Survey: Two-Thirds of U.S. Maritime Firms Unready for Cyberattack
Maritime law firm Jones Walker has released a new, comprehensive survey of cybersecurity preparedness at American maritime companies. The survey attracted responses from 117 firms in all major industry segments, and the results are sobering: nearly 40 percent of respondents said that they had suffered a cyberattack or an attempted attack within the last year. Despite the evident risk, nearly two thirds of these firms said that they are not prepared to prevent a data breach, including nearly all of the smaller firms with fewer than 50 employees.
According to co-author Andrew Lee, a partner at Jones Walker, cybersecurity is often treated as a low priority in the industry because of the perception that it is merely an IT issue. "A cyber threat is a business risk; if the attitude doesn’t align to acknowledge this, cybersecurity won’t get the organizational attention that is needed," Lee says.
This attitude means that the industry's response to cybersecurity threats is often reactive. But waiting for a breach means accepting risks, potentially including the theft of customer or employee data; the operational impact of a ransomware attack, like those at APMT and Cosco (North America); and potential state-level compliance issues, which vary by locality.
In the future, cyberattack preparedness could also become a matter for federal regulators. "The regulatory authorities are talking about [cyber requirements]. The Coast Guard has not yet issued any regulations, but in its guidance, it is suggesting very strongly that maritime stakeholders have to become cyber ready," says Lee. "If there is a maritime incident that is caused by inadequate cyber protection, a company could get written up, which could result in civil liability as well."
Since cybersecurity is an operational problem, companies need a wholistic solution, Lee says. As a first step, a firm can work with its IT team to determine where its operations are visible on the internet and where it has vulnerable points of entry. On the human-factors side, Jones Walker offers consulting services to help firms formulate practical cyber policies, training programs and breach response plans. "Companies often handle breaches poorly, and we can help them put together a written plan to guide their activities in the event of a breach," Lee says. "Once the plan is developed, we can help them conduct trainings and tabletop exercises on breach response."
Small firms, special issues
Responses from smaller firms stood apart in Jones Walker's survey. About 30 percent of large firms reported that they had been successfully hacked in the past year, but none of the small firms surveyed said that they had suffered a data breach. Only one small company was aware of an attempted attack.
This pattern raises the question of whether the smallest firms have the capacity to detect a cyberattack, and 14 percent of the small firms acknowledged that they were unsure whether they had been attacked or not. In part, this could be a question of budgeting: about one in ten survey respondents, almost all from smaller firms, said that they are not spending any money to address cybersecurity.
"Small companies may not even be aware that they have been attacked. They can't really diagnose the problem if they don't understand the problem, and a significant proportion are devoting little or no budget to the issue," warns Lee.