attack.
When asked about their companies’ greatest cyber security exposure, respondents from large companies focused on external threats. Mid-size and small companies offered a more mixed assessment of current threats.
“The [survey] provides evidence of a worrying level of complacency among maritime industry operators about cyber attacks,” said Tulane University Maritime Law Center director Martin J Davies.
“Although the financial consequences of data breaches can be crippling, the survey shows that few in the maritime industry are adequately prepared to guard against them, or to respond effectively if an attack occurs. The survey shows unequivocally that action in relation to cyber security is urgently needed, by both industry and political leaders.”
Companies that had been targeted in a cyber attack during the last year reported increased preparedness measures taken in the wake of the attacks. However, 36% of small-company cyber attack victims remain unsure of the root causes of the data breaches that ensued.
On the whole, 10% of survey respondents reported that their systems had been breached in an attack over the last 12 months, while 28% reported they had managed to fend off attackers during the same timeframe.
In responding to the question, “How would your company deal with a cyber security incident?” the majority indicated that they were unprepared to handle the business, financial, regulatory, and public-relations consequences of a cyber attack.
Most companies said they do not have a written plan in place to deal with potential incidents, with the problem being most acute among small and mid-sized companies. Some 60% are unprepared to deal with negative public opinion, blog posts, and media reports after a data breach; 49% are unprepared to minimise the loss of customers’ and business partners’ trust and confidence after a data breach; 70% are unprepared to respond to a data breach involving confidential business information and intellectual property; and 70% are unprepared to respond to the theft of sensitive and confidential information that requires notification to victims and regulators.
According to the Jones Walker report, respondents’ assessments of their companies’ cyber readiness did not vary between industry subsectors.
The law firm polled three different industry groups: vessel owners and operators, port operators, and cargo shipping companies. The different groups all offered a similar range of responses, with shipping companies indicating slightly higher confidence in their preparedness.
Just 3% of vessel owners and operators reported being ‘very prepared’, with 39% reporting being ‘completely unprepared’. Port operators fared somewhat better, with 4% being ‘very prepared’ and only 7% viewing their business as ‘completely unprepared’.
The survey also explored the types of technologies, procedures, and best practices that are being used throughout the maritime industry, and found that, by and large, companies were adopting basic procedural and policy measures but forgoing more sophisticated measures.
Mirroring readiness statistics, 100% of large companies reported requiring their employees to participate in cyber security training, while half of small companies said they never required employees to undergo training in cyber security.
Hansford Wogan, Jones Walker Maritime Attorney and co-author of the Maritime Cybersecurity Survey White Paper, said, “The survey strongly illustrates that industry preparedness is dependent on two factors: company size and recent experience as a cyber attack target.”
“There are enormous risks to the industry as a whole. Yet, the survey indicates that only the larger US maritime industry companies seem to have this threat on their radar, while the smaller and mid-sized companies are mostly unprepared,” Mr Wogan said.
“An ounce of prevention in training is worth a pound of a cure in terms of cyber attack readiness, and if every company approached this cyber security issue with that mindset, the maritime industry as a whole would be far less at risk,” he said.
Jones Walker’s study authors suggested investment and industry collaboration were two key features needed to ensure a cyber secure maritime industry.
“The maritime industry has a well-established and impressive safety record. But when it comes to cyber threats, our study found that — particularly among small and mid-size companies — there is a considerable knowing-doing gap,” the report said.
“The industry is not as prepared as it must be to prevent and address damaging cyber attacks. Industry stakeholders should apply their history of establishing successful safety programmes to cyber readiness planning. Company leaders can use this experience to apply a systematic and proactive approach to enhancing their cyber preparedness and data breach responsiveness.”