Cybersecurity panel takes center stage at Manifest

Updated Mar 8, 2024

“Cybersecurity isn’t down the hall. It’s an enterprise problem.”

With those words, Donald E. Hester of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) opened one of the most critical sessions at Manifest: The Future of Supply Chain and Logistics conference.

Manifest brought more than 4,000 supply chain/logistics professionals to Las Vegas for a series of sessions on issues critical to the supply chain.

National Motor Freight Traffic Association’s (NMFTA) Jim Mullen, chief strategy officer, and I were pleased to join with Hester and Steve Hankel, vice president of technology at Johanson Transportation Service, for a panel discussion about the critical importance of cybersecurity in the industry.

As much as we have focused on cybersecurity in this space, it was powerful to join with Hester and Hankel to bring the message home in front of such an important and strategic audience in Las Vegas – and for me, it was rewarding to represent NMFTA in such a public setting for my first time since joining the organization in November 2023.

I referred to Hester’s crucial quote when I started this column because the leaders of our industry must understand that cybersecurity is not primarily the concern of the IT staff, although they obviously play an important role in achieving it. As Hester said, cyber threats are an enterprise problem.

No one knows that better than the truckload or less-than-truckload carrier that’s been held hostage by a ransomware attack, or the telematics vendor whose vulnerability shut down a major customer, or the load board that got compromised because one person was fooled into entering their log-in data on an imposter site using a lookalike domain.

The insight the panel shared was so valuable, I would like to use this column to summarize the high points for those who missed it:

Start by identifying all your critical business processes

Hankel pointed out that when an organization sets out to tackle cybersecurity, identifying all of its business processes – and knowing which technology everyone is using – is a vital place to start. And remember, that doesn’t only include your own technology. It also includes that of your vendors, since some of the major attacks on carriers over the past decade have come through industry suppliers.

Once a company’s leaders understand their technology landscape, they can identify and address security vulnerabilities.

Employee education is essential

Hankel pointed out that any company, no matter how sophisticated its security technology is, can be a victim of a phishing attack. Johanson Transportation Service holds frequent phishing drills designed to test employee readiness. They will send a fake e-mail to employees asking them to take a certain action, which would be disastrous to the company if it came from a real hacker.

He pointed out that Microsoft 365 identifies recipients who open suspicious emails, aiding targeted training for vulnerable individuals.

Hester went into more detail about what’s known as “social engineering,” which is basically using deceptive social interactions to trick people into letting cyberattackers into an enterprise. An especially troubling example is the deep fake, which can create convincing audio or video that appears to be a trustworthy person giving a directive. In one case, a deep fake imitated the voice of a company CEO, leaving a voicemail that instructed an employee to verify a funds transfer.

For an example of just how convincing these deep fakes can be, take a look at this.

Threats from nation-states are on the rise

Hester shared information from recent congressional testimony by Christopher Wray, FBI director, and it should send chills down the spines of everyone in the trucking industry. When private actors launch a cyberattack, they’re usually after money. When a hostile nation-state launches one, it’s an attempt to cripple our nation’s critical infrastructure. And nothing exemplifies that more than the trucking industry.

Hostile nation-states have the resources and the expertise to mount large attacks, so the industry must be relentlessly vigilant.

This is one of the reasons API security is so important. When the technologies that connect the industry digitally are vulnerable, it becomes that much easier for hostile nation-states to penetrate our cyber defenses.

Test regularly, and don’t stop

Activities like table-top exercises and pen-testing show enterprise leaders where they are vulnerable. An investment in the services of white-hat hackers who can show you the leaks in your system – before the bad guys find them – will inevitably pay off in the form of attacks that never succeed. (And we recommend not going the cheapest route. Investing in the readiness of your company is important and should be treated as such.)

Don’t wait until you’re hacked to call CISA

Hester pointed out that CISA exists to collaborate with industry partners by doing assessments on vulnerabilities to cyberattacks. CISA also helps companies develop a business continuity plan in the event they are hit with something like a ransomware attack.

Cybersecurity is an everyday issue for the top executives of every enterprise. The more digitized the industry becomes, the truer that will be.

The time to make it a priority is today and NMFTA is here to help. Connect with us today at [email protected].

Joe Ohr is chief operating officer at the National Motor Freight Traffic Association.