Cybersecurity on Passenger Ships: Training a Crew That’s Never at a Desk

Most cybersecurity training assumes a fairly standard work environment: a computer, a fixed location, a regular schedule. For the crew of a passenger ship, none of that applies. They work rotating shifts, spend weeks at sea, share devices, and rarely have access to a stable office setup. Meanwhile, the threat picture for passenger ships cybersecurity is getting worse by the year. In the first half of 2024, security firm Marlink recorded more than 23,400 malware detections across 1,800 monitored vessels. By 2025, maritime cyber incidents had jumped 103% year on year. Nearly half of those incidents started with phishing. The same is true for cargo ships cybersecurity: the vessel type changes, but the human entry point stays the same.

STCW covers the deck. Not the inbox.

For seafarers on ISPS Code-compliant ships, a STCW Security Awareness certificate is a legal requirement. The training covers what you would expect: recognising physical threats on board, controlling access to restricted areas, understanding security levels, and knowing how to report suspicious activity. It is a solid foundation, and for physical security it does exactly what it needs to do.

Digital threats are a different matter entirely. The crew member who responds correctly to an unauthorised person at the gangway may not think twice about clicking a link in a message that appears to come from the shipping company’s management system. Physical security awareness and digital security awareness are distinct skills. STCW does not address phishing, social engineering, or credential theft. That gap is real, and it is increasingly being exploited.

NIS2 makes digital awareness a legal obligation too

European maritime operators now face pressure from two directions. The first is the threat itself. The second is regulation. Under the NIS2 directive, maritime transport companies are classified as operators of essential services. That brings with it a documented duty of care, incident reporting obligations, and an explicit requirement to invest in employee security awareness. What that looks like in practice is covered in Guardey’s NIS2 guide for 2026, which details the awareness training requirements that organisations in scope need to meet.

Training that works without a desk or a fixed schedule

This is where the practical challenge comes in. Annual e-learning modules were designed for office workers. Research shows that up to 90% of knowledge from yearly training fades within weeks, but for a crew member returning from four weeks at sea, the gap between training sessions can be far longer. Traditional formats simply do not fit the rhythm of maritime work.

The more effective model is short and frequent: weekly sessions of two to three minutes, available on any device, completable whenever the schedule allows. Guardey’s security awareness training is built around exactly that approach, with mobile-first micro-training that uses gamification to keep engagement up over time. For a workforce that is rarely at a desk, this is not a minor convenience. It is the difference between a training programme that actually reaches people and one that exists only on paper.

Passenger ship operators who have already ensured STCW compliance have the physical security layer in place. NIS2 now requires the digital layer too. The good news is that the format best suited to meeting that obligation also happens to be the one that fits maritime working conditions best: short, mobile, and continuous.