Logistics industry leaders are sharpening their focus on cybersecurity as supply chains become more connected and digitized—and as threats from cybercriminals intensify in nearly every sector of the economy. Cyberthreats were listed as one of the top three business concerns among 1,200 companies surveyed by global insurance firm Travelers this fall in the leadup to national Cybersecurity Awareness Month, observed each October. The results echoed data from a Gartner survey earlier this year that showed a heightened focus on the topic in supply chain circles: 60% of nearly 500 supply chain organizations surveyed said that by 2025, they will use cybersecurity risk as a “significant determinant” in conducting third-party transactions and business engagements.
The topic is front and center in logistics largely because the supply chain is a prime target for cybercriminals, according to Dan Matney, a senior solutions architect and cybersecurity expert at supply chain consulting and technology firm enVista. Logistics and transportation companies are especially vulnerable because they can’t afford the downtime and delays that an attack or security breach brings, making them susceptible to hackers’ demands in order to get back up and running.
“We’re seeing very standard cybersecurity threats across pretty much all businesses, but the impact to logistics and transportation [is considerable]. That’s why [attackers] try so much harder in this industry,” Matney says, emphasizing the impact of costly disruptions that can have ripple effects throughout the economy.
Manufacturers are prime targets as well, and for similar reasons, explains Kirstin Simonson, cyber lead for global technology at Travelers.
“In many cases, a manufacturer’s systems need to be kept up and running 24/7/365. A cybercriminal could, for instance, use a malware attack to shut down systems to prevent a manufacturer from operating at all and disrupting the larger supply chain,” she says. “The cybercriminal could then request a significant ransom to restore the manufacturer’s operating systems.”
With the stakes so high, experts say it’s more important than ever to shore up your company’s cyber defenses. Here are three ways business leaders can make sure they’re on the right path.
The proliferation of technology on the manufacturing floor, in the warehouse, and on the road only exacerbates the risk of a cyberincident, as it creates more access points for cybercriminals to launch their attacks.
“Anything that’s connected to the internet can be hacked, and with the increase in internet-connected sensors, automated machines, industrial internet of things networks, industrial control systems, [and so forth], each of these creates a potential vulnerability or risk factor,” Simonson explains, adding that cybercriminals will leverage known vulnerabilities and look for areas they can compromise using methods such as phishing and malware. Phishing is an attack via email, phone, or text designed to lure people into giving up sensitive data or access to accounts or IT systems; malware is software that is intentionally designed to disrupt a computer, server, or network.
The experts at enVista point to other methods used to attack transportation, logistics, and manufacturing industries: ransomware, which involves encrypting sensitive data and systems and holding them hostage until a ransom is paid; distributed-denial-of-service (DDoS) attacks, which overwhelm a system’s resources, rendering it inaccessible to legitimate users; and man-in-the-middle (MitM) attacks, in which hackers intercept communications between two parties, gaining unauthorized access to sensitive data.
The first step in avoiding any of these attacks is to conduct a cyber-risk assessment, which can be done in partnership with IT vendors, a technology consultant, or an insurance provider. Simonson describes this as a process of identifying the critical points in a company’s network so that managers “know what you have and what you need to protect.” This includes identifying where all those access points are within the organization.
Matney agrees, adding that: “If you don’t have that first step, all the other implementations beyond that are pretty useless.”
It’s also important to conduct a third-party risk assessment, as the Gartner survey points out. This means working with vendors and other business partners to make sure they have adequate cybersecurity measures in place and contractual language outlining standards and how they will be enforced.
Taking that first step is becoming increasingly important: Nearly a quarter of companies in the Travelers survey said their company had suffered a cyberattack, with almost half of those occurring in the past 12 months.
The next step on the cybersecurity journey is making sure you have tools in place to protect against an attack—firewalls, antivirus software, encryption technology, and the like—and that all software and systems are up to date, which can help keep cybercriminals from exploiting IT weaknesses.
Physical security and access control are vital considerations as well.
“Whenever you’re dealing with getting into your building, that’s one layer. But past that front door, think about how [people can gain access] to critical information—the server room or the ability to plug into a port in the wall and [get] on the network, for example,” Matney explains. “Those are things folks don’t think about. Access control and physical security are the basics before we get into different technologies [for detecting and responding to potential threats].”
Simonson agrees, emphasizing the importance of making sure those who need access to secure systems have it—and that those who shouldn’t have access don’t. This means developing identity and access management plans as well as password management protocols. Those steps could include multifactor authentication, which adds a layer of protection for accessing vital systems, platforms, or applications; essentially, the process asks users for a third identification factor—an access code to be entered after a user name and password have been provided, for example—before a user can gain access to the system.
Building a defense can also include the installation of solutions such as endpoint detection and response technology, which monitors the physical devices connected to your company’s network to detect suspicious activity and respond to threats.
Companies should factor all of this work into a comprehensive incident response plan.
“This is no different than if you live in a fire-prone area or hurricane-prone area,” Simonson explains. “You build some kind of business resilience plan for that. [A similar plan] needs to be in place for a cyberevent as well.”
Many companies have a long way to go before they reach these goals, however. The Travelers survey showed that at least 25% of businesses have not taken essential steps, such as installing a firewall or virus protection and implementing data backup and password update protocols. A larger percentage say they don’t use endpoint detection and response (64%), don’t conduct cyberassessments for vendors (57%) or customers’ assets (56%), don’t have an incident response plan (50%), or don’t utilize multifactor authentication for remote access (44%).
Employee awareness is an important part of the defense strategy as well, and the good news is that most professionals say they understand the growing risk of cyberthreats in the workplace: 81% of respondents to the Travelers survey said they feel that having proper cybersecurity controls in place is critical to the well-being of their company, up from 78% last year and 69% in 2018.
Companies should capitalize on that awareness with proper training. For instance, enVista advises companies to regularly educate workers about cyberthreats, phishing scams, and best practices for secure online behavior, Matney says, adding that insufficient training and bad habits are all it takes for an attack to slip through the cracks in your defense system.
“A lot of the attacks [in this industry] are through phishing and bad links that have compromised an entire network,” Matney says. “[A lack of] training and awareness are probably the weakest links.”
Simonson adds that it’s important to get the entire organization involved in the cybersecurity mission—and to continually educate, evaluate, update, and adjust your company’s strategy.“Everyone has a role to play in a holistic approach to cybersecurity,” she says, adding that cyberattacks will only intensify as companies take a defensive position because criminals will step up their efforts to find ways around those defenses. “This isn’t something you can build a strategy for today, put it on a shelf, and it will magically work for the next five years. Companies need a living approach to cyberhygiene and cyberawareness. Fortunately, there are tools and information out there that can help.”