An inside look at Estes Express Lines' cyberattack recovery

Estes Express leadership shares details surrounding a recent cyberattack.

It took Estes Express Lines (CCJ Top 250, No. 10) fewer than 20 days to return to full operations following a cyberattack that caused “an outage in our core infrastructure” in early October.

Estes Chief Information Officer Todd Florence said the company was fully operational within 18 or 19 days; communications were back up within four to five days; and customer systems that allow for processing new business were back up in seven to eight days. The Richmond, Virginia-based carrier continued to move freight throughout the recovery period.

In a recent media debrief, Florence and Estes CEO Webb Estes attributed the quick response to the company’s 22,000 team members, its security partner GuidePoint Security and the cybersecurity elements already in place.

“We noticed some, what I'll say, outside activity in our network on Oct. 1,” Florence said. “The first thing we did was – if there was a big red button, that's kind of what we pushed – we pulled all network connectivity, and we did that in an attempt to protect our employees, our customers, our partners and to give us a playing field from which we understood what was going on and where we could start looking.”

The outage in the core infrastructure was a result of Estes purposely shutting down network connectivity to address the cyber threat. Florence said Estes then implemented its incident response plan and engaged GuidePoint within 90 minutes following the shutdown to begin forensic analysis of the system’s intrusion points and determine which systems were and were not impacted. He said many of Estes’ systems were not impacted, including HR, financial, freight movement and safety platforms, allowing the company to continue operating and helping to soothe customers, partners and employees. Estes’ existing security measures like network segregation, for example, proved beneficial in keeping many of its systems online and helping speed the recovery process, he said.

“When you get into the tech aspects of it, having a good ERD platform that protected most of our systems (and) having immutable backups in those areas where we did have to restore, we could restore lots of systems simultaneously,” Florence said.

And for the systems that were down, the company targeted the most-needed systems for business continuity first.

“The things that took longer were from a prioritization perspective. Like, we had to be able to bring in freight and bring in orders before we had to invoice them. So understanding that business process was helpful in that space too,” he said. “Payroll, EDI (electronic data interchange), the ability to communicate with our customers, API (application programming interface), rating, quoting, those sorts of things, it was just all very well known, so we targeted those systems first if and where they had any impact throughout the event.”

Florence said his IT team will perform lookbacks on how it handled response to the attack so it can improve response going forward.

Many cyberattacks can take months to recover from. Although Estes said he is pleased with the recovery timeline, the company will continue to invest in cybersecurity and technology that will make recovery easier and faster should another event occur.

“Don't let a good crisis go to waste,” Estes said. “That's our job now is to make sure that we leverage it, not just for better security, but also just for a renewed emphasis on where we're moving with technology.”

He said being willing to spend money on new systems and processes in the first place is what helped the company recover so quickly.

And the company is recovering well in terms of money, too, Estes said.

Though he said he can’t share revenue before, during and after the attack, “pretty much all of our business is back … We are back hitting numbers that are up year-over-year.”

Angel Coker Jones is a senior editor of Commercial Carrier Journal, covering the technology, safety and business segments. In her free time, she enjoys hiking and kayaking, horseback riding, foraging for medicinal plants and napping. She also enjoys traveling to new places to try local food, beer and wine.