Yacht cyber security: 5 essential onboard practices

An Inmarsat study showed that nearly half of the 200 maritime businesses surveyed reported having been subject to a cyber breach since 2019. Of those breaches, 3% resulted in a ransom being paid to the attacker, at an average cost of US$3.1million. With financial gain being the key motivator behind these attacks, multi-million-pound vessels are a prime target for attackers looking for weaknesses in networks and systems to exploit.

This growing and concerning trend resulted in the implementation of the IMO’s cyber risk management guidelines, introduced in January 2021, designed to set an industry standard for all vessels over 500 gross tons to follow. To become IMO-compliant and secure flag state approval, yachts must have cyber security mitigation methods built into their safety management system (SMS).

When it comes to yacht cyber security, the defence and mitigation methods required are generally dependent on the number of vulnerabilities and the level of risk these vulnerabilities pose to the yacht’s security. A 70m charter yacht will likely require more extensive management than a 30m private yacht.

There are various services and products available to superyacht owners and crew, but here are five essential tips we believe every yacht should follow as a basis for any onboard cyber risk management framework.

1. Training your crew is crucial to yacht cyber security.

Human interference has long been associated as the greatest weakness resulting in cyber security attacks. 40% of superyacht professionals do not know the difference between anti-virus software and network endpoint security, according to a 2022 Inmarsat report.

Crews with little awareness of cyber-criminal tactics are more likely to fall victim to social engineering attacks such as phishing, which is currently the leading cyber threat. Even the most robust cyber management policy is likely to fail if the crew are not trained and equipped with the knowledge to identify a potential threat. A simple opening of an attachment on an email from an unsuspecting stew could be the root cause of a significant data breach or ransom attack.

In addition to the threat of social engineering, crew (and guests if the vessel is a charter yacht) will bring on board their own personal devices. Yachts may have a BYOD (Bring Your Own Device) policy, which allows crew to work from their own devices. However, this means the vessels IT department has less control. In this environment, more responsibility is placed on the crew, so training them to act responsibly is essential. In this scenario, key advice would include avoiding suspicious websites, installing updates, and removing any unused software.

Crew can be trained to spot these threats and malicious tactics through CyberSafe, our modular cyber awareness training course, which supports IMO policy requirements.

2. Keep your systems and hardware updated.

Out-of-date equipment is vulnerable equipment. Software updates are not only important from a performance perspective, but they are also crucial for strong security. Updates often contain security patches and other features to fix flaws in software/systems that have been identified as vulnerabilities that attackers may exploit. A software patch is a repair for a piece of programming designed to resolve functionality issues, improve security or add new features (TechTarget).

3. When it comes to emails, act with caution.

90% of cyber-attacks infiltrate an organisation via email, so we always urge caution when clicking on any links or attachments, particularly on emails you were not expecting. If the sender requests personal information, the email claims to be urgent or contains poor grammar, proceed with caution, as these are key indicators of a phishing email. If in any doubt, we urge you to send the email to your designated cyber officer, or if you are a client of OceanWeb, contact our engineers.

Ensuring you have a solid email security system in place will support you in avoiding malicious emails. Anti-virus, advanced attachment sandboxing and daily lists of quarantined emails are all features of our OceanWeb-managed email service. Simulated phishing is another prevention tactic. This allows you to see how your crew respond to a phishing email and evaluate the effectiveness of your cyber awareness training.

4. Effective password management

Last year, over 61% of data breaches involved compromised password credentials or brute-force attacks. Therefore, ensuring you have a strong password policy in place is another cyber security basic. Passwords should never be shared, never be reused, and not be related to you or your life. They should be easy to remember and hard to guess. Two-factor authentication (2FA) should always be activated where available as a second layer of protection. Enabling 2FA means that two verification methods are required, strengthening protection against stolen passwords.

Due to the vast number of systems required onboard a yacht, we would highly recommend implementing a password management system. This system stores all organisation passwords (and other sensitive information such as bank account details) in a secure, encrypted environment. This limits the use of weak passwords and recycled passwords, with the management system storing all the data for you.

5. Lost or stolen devices must be reported.

Whether a device is lost or stolen, crew must be trained to report this to an onboard security officer (or the equivalent). Lost devices mean both personal and company data is vulnerable to interception by cybercriminals. As mentioned earlier, yachts are often BYOD environments, which means that when crew lose their mobiles, company data may be lost or vulnerable.

Adding a Mobile Device Management (MDM) provides an effective data protection solution in cases of lost or stolen devices. MDM enables remote management of devices throughout a vessel, which includes security, encryption, and remote device wiping. An invaluable tool in the event of a stolen device.