A vulnerability management (VM) program is probably not the first thing most trucking companies think of when they set their priorities. They’re concerned with maintaining vehicles, retaining drivers, working well with shippers and 3PLs, and managing issues like fuel costs, routing, delivery schedules and so forth.
That’s understandable. But if these companies realized how vulnerable they are without a patching plan or VM program, they might add patching to the priority list without sacrificing the others.
My hope is that this column will make you fully aware and spur others to take that action.
What is Vulnerability Management (VM)?
VM is simply a program to apply, in a timely manner, security updates called patches to all Operating Systems (OSs) within an organization. It’s merely the ongoing commitment to cybersecurity updates. We call it patching because the nature of a digitized world requires so many system updates, and that requires constant actions to address security holes.
This is one of the most glaring vulnerabilities that hackers exploit. They know that every trucking company’s operating system requires frequent updates, which means old patches have to be replaced by new ones. Some use Linux. Some use Microsoft. Often, you’ll see a combination of the two since many trucking companies have multiple operating systems.
The designers of these operating systems come up with updates frequently. Once a month is not out of the question. Microsoft has Patch Tuesday where they push out patches the second Tuesday of each month.
If only it were that easy
The trouble is that applying the patches is more complicated than merely telling your computer, “Okay, fine. Run the update.” Indeed, patching can break things if it isn’t done correctly. The average person who starts recklessly patching everything in sight can produce more problems than solutions.
Even though companies have automated tools, the use of the automated tools often requires someone who possesses system administrator skills. Also, the scans to determine what should be patched/updated is normally done during non-production hours like nights or weekends. Remember, hackers absolutely possess this level of skill, and they don’t restrict their hours to nights and weekends. They know exactly what they’re doing and they’re on top of it. They are typically more diligent about looking for security holes in your system than you are about closing them off.
A trucking company’s network typically has multiple systems that need to update their patches. They have multiple servers. They have a great many workstations. They have employees working from home with company computers.
From the perspective of a trucking company, executives who are trying to handle day-to-day priorities, it’s easy to understand why this doesn’t appear to belong at the top of the list. Not only does it concern a seemingly invisible threat, but it’s also complicated.
Varied threat levels
For example, there are different levels of what we security people call criticalities. All patches are important, but they can be categorized as low-, moderate- and high priorities. And within those three groups, you have some elements of your system that are Internet-facing and others that are not. If something is Internet-facing, you need to patch it as soon as possible. If it’s high-priority and Internet-facing, you need to patch it right now.
That’s because anything Internet-facing presents a clear path into your network for hackers. And the hackers will find the unpatched security hole. It’s what they do.
Elements of your system that are not Internet-facing, and are low or moderate priority, afford you a bit more time. But we’re talking about a difference of 14 to 30 days. We’re not talking months. Some things are more exploitable than others, but anything that’s left unpatched for long will give hackers a way in. Once they’re in, your entire enterprise is in serious jeopardy.
And that jeopardy doesn’t only come in the form of hacking vulnerability, as serious as that is. Many trucking companies have wisely obtained cybersecurity insurance, but they unwisely think that means they have nothing to worry about in the event of a cyberattack. Which is why it’s important to read your policy.
If you are not regularly patching your system, you may be giving your insurer a pretext not to pay your claim if you are hacked or your insurer could reduce your claim payment or raise your premium. Again, read your policy.
Why prioritize the patch plan?
An ordinary IT professional can handle things. But the enterprise has to prioritize the task and has to make whatever accommodations are necessary to get it done. Sometimes the IT pro might need access to someone’s workstation when it’s not the most convenient time. Sometimes the team might have to be patient about updates being run and many times the computer system needs to be restarted in order for the security update/patch to take effect.
The IT pro needs to remain on a constant schedule for successful vulnerability management. That includes testing new patches as they come out, to see if they introduce issues into the company’s system. It requires a plan to restore the system back to its original state if the update fails or causes issues.
The right approach to patching is to set priorities, test the patches, address the highest Internet-facing priorities first and maintain a commitment to keeping everything on schedule.
The wrong approach is to put it off because it doesn’t seem all that urgent, or to do it without really having the skill to do it safely and effectively.
Because believe me, hackers know how to blast through those security holes and they know how to cripple your system once they get in. You’d better have someone on your team who has the same level of skill – and wants to protect your system every bit as much as they want to take it down. The end result of not having a VM program and patching could be catastrophic.
I’ll be co-hosting a complimentary webinar on November 16 that will be all about vulnerability management. Visit www.nmfta.org/nmfta-events or follow NMFTA on social media to register for this event.
