Chris DeMillo, head of information technology at the 500-truck Leonard’s Express out of New York, remembers a three-day period in June 2017 vividly. “Like it was yesterday,” he said. That was when he realized Leonard’s networks had been exposed in a phishing attack, and malware had made its way across the company’s networks, touching nearly all points of the operation over a three-day period.
“At one point we brought everything down that was plugged into an outlet,” DeMillo said. “We were running on phone calls and paper notepads.”
The company was able to fight off the attack and restore its operations in those three days without major ramifications, other than lessons learned.
Fortunately, said DeMillo, it wasn’t a ransomware attack – one that holds data for ransom until a company pays. Rather, it was another, less dangerous malware that sought to mine the company’s data, potentially to steal it and sell it on the black market.
Attacks like the one Leonard’s experienced in 2017 are growing more pervasive and more costly. An attack can cripple a trucking company’s ability to operate and expose its most sensitive data to criminals. And as the recent high-profile cyberattack launched against the U.S. government and companies like Microsoft and Visa reveals, even the most sophisticated organizations can be at risk of a breach.
That attack on the federal government and businesses raised awareness, said Luis Rodriguez, chief information officer at asset tracking firm PowerFleet, among the company’s fleet customers about potential vulnerabilities in their systems. “It woke up a lot of people,” he said.
Research conducted by cybersecurity and antivirus software firm Bitdefender suggests small and medium-sized businesses (SMBs) this year will face a record number of data breaches, as misconfigurations and unpatched vulnerabilities exposed by the transition of employees to work from home create security blind spots and become the hunting grounds for would-be cyber attackers.
Security and privacy were ranked by global IT leaders as their top technology risk in 2021, according to a survey by Protiviti and ISACA, with "cyber breaches" listed as the top concern. Similarly, two-thirds of respondents to Frost & Sullivan's IT Decision Makers Survey said remote working brought on by the pandemic had a significant impact on their business, and more than a third noted dealing with security concerns was their top challenge in the next two years.
"Transformations occur and security just gets left out, or gets left behind," said Kevin Cross, vice president and chief information security officer for Dell Technologies’ Security and Resiliency Organization.
Kevin Linardic, chief technology officer for LTL and final mile TMS provider Carrier Logistics, said 95% of all security breaches are the result of human error, with cyber attacks occurring in some form every 39 seconds.
Google flags 18 million phishing attacks every day, and according to the AV-TEST Institute, the number of malware programs has climbed from around 65 million in 2011 to 1.1 billion by the end of 2020. Patrick Morley, senior vice president and general manager of VMware's Security Business Unit, said his company analyzes 1.3 trillion security events every day across its customer network. Companies started to study their security vulnerabilities more heavily after the first three or four months of the pandemic, he said, having spent the early onset of the coronavirus spread simply preparing systems for remote work.
"We've definitely seen this event forcing organizations forward," he said, "to dramatically rethink security."
To develop a security plan, Cross suggested companies step back and plan based on risks and threats.
"Is what we're currently doing still working?" he asked. "If you had a ransomware attack tomorrow, how would you handle that?"
But simply having a security plan in place isn't enough. Cross said everyone in the organization has to understand it and the role they play in it. "There's a marketing element to it," he said.
After the malware attack Leonard’s faced in 2017, ongoing education of the company’s associates became a primary focus, said Mike Riccio, the company’s chief marketing officer. “It was assumed that cybersecurity was an IT issue prior to that situation. What that situation did was bring to the forefront that it’s everybody’s issue,” he said. In addition to ongoing training, the company also performs phishing testing of its employees as a training tool.
“Security by obscurity is not the best protocol,” said Linardic. “It's being vigilant from the president down, having that strong security corporate culture.”
Also, in today’s environment, hiring a third party to perform penetration testing on a company’s network is paramount, said PowerFleet CEO Chris Wolfe. “There are third parties that will do penetration testing on all layers of your architecture,” he said. “Those tests are intended to find weaknesses and vulnerabilities before criminals do.”
PowerFleet, even with its robust infrastructure, “had six months of work to do” after it hired a third party to perform penetration tests.
It was also a step taken by Leonard’s when it overhauled its systems after the 2017 compromise. “They came in and exposed everything and showed us where we’re vulnerable,” said DeMillo. “That was something we never did before. Not that we didn’t find value in it, but we thought we were protected.” The company also created cloud-based redundancies with its data, invested in more security protection programs and developed plans for what to do if it is hit again.
While some attacks, like ransomware – which Linardic said is the No. 1 cyber threat carriers face – are designed only to disrupt a carrier's day-to-day operation, others seek to crawl their way into networks of information and extract that data for use in subsequent attacks – as was the case with Leonard’s Express.
"It's all about data," Linardic said. "Once they have your data, they can hold it hostage. They could even use it simply to get to other people's data – your customer's data. People say, 'Why do I care about me? I'm just this little transportation company,' but your data is valuable – invaluable – and your customers are invaluable to [hackers]."
Practically everything we touch generates some kind of data – a connected vehicle, for example, can generate and consume more than a terabyte of data through onboard cameras and sensors per hour – but in order for companies to insulate themselves from attack, Bernard Marr, founder of Bernard Marr & Co., an independent think tank and consulting organization, suggests being calculated about the kind of data that is collected and stored.
"Treat data as a strategic asset for the organization," he said.
He suggests being clear about what data companies want to keep, how it will be used, and making a plan to "collect 20% of the data that's going to make 80% of the difference." Make use cases for every bit of data, he said, and identify "how does it help us with our business, and should we be collecting it in the first place?"
Linardic advised carriers not to be lulled into a false sense of security simply because they've migrated hosting duties to a cloud-based platform, adding it's important to evaluate the age of cloud software and ask providers what they are doing to protect their end customers.
“It requires constant vigilance,” said Riccio.
PowerFleet’s Rodriguez agreed. “You’re never done,” he said. “It’s a constant process. Hackers get smarter, their tools get smarter. It never ends.”
This is the first part of a two-part series. Read the second installment next week.