Beyond the classroom: keeping crew cyber-safe

The crew is commonly blamed as the number one source of cyber risk to vessels. The reality is that the vast majority are not malicious. They just lack the incentive to behave. Classroom training helps to an extent. But “carrots” and “sticks” will encourage and incentivise the seafarer to stay safe. Sign up here to get exclusive access to a series of articles and tools designed to power up your journey toward managing the cyber risks on-board your vessels.

All the speakers at our Cybersecure at Sea event in April agreed that crew behaviour was a significant area of cyber risk in shipping. To help counter this risk all are developing cybersecurity policies and planning training for seafarers. This approach is consistent with practices used ashore with office-based staff; but will it be successful at sea?

The vast majority of crew are of course not malicious and not intending to risk vessel cybersecurity with their actions. When we detect insecure practices and report them to our customers the underlying reason is generally well intentioned. For example, we might see installation of unapproved applications because the crew have been sent a document by a port or other authority which they need to process but lack the necessary software tools to open.

What works on land may not work at sea

There are several factors which potentially exacerbate the risk of adverse user behaviours at sea and could undermine the effectiveness of simply replicating or extending shore-based practices:

  • Lack of visibility and enforcement – Experience suggests that security policies are most effective where users believe they are monitored and may be held to account.

  • Crew language and transience – Shore-based policy deviations are often associated with temporary or contract workers. One reason is that they have conflicting training from different organisations. Another is the perception that they would have moved on before any policy violations are uncovered and attributed to them. The transitory nature of some crew suggests this may also be a common problem at sea.

  • Imperative to get the job done – Seafarers’ priorities will be on safely operating the vessel and meeting the required schedule. If a system problem is stopping them meeting these objectives they will likely prioritise fixing the issue and work around any security constraints.

  • Lack of local system administration support – The lack of a security or system admin resource onboard means users are more likely to make changes themselves than wait for support from shore.

These challenges are not insurmountable, but for best results some groundwork is required before rolling out new policies and training.

Activate policies and training with “carrots” and “sticks”

There are PhD’s worth of data proving that policies are easily ignored, training quickly forgotten.  Poor or careless behaviour often persists despite ever-growing policy documents or annual training sessions.

The key is to activate them by aligning with incentives and holding the crew accountable. Some practical approaches which can help ensure policies and training are a success:

  • Firstly, ensure the technology makes it easy for the crew to do their job – The easier the systems and processes are to use, the less the crew will try to work around limitations or constraints.

  • Adopt industry standard training material but tailor to your environment – The more consistent cybersecurity training is between firms the more likely transient seafarers are to follow it correctly.

  • Ensure policy is unambiguous and aligns with crew incentives where possible – it should be clear how good cybersecurity hygiene ultimately reduces the risk of outages which could impact the ability of the crew to meet their objectives.

  • Define clear compliance metrics backed up with monitoring and real-time feedback – users should know how they will be measured and if they deviate from policy then rapid feedback helps to reinforce their training.

  • Use trend data to review effectiveness and iterate – no system will be perfect and so it is important to plan for continuous improvement.

Monitoring is crucial to the last two points but should be easy to achieve if you are already planning to deploy a monitoring solution as a technical control for detecting cyber-attacks.

How are you improving crew cyber behaviour? Sign up here to get your free consultation on how to make the most of your crew cyber polices and training.

We are developing a series of practical advice blogs and tools that are free to access and designed to help fleet operators start or “power up” their journey to managing the cyber risks to their vessels. Check out the other blogs in this series and sign up here to be updated on future blogs and tools.