by Chris van der Deijl, Marketing Director at WORLDEMP
At the Maritime Information Services Shipping Summit in Athens, the final session of day one turned to a theme that surfaced repeatedly throughout the event: cyber security in the maritime sector.
The panel discussion, “From Bridge to Boardroom“, brought together regulatory, operational and behavioural perspectives to examine how the industry must respond to escalating digital risks.
Moderated by Dr Akanksha Batura Pai, Executive Director of Sinoda Shipping Agency, the session delivered a consistent message: cybersecurity is not an IT issue alone. It is an organisational challenge that touches leadership, governance, culture, training and operational resilience.
“It Won’t Happen to Us” Is a Risk in Itself
Dr Iliana Christodoulou Varotsi, Academic Course Director at Lloyd’s Maritime Academy, opened by challenging two persistent assumptions — that cyber security sits solely within IT departments and that smaller or less visible companies are unlikely targets.
Attackers, she stressed, pursue value rather than visibility. Data, operational systems and supply chain access points make any organisation attractive. Effective cyber resilience, therefore, requires a holistic approach encompassing ownership, governance structures, procedures, people and technology.
From Compliance to Organisational Resilience
From the shipowner’s perspective, Jose Milhazes, Business Process Innovation Manager at GasLog, urged companies to assume an incident will occur. The objective, he explained, is not to create alarm but to structure preparedness.
When cyber risk is framed in terms of reputation, financial exposure and operational continuity, it moves beyond compliance and onto the board agenda. Regular reporting to senior management — including threat volumes, incident levels and training coverage — becomes part of standard governance.
Milhazes emphasised that resilience often hinges on behaviour rather than complex technical solutions. Drawing on a personal experience involving a burglary enabled by social media exposure, he highlighted the practical risks of sharing vessel imagery and operational details online. Simple measures — security reminders, behavioural prompts and device-discipline practices — can significantly reduce exposure.
Artificial Intelligence: A New Layer of Risk
Albert Mulder, Human Behaviour Specialist in the maritime industry at WE EmpowerAI, addressed the accelerating role of artificial intelligence. Framing the discussion with humour before shifting to urgency, he described how AI is evolving beyond chat interfaces into autonomous, agent-based systems capable of acting independently. This development transforms “Shadow AI” from isolated experimentation into a broader organisational risk.
Mulder identified two misconceptions that undermine readiness. The first is the belief that “people are the weakest link.” While human error plays a role, systemic shortcomings — unclear procedures, missing frameworks and lack of safe alternatives — often drive risky behaviour. The second misconception is that organisations still have time to react. Given the speed of AI adoption and its open-source accessibility, he argued that immediate action is required.
Regulation Exists: Implementation Is Critical
From a legal and regulatory standpoint, Varotsi underscored that no single instrument resolves cyber risk. The international framework rests on IMO instruments integrating cyber risk management into Safety Management Systems, supported by class notations, ISO and NIST standards, and regional guidance such as ENISA recommendations. She also referenced NIS2, which designates water transport as an essential sector and may apply to a wide range of maritime stakeholders. The framework exists; the challenge lies in effective implementation. Resilience, she noted, includes the capacity to withstand, respond and recover.
From Awareness to Behaviour: The Role of Drills
The discussion moved from policy to practice with a focus on drills and behavioural testing. Mulder argued that resilience should be measured not by awareness but by observable behaviour. Just as companies conduct fire and abandon-ship drills, they should implement cyber drills — including phishing simulations and social engineering tests — to assess real-world responses.
Across the panel, one conclusion stood out: cybersecurity is safety. It is not a parallel function but integral to safe maritime operations.
Final Takeaway: Leadership and Action Now
In closing, practical recommendations were clear. Mulder encouraged organisations to engage with AI responsibly while providing structured frameworks and approved tools. Milhazes advised embedding cyber considerations into every digital investment and supplier relationship. Varotsi emphasised awareness, training and common sense as foundational pillars.
The overarching message was unambiguous. The maritime industry cannot rely on reactive measures. Building cyber resilience demands leadership, accountability and continuous professional development — from bridge to boardroom.
