Key Takeaways
- Trusted access and compromised credentials are now the dominant attack vectors, accounting for 69 % of observed risks versus only 12 % from traditional technical vulnerabilities.
- IT/OT convergence in remote maritime, energy, and industrial sites is expanding the attack surface, with many undocumented or poorly secured connections and a large share of OT assets remaining unknown or unmanaged.
- Human error remains a critical weakness: phishing simulations show 20 % of users click malicious links and 11 % disclose credentials, while only 11 % report incidents.
- Ransomware activity is rising sharply, with detections growing from 5,740 in 2024 to 7,793 in 2025, over half targeting transportation, energy, and manufacturing sectors.
- In maritime environments, 82 % of security alerts occur in crew‑network zones, highlighting user‑facing systems as the primary attack surface.
- Marlink urges an identity‑first security approach, including multi‑factor authentication, network segmentation, continuous monitoring, and targeted awareness programmes to mitigate these trends.
Overview of Marlink’s Cyber Intelligence Report for Remote Operations 2026
Marlink has released its Cyber Intelligence Report for Remote Operations 2026, underscoring how evolving cyber threats are heightening the risk of disruption across maritime, energy, enterprise, and critical‑infrastructure sectors. The analysis draws on continuous monitoring from global Security Operations Centres (SOCs) and more than 200 cyber‑security assessments conducted in 2024‑2025. It reveals a clear shift in attacker tactics, moving away from reliance on purely technical exploits toward the exploitation of trusted pathways, integrated IT/OT environments, and human weaknesses. This evolving threat landscape amplifies safety, operational, financial, and reputational risks as organizations become increasingly dependent on digital systems in remote and often isolated settings.
Trusted Access and Credentials as Primary Attack Pathways
One of the report’s most striking findings is that trusted access and compromised credentials now serve as the main gateway for cyber intrusions. Specifically, 69 % of observed risks were linked to compromised user credentials, compared with only 12 % stemming from traditional technical vulnerabilities such as unpatched software or misconfigured firewalls. This indicates that attackers are prioritizing the theft or misuse of legitimate login information—through credential harvesting, password spraying, or the abuse of privileged accounts—rather than developing sophisticated malware. Once inside with valid credentials, malicious activity can blend with normal operations, making detection far more difficult and increasing the likelihood of prolonged network or operational downtime.
IT/OT Convergence Expanding the Attack Surface
The growing integration of information technology (IT) and operational technology (OT) in remote sites is further enlarging the attack surface. In 2025, 60 % of assessed locations relied on shared infrastructure between IT and OT systems, while over 70 % exhibited undocumented or inadequately secured connections. Additionally, 30‑40 % of OT assets were initially unknown or unmanaged, creating blind spots that adversaries can exploit without triggering traditional defenses. These gaps are increasingly being leveraged through trusted access routes rather than through malware delivery, underscoring the need for visibility and control over all interconnected devices, especially those governing critical physical processes such as propulsion, power generation, or cargo handling.
Human Factor Driving Initial Compromise
Despite advances in technology, the human element remains a decisive factor in cyber risk. Phishing simulations conducted as part of the report showed that 20 % of users clicked on malicious links and 11 % disclosed their credentials when prompted. Alarmingly, only 11 % of those who experienced a phishing attempt reported the incident to security teams, indicating a significant gap in incident‑response culture. This low reporting rate hampers timely threat intelligence sharing and allows attackers to maintain footholds undetected. The data reinforce that technical controls alone cannot secure remote operations; robust user awareness, clear reporting procedures, and a security‑conscious culture are essential complements to any defensive strategy.
Ransomware Trends and Sector Impact
Ransomware continues to escalate in both frequency and impact across Marlink‑monitored environments. Detected ransomware incidents rose from 5,740 in 2024 to 7,793 in 2025—a 35 % increase year‑over‑year. More than half of these incidents targeted the transportation, energy, and manufacturing sectors, reflecting the high value attackers place on disrupting logistics and power supplies. In maritime settings, the report notes that 82 % of security alerts were concentrated in crew‑network zones, reinforcing the idea that user‑facing systems—such as email, welfare internet, and onboard communication platforms—are the primary attack surface. Once ransomware gains a foothold in these zones, it can move laterally to OT networks, potentially jeopardizing navigation, engine control, or cargo‑handling systems.
Strategic Recommendations from Marlink Leadership
Nicolas Furgé, President of Marlink Cyber, emphasizes that addressing these structural weaknesses requires more than simply adding new security tools. He advocates for an identity‑first security model that places strong controls around trusted access, including mandatory multi‑factor authentication (MFA) for all privileged and remote accounts, robust credential‑management policies, and continuous monitoring of authentication anomalies. Network segmentation between IT and OT environments is also critical to limit lateral movement should a breach occur. Furthermore, Furgé stresses the importance of aligning cyber‑security initiatives with operational infrastructure—ensuring that security policies are practical for crew members and site operators, and that awareness programmes are tailored to the unique challenges of remote, often isolated workforces. Continuous monitoring, threat‑intelligence sharing, and regular red‑team exercises are highlighted as vital components for maintaining resilience.
Conclusion: Building Resilience in Remote Operations
The Marlink Cyber Intelligence Report for Remote Operations 2026 paints a clear picture: cyber threats are increasingly exploiting the very trust that underpins modern digital operations. Compromised credentials, expanding IT/OT integration, and human error together create fertile ground for attacks that can disrupt safety, productivity, and revenue. To counter this trend, organizations must move beyond perimeter‑defence thinking and adopt a holistic, identity‑centric approach that couples strong technical controls with vigilant user engagement. By implementing MFA, enforcing strict access governance, segmenting critical networks, fostering a culture of prompt incident reporting, and continuously monitoring for anomalous activity, maritime, energy, and other remote‑sector operators can reduce their exposure and bolster the resilience essential for safe and reliable operations in an increasingly interconnected world.

