Maritime cyber security
for Whitby operators.

Garmin GPSMAP, Raymarine Axiom, Furuno GP series and similar multifunction displays run embedded operating systems, increasingly with Wi-Fi, NMEA 2000 network connectivity, and over-the-air update capability. Key steps: enable automatic firmware updates where available; disable Wi-Fi when not actively in use; never connect unknown USB devices; do not share the onboard network password with transient crew or visitors.

Class B AIS (the standard for vessels under 300GT) broadcasts vessel name, MMSI, position, speed, and course without encryption. This data is publicly aggregated on sites like MarineTraffic. Be aware that your movement patterns are fully visible. Some fishing operators deliberately use their AIS visibility to establish documented presence in disputed or quota-relevant waters — this is a legitimate tactical use, but it means your track history is a permanent, public record that can be examined by regulators, insurers, and competitors alike. Spoofed AIS broadcasts — false vessel positions — cannot be authenticated by a receiver. If your AIS position appears unreliable or other vessels' positions behave anomalously, cross-reference against a second source.

Civilian GPS carries no authentication. A spoofing signal — which broadcasts false GPS data at higher power — can cause a receiver to report an incorrect position without any visible error indication. If something feels wrong (position disagrees with visual reference, radar, or expected transit time), trust your other senses and non-GPS navigation. Keep a paper chart.

VHF radio itself carries minimal cyber risk, but the MMSI number linked to your DSC controller is publicly registered and identifies your vessel. Ensure your MMSI is correctly registered with Ofcom (apply or update at ofcom.org.uk/manage-your-licence/radiocommunication-licences/ships-radio) and your radio licence is current. False distress calls via DSC are a separate concern — if you receive an anomalous DSC alert with an unrecognised MMSI, treat it with appropriate caution and report to the Coastguard.

Iridium GO, Inmarsat BGAN, Garmin inReach and similar devices connect to global satellite networks. The communication is encrypted in transit. Key risks are account-level: a compromised account could be used to rack up significant data charges or redirect emergency messaging. Use strong, unique passwords for all satellite comms accounts. Enable two-factor authentication where supported.

Many vessels now carry a router or mobile hotspot providing Wi-Fi to crew. Never connect navigation equipment to the same network as crew personal devices if avoidable. If separation isn't possible, use the strongest available encryption (WPA3 or WPA2-AES), change the default password, and change the password when crew changes.

If you use a Fishing Vessel Position app or digital catch recording system (MMO/IFCA requirements), ensure the device used is kept updated, password protected, and is not shared with crew for personal use. A corrupted or falsified electronic log — even through accidental malware — can create serious regulatory complications.

Email is the primary attack vector for invoice fraud, phishing, and credential theft. Enable two-factor authentication on every email account — this single step prevents the majority of account takeovers. Use a separate email address for supplier payments. Be extremely cautious of any email requesting a change to bank payment details.

An attacker gains access to a supplier's or your own email account, monitors ongoing transactions, and intercepts or substitutes a legitimate invoice with altered bank details. Call your supplier directly (from a number you already hold, not one in the email) to verify any payment destination before making a first payment or after any supposed change of account details.

Use a dedicated device for online banking where possible. Never access online banking from public Wi-Fi in the harbourside cafes, pub, or chandler. Enable all fraud alerts your bank offers. Since 7 October 2024, the Payment Systems Regulator (PSR) requires banks to reimburse victims of Authorised Push Payment (APP) fraud up to £85,000 per claim, within five business days. This is mandatory — not discretionary. You must report within 13 months of the payment. Your bank may only refuse if you acted with gross negligence or committed fraud yourself. This is a significant protection that most small maritime operators are unaware of. If your bank resists, cite the PSR mandatory reimbursement requirement and escalate to the Financial Ombudsman Service.

Use a password manager (Bitwarden is free and open source; 1Password is well regarded for small business). Never reuse passwords. A password compromised in one data breach will be tested against banking and email by automated tools within hours.

The only complete defence against ransomware is a good backup. Follow the 3-2-1 rule: three copies of data, on two different media types, one copy held offsite or in cloud storage. Test your backups. An untested backup is a guess.

Networked CCTV cameras are among the most commonly compromised devices in small businesses — typically because default passwords are never changed. Change the admin password on every camera, NVR, and door access controller you own. If it connects to the internet, treat it as a potential entry point.

The IMO's maritime cyber risk management guidelines require vessels subject to the ISM Code to address cyber risk. The ISM Code applies to vessels of 500GT and over. The Whitby inshore fishing fleet is largely below this threshold and therefore not covered — which means cyber practice is entirely self-motivated.

The MCA follows IMO guidance and has issued its own advice on cyber security for UK-flagged vessels. While no formal cyber obligation exists for inshore fishing vessels, MCA survey teams are increasingly aware of cyber risk. MCA's Marine Guidance Note MGN 728 covers cyber security for ships.

This applies to you if you hold crew employment records, customer data, CCTV footage, or any personal information. The UK GDPR and DPA 2018 require appropriate security measures, breach notification within 72 hours, and demonstrable compliance. The ICO takes enforcement action against small businesses.

The UK NIS Regulations 2018 apply to operators of essential services and relevant digital service providers. Port operators and certain harbour authorities may fall within scope. Individual fishing vessel operators and small quayside businesses typically do not.

This is where most operators are most exposed. Standard P&I cover and hull policies have low cyber sub-limits or exclude cyber loss entirely under war-risk clauses. Ransomware affecting an onboard system, a spoofed invoice paying away operating funds, or a data breach affecting crew records may all be entirely uninsured. Review your cover specifically for cyber. A typical exclusion clause reads something like: “This policy does not cover any loss, damage, liability or expense directly or indirectly caused by, contributed to by, resulting from, or arising out of the use or operation of any computer, computer system, computer software programme, malicious code, computer virus, or any other electronic system.” That single paragraph, buried in policy wording, can void your entire claim. Standalone cyber insurance for small maritime businesses is available from Lloyd’s market insurers. Ask your broker specifically — in writing — whether your current policy covers cyber loss, and keep the response on file.

If your business sends marketing emails or runs a website with tracking, the Privacy and Electronic Communications Regulations apply alongside UK GDPR. Less directly related to cyber security, but part of the same compliance landscape.