In its latest edition of Phish and Ships, Be Cyber Aware at Sea presents Professor Keith Martin, from Royal Holloway, University of London, who argues that ‘Cyber security needs both a ʻbottom upʼ and ʻtop downʼ approach.’ Specifically, the bottom-up approach reflects the common thinking that personnel present the greatest risk to cyber security.
Thus, Be Cyber Aware at Sea argues that personnel are also the easiest risk to remedy through education, in order to improve cyber hygiene. In other words, making the crew aware of the cyber risks and informing them of the procedures to follow in order to react correctly and safely will help limit the mistakes that commonly come from the human factor.
Professor Martin highlights that, to achieve strong cyber resilience throughout the shipping industry, the industry should build a knowledgeable and savvy workforce operating in companies more attuned to the risks and invested in prevention, striving to meet tighter and more realistic worldwide regulations.
As the professor notes:
I think the bigger mistake is to design a system that does not take the likelihood of human error into account.
He continues that if the crew, and the human factor in general, seem to be the greatest threat to cyber security, it is important for the maritime sector to understand that steps should be taken to better educate its crews. In other words, strengthening cyber protection should be based on cyber training for staff, investing in more secure IT systems, software and hardware, or establishing dedicated cyber teams to take responsibility.
In addition, the professor comments that the widespread use of legacy equipment and the staffing onboard vessels are two of the most important weaknesses the industry faces, making a cyber attack easier.
The general picture is that the maritime industry should have a dynamic, multifaceted approach to cyber security. Regulatory bodies should be upholding tighter standards that enforce cyber resilience, while companies should be examining every potential weak surface point and investing in their preventative security and in backup procedures should they suffer a breach.
What is most notable for the industry to realise is that it cannot pick one approach but must commit to several to ensure effective security. Everyone is a stakeholder in this industry; it must matter to all that security is upheld.