The maritime sector is embracing new technology at an unprecedented pace, with advancements in automation, system inter-connectivity and data analytics all delivering new efficiencies and innovations across the shipping, ports and logistics industries. Yet harnessing modern technological advancements comes with it the growing threat of criminal activity targeting data and systems. These 'cyber' threats have already caused highly publicised and significant losses in the maritime sector – from incidents at major ports to crippling systems and the theft of sensitive commercial data.
One area of increasing cyber risk that should be on the maritime radar surrounds the expansion of protections of individual privacy, and particularly, the expanding legal protections over citizens' personal information. Around the globe, jurisdictions have been expanding privacy legislation with the aim of ensuring that organisations that use and hold personal information adopt appropriate safeguards for the protection of that information, and are otherwise required to notify individuals and authorities where that privacy has been breached.
In Australia, a mandatory data breach notification obligation was introduced in February 2018 under the notifiable data breach scheme (the NDB scheme). Shortly afterwards, the General Data Protection Regulation (GDPR) was adopted by the European Union in May 2018, introducing mandatory notification requirements and very significant penalties for breach. We have seen in recent times penalties in excess of AUD$300 million handed down under the GDPR and a significant increase in penalties under the Australian regime is imminent. Yet organisations need to appreciate not only the risk of penalties (and for cross-border breaches, the risk of penalties in more than one jurisdiction), but also the cost of compliance with mandatory notification procedures, and the direct or indirect impact on the business including the risk of significant reputational harm that may flow from adverse media or ill-conceived public relations responses to large scale privacy breaches. Published data over recent years suggests that these direct and indirect costs of a significant hacking event can be in the millions of dollars. Organisations also need to appreciate that where there has been, or there is suspected to have been, unauthorised access to their system, then the NDB scheme and foreign equivalents may apply even where personal information does not appear to be the primary target of the event.
In May this year, the Office of the Australian Information Commissioner (OAIC) released a report reviewing the first 12 months in the life of the NDB scheme which provided some compelling insights into the rising risk of cyber security threats, and some important learnings for organisations. The OAIC has reported there were 964 eligible data breaches in that period, the vast majority of which were relatively small events, where affected individuals numbered less than 1,000 (83%). Of the eligible data breaches, 60% were of a malicious nature and 35% were attributed to human error (the remaining 5% being attributed to system faults). The vast majority of the malicious events involved compromised or stolen credentials, enabling third parties to access email accounts or systems.
There are some valuable learnings that can be drawn from those statistics. First, over a third of all incidents are the result of human error, and human error can be reduced by appropriate training and employee guidelines. Ensuring employees follow IT security procedures, and providing comprehensive training will go a long way to reducing that risk. Similarly, the prevalence of incidents arising from stolen credentials is a lesson in the importance of adopting simple but effective IT security procedures for staff – regularly changing passwords and dual-factor authentication would have prevented many of the reported incidents, we suspect.
More targeted and sophisticated attacks will remain a risk, and appropriate level of cyber resilience (including a properly prepared data breach response plan and cyber insurance should be in place to manage and respond to such risks), but the starting point should be employee engagement and training. The best cyber resilience practices start with all employees understanding that their inadvertent actions, like clicking on a bogus link or responding to a fake email, are the greatest risk to your business.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.