COMMENTARY: It’s unfortunate when cyberattacks serve as a wake-up call for companies to start taking security seriously, especially when security teams and researchers have been sounding the alarms for as long as I can remember. 2024 has shown that the numbers still don’t lie. Rising geopolitical tensions have led to more targeted attacks against the shipping sector, with 64 state-sponsored incidents in 2024 alone. And this isn’t just amateur, opportunistic hackers; advanced cybercriminal campaigns are targeting these organizations — making it a matter of when, not if, a company will be targeted.
I’ve had many conversations with security leaders involved in the shipping industry, and they all recognize the same risks: the increased volume and sophistication of malware and ransomware threats. The challenge they face isn’t awareness of cyber activity and mitigation strategies, but how they can maximize budgets and technology for success. To make matters worse, 2025 is unlikely to present a significant economic incentive that will drive these companies to boost cybersecurity spend on new technologies unless it allows for consolidation of technology, cost reduction, or the ability to leverage existing security staff more efficiently.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]
The conversation I’ve had with these teams, and the one I’d like to have today, is how to enhance cyber resilience by augmenting an existing security strategy, especially one that may be rooted in legacy approaches, so that organizations get the most bang for their buck.
Out with (some of) the old
Band-Aids don’t fix bullet holes. They may mask the problem, but not for long. This is to say that you can’t rely on what has worked in the past to work in the future, especially when so much technological modernization has occurred.
For starters, digital infrastructure has rapidly expanded across the sector. Whether security teams like it or not, artificial intelligence and automation technologies are being considered across all facets of logistical operations to improve processes, communication, and cost optimization. There are also growing cloud ecosystems and data storage environments that are at risk of being misconfigured or poorly monitored, especially when security is often not included in the architecture process.
The tools currently used to secure legacy devices and systems — old school antivirus, firewalls, or vulnerability scanners — aren’t equipped for this new era of threats and lack the sophistication needed to provide organizations with the level of protection demanded by today’s data sprawl.
Know your weak spots
For many teams, an internal security audit can do wonders to get the ball rolling. Start by taking inventory of which security products you have, the technology deployed across your organization, and all third-party supplier and partner connections, then map out where you have gaping holes or significant overlaps. At this point, you’ll likely find that you’re not as secure as you thought you were, and that to get to a point of confidence, you’ll need to purchase numerous tools that you don’t have the budget for or the resources to properly maintain. Perhaps that makes your budget your biggest weakness, and this data you spent time collecting isn’t going to move the needle with your Board.
Be a (smart) advocate
Trends have shown that logistics companies have drastically increased technology spending or have plans to further their investments. These investments align with what I’ve discussed earlier, including increasing spending on areas such as supply chain management, automation, and digital documentation. Yet, cybersecurity investments don’t necessarily match. A report issued last year found that a third of companies surveyed within the maritime sector are spending less than $100,000 annually on cybersecurity management. In a recent Gartner survey, the majority of respondents note that they budget between $1,000 and $2,000 on cybersecurity per employee. If your company only has 50-100 employees, then you would be on pace with some of your peers, but many of these shipping companies employ thousands across the globe. That may cut it for an SMB, but we’re talking about massive corporations that are critical to the global supply chain.
While I encourage making the most out of the budget you are given, I also want to empower you to be an advocate for your security department. Executives and Boards communicate in terms of business impact — profitability is arguably number one — and respond best to conversations that are centered around risk to revenue and brand loyalty. Cyber risk is likely not top of mind, especially when many of these institutions are experiencing operational impacts due to physical attacks on vessels by militant groups, sanctions affecting imports and exports, labor strikes, or damage/delays due to natural disasters.
When having budgeting conversations, make sure to speak their language and communicate how cybersecurity incidents impact the business from a financial and reputational lens. For example, cybersecurity breaches can lead to organizations facing long-term compliance issues that lead to massive fines and mandatory corrective action — talk about an expensive endeavor. Investigations conducted by regulatory authorities could lead to massive financial penalties if negligence is found on the breached company’s part. That’s a headline you don’t want to come out.
Important security strategy components
Now, let’s talk about what’s important to focus on from a security strategy perspective. The International Maritime Organization (IMO) encourages organizations to build a cybersecurity risk management framework that focuses on the following key pillars:
- Identifying the systems, assets, data and capabilities that, when disrupted, pose risks to ship operations. This is a big one. Often, organizations lack visibility into what systems are connected to their network—thanks to Shadow IT—or where their data is traveling across their organization. There needs to be an emphasis on data protection technology that looks at data at rest (cloud storage) and data in motion (moving throughout endpoints). And when you prioritize efforts in these areas, you must focus on the facets that have the potential to cause the most damage. Remember, Rome wasn’t built in a day!
- Implementing risk control processes and measures, and contingency planning to protect against a cyber event. Rather than “protect,” this pillar is better served when read as “prevent” against a cyber event. Deploying preventative frameworks, like the Zero Trust model, allows you to be proactive versus reactive.
- Detecting cyber incidents in a timely manner. Real-time alerts to activities happening within your network and data-intensive environments are critical. Ideally, you’d have a solution in place that has already safeguarded your company. However, having visibility into threat attempts helps make your security (and preparation) stronger in the future.
- Restore and recover systems necessary for shipping operations or services impaired due to a cyber event. Backups and incident response plans are important! Doing some extra leg work ahead of time will make you more prepared for the future. You’ll be able to resume daily business and tackle challenges faster than you would otherwise, saving you time and your company money.
As someone who has seen the evolving nature of cyber threats and their consequences, I see all of this as a baseline framework for a successful cybersecurity strategy. Deconstructing your tech stack and digging into the unique digital infrastructure that houses your most sensitive data and powers critical operations will give you further guidance into where you need to prioritize investments.
With all that being said, my advice is this: don’t be afraid to ditch the status quo. Not only is cybersecurity growing exponentially — both in terms of vulnerabilities and opportunities — there are many new vendors in the space that provide holistic services. However, there are also solid options via managed services that can provide greater support when it comes to cybersecurity management at the scale that critical infrastructure demands.