Soapbox – February
Let’s Reframe Cybersecurity as an Operational Issue
By Andrew R. Lee
From New Orleans’ waterfront pedestrian paths and park benches, the Mississippi River often looks placid and calm. Vessels ply these waters with stately grace, moving up and down the river and in and out of the Port of New Orleans as if performing a well-rehearsed ballet.
Experienced mariners, however, can tell you that the Mississippi is filled with threats—both hidden and obvious: strong currents, a changing riverbed, dangerous obstructions and high traffic. To ensure the safe movement of passengers and cargo, vessel owners and operators, ports and other industry participants have invested heavily in personnel training, top-of-the-line technology, and other tools and tactics that help minimize risks.
When it comes to maritime cybersecurity, the dangers are equally great. Unfortunately, the industry has not responded with equal force. In mid-2018, Jones Walker LLP commissioned its first-ever Maritime Cybersecurity Survey to gain an in-depth understanding of the current “cybersecurity state of the maritime union,” identify readiness gaps, and develop guidance for cost-effective, high-impact solutions that companies could implement almost immediately.
Skipping to the punch line, the maritime industry is aware of—and woefully underprepared for—potential cyberattacks. For example, 78 percent of large-company (more than 400 employees) respondents and 38 percent of all respondents reported that their companies were subject to a cyberattack within the prior year. Only 36 percent of respondents reported that their companies were prepared for a cyberattack, but—revealing a disconnect—69 percent believed that the industry, overall, was prepared. Nearly two-thirds reported that they were ill-prepared to address the negative public opinion and media coverage that often follow a cyber incident, and seven out of 10 expressed a lack of confidence in their ability to handle the aftermath of an event that involved the loss of sensitive or confidential intellectual property or business information.
The smaller the company, the less likely it was to take steps to prevent or prepare for a cyberattack. Of companies with 49 or fewer employees, only six percent indicated that they were prepared to meet cybersecurity challenges. Companies with 50 to 400 employees were only marginally more prepared; four out of five reported taking few or no steps to protect themselves. On a more positive note, the adage “once bitten, twice shy” seems to describe maritime companies. While the learning curve may have been steep and painful, our results showed that there was a correlation between having been the target of a cyberattack and higher levels of preparedness for future incidents.
Among companies that had been targeted by a successful or attempted breach, 73 percent of respondents reported that they were currently prepared to prevent or withstand another intrusion. It should be noted that many of the respondents who reported that they had never sustained a breach also lacked the technology to determine whether or not such a breach had, indeed, occurred. We can hope that many such companies have not had their data or systems compromised; realistically, however, there is a strong likelihood that at least some of them are simply unaware that they have transformed from a “potential victim” to an “actual” one.
A key motivation for conducting this survey was to help pinpoint areas in which maritime companies could take action, now and over the mid-term. Stakeholders must shift at least some of the focus from physical threats to information threats.
Perhaps the most important step companies can take is to reframe cybersecurity as an operational issue, instead of an information technology one. Software and systems are important tools in preventing cyberattacks, but many of the largest data breaches have been the result of simple human behaviors: unmanaged use of thumb drives and other portable data-storage options, failure to change passwords regularly, carelessly taking the phishing email bait, and unfettered access to company networks via mobile devices. Developing smart policies and providing effective training on cybersecurity processes can go a long way toward preventing future incidents.
Companies should consider increasing their cybersecurity budgets. According to our survey, more than a quarter of respondent companies had no resources allocated at all to cybersecurity. On an encouraging note, however, the majority of respondents from companies of all sizes indicated that their cybersecurity budgets will increase in the coming year.
Given the clear risks—to profits, resources, the environment and even human lives—it is our hope that this momentum toward greater cybersecurity preparedness will gather strength. If so, maritime companies will be as nimble at avoiding cyber threats as they are at navigating the waterways.
Andrew R. Lee is a partner with Jones Walker LLP in New Orleans and co-chairs its Privacy and Data Security Group. He advises clients on cybersecurity, records retention and electronic discovery. He assists with processes and programs related to the security of sensitive corporate data, recovery after cyber intrusions, litigation hold procedures, and electronic discovery of data in legal proceedings and internal investigations.