Three days into his new job as cybersecurity solutions architect at Hirschbach, Jack Smith found himself in the midst of a cyberattack that shut down all the company’s information systems.
Smith said there was no plan to follow, so his first step was to shut everything down and then kick off restoration efforts. The system was down less than 24 hours, but it was a disruption that almost sent the company back to an era of paper.
That’s what business continuity would look like for transportation companies if faced with a cyberattack.
Steve Hankel, vice president of information technology at 3PL broker Johanson Transportation, said his company regularly practices cyber-related business continuity. When the company upgraded to new servers, it used that time to operate from that perspective, working with employees to create manual workarounds.
“If you can't get into the program, you can record the loads, record tracking information, then when the system comes back online, you can enter that information back in,” Hankel told CCJ at the National Motor Freight Traffic Association’s annual cybersecurity conference held recently in Austin, Texas.
Smith said Hirschbach was ready to return to paper checks to ensure business continuity so drivers could get paid and take on new loads. He is now working on creating a business continuity plan.
Incident response
Hankel said Johanson has business continuity plans, disaster recovery plans and incident response plans.
“They all kind of work together,” he said. “Business continuity is obviously complex, and there are multiple parts, but having an incident response plan that also includes a communication plan, that's what you need.”
Johanson works with its technology team and every department twice a year to practice business continuity plans related to cybersecurity because most of its technology is in the cloud.
Johanson has a West Coast environment and an East Coast environment that it moves between in the event of an attack. Hankel said the company plans shutdowns of each environment to practice, having users from each department enter the other environment to verify that programs are working.
“Just in the last month, our entire system went down. We were able to move from the East Coast back to the West Coast in about two and a half hours,” he said. “We do these tests twice a year just to make sure that we're ready … let's say the West Coast data center gets hit by a cyberattack. We can spool up on the East Coast because we're constantly syncing data back and forth.”
It's something that has to be done regularly, he said, because everything in one environment may not necessarily be in the environment you’re moving to.
Tabletops and education
Another method of incident response is tabletop exercises.
Ronnie Thomas, vice president of technology solutions at Werner Enterprises, said his team gathers stakeholders from across the company and lays out a scenario for them to practice incident response.
“This is what happened at hour one. This is what happened in hour two. How are you reacting. Then we talk through that situation. When do we engage other parties? it's a real-world practice session,” he said. “We know that the threat actors are at the top of their game, and so we want to continue to practice and make sure we're able to respond quickly.”
In the same vein, he said it’s important to educate employees outside of the incident response team.
Werner uses vendors that simulate phishing attacks and analyzes who among its employees are more likely to click on a malicious link. That has led to great improvement across its associate base, he said.
Phishing is the most common way to deliver ransomware attacks. Ransomware attacks against transportation jumped 66% since 2022, according to a cyber threat intelligence report released by NCC Group in October. According to the report, there were 165 ransomware attacks on transportation organizations in 2024.
Thomas said if a user clicks on a link they are worried about, they typically notify the tech team immediately, which then spins up a security incident response team that locks down the machine and determines where to go from there. Werner also has monitors that check its logs constantly for bad actor activity within its systems, and they are notified if something looks suspicious.
In addition, Werner performs monthly security educational programs.
“Education is key,” Thomas said. “We can inform users what is the potential to go wrong, from everything from picking up a USB drive and putting it into your machine to the phishing alerts. We want to be able to help them understand what could happen and realize scenarios for that.”
Business continuity tips
According to NCC Group, ransomware attackers target transportation organizations of any size because the disruption of services, as well as encryption and theft of data, can be exploited to blackmail victims into payment.
That’s why Hankel said it’s important to have a plan.
To start, he said document the company’s major business processes to ensure there is a clear understanding of what the company does. From there, figure out what the dependencies are for each process: programs/technology, key people, vendors, etc.
“That's really where you need to start: get inventory of what each department does, and figure out what are the most critical ones, rating those mission critical,” Hankel said. “When someone clicks on the link, and you know that there's a cyberattack, you need to be able to think calmly … Have something documented so that you're not trying to start from scratch in the middle of a heated event because a lot of times, the longer it takes for you to respond, the more damage they're going to do.”
![Volvo Vnl Sleeper Review[20]](https://img.ccjdigital.com/mindful/rr/workspaces/default/uploads/2025/11/volvo-vnl-sleeper-review20.lrVppY9UDR.jpg?auto=format%2Ccompress&fit=crop&h=167&q=70&w=250)
