As trucking continues to rely more heavily upon an ever widening array of digital connections and pathways to conduct business—everything from the personal smartphones of drivers to telematics systems and electronic freight manifests—the greater the need will be for improved cybersecurity. And many experts agree that constructing vastly improved cybersecurity policies can’t happen fast enough.
“Back 10 or 15 years ago, a lot of hacking into electronic networks occurred simply for the sake of curiosity. Today, though, it’s being driven by highly organized criminals seeking to gain significant ROI (return on investment) for their efforts,” explains Jarad Carleton, principal consultant for the information and communication technology practice at global research firm Frost & Sullivan.
“In particular, cyber criminals are targeting small- and medium-sized businesses because they are the ones most likely to have cash in the bank,” he says. “Because smaller firms don’t have the same kinds of credit lines big companies do, they tend to rely more on cash reserves. That’s why you see a lot of focus on them.”
In trucking, the move towards creating false pickups to steal cargo represents a new twist to the ROI focus. For criminals, hacking into networks to acquire shipment information in order to facilitate a false pickup entails a far lower risk profile than physically hijacking a tractor-trailer outright.
“The ability to know where a specific shipment is—especially for high-value goods like electronics—makes it easier and more profitable to steal than randomly taking a tractor-trailer on the street,” Carleton points out. “You really have to think about cybercrime as a business now. They want to maximize ROI and minimize risk for their activities.”
“Attackers look for the easiest means of compromise. That’s why attacks are moving from more security-mature organizations down to less mature, typically smaller partners,” notes Dylan Owen, manager for cybersecurity and special missions at Raytheon. “Attackers can exploit the trust relationships between companies to infiltrate well-protected targets through supply chain partners with less security experience.”
Owen helped author a report on this issue. In “Taking Charge of Security in a Hyperconnected World” published by RSA, the security division of EMC, he notes that efforts to improve readiness and response capabilities to cyber threats must be driven by organizations recognizing the need to assume broader responsibility for protecting themselves and their business partners.
“We believe organizations are taking a stronger interest in improving security not only to protect their information assets, but also their business relationships,” adds report co-author Art Coviello, who serves as RSA’s executive chairman and executive vice president at EMC. “As more organizations take a broader community-minded view of their risks and security practices, information security will improve for all of us.”
RSA’s report discerned several common problems that contribute to the majority of cybersecurity breaches, including:
- Neglecting “security hygiene.” In forensic evaluations following security attacks, missed software updates frequently surface as exploited vulnerabilities.
- Relying exclusively on traditional threat prevention and detection tools. Most security teams still wait for signature-based detection tools to identify problems rather than looking for more subtle indicators of compromise on their own, even though traditional firewalls, antivirus scanners and intrusion detection systems (IDS) cannot discover the truly serious problems.
- Mistaking compliance for good security. Most compliance mandates reflect best practices that should be interpreted as minimum standards, not sufficient levels, of security.
- Inadequate user training. Many companies don’t invest enough time and resources in user training, even though users today are the first line of defense against many cyberattacks.
Broad risk
Don Hsieh, director of commercial and industrial marketing for Tyco Integrated Security, stresses there’s another component not to be overlooked when strengthening cybersecurity: limiting the physical access to computers and other sensitive data centers.
“Who has physical access to the data is critical to assess,” he emphasizes. “It starts with determining who needs the data to perform their job, and then establishing policies to ensure only those specific positions can gain access to such information.”
Hsieh notes that tagging certain job titles to specific zones such as dispatch, operations, warehouses and loading docks is another step toward improving the physical security of trucking operations, which in turn can aid in cybersecurity efforts.
“Most cargo thefts don’t just happen randomly anymore. Thieves are now often targeting specific loads based on specific information they steal or have stolen for them,” he explains. “That’s why there’s a physical component to cybersecurity now.”
Curt Shewchuk, chief security officer for transportation conglomerate Con-way Inc., also points out that cybersecurity is not a stand-alone issue when it comes to his company’s risk assessment strategies nor is it an issue that’s solely the purview of information technology (IT) experts.
“Cybersecurity is a basic part of our overall business risk assessment process,” he notes. “We really focus on everything that touches cyberspace in our business, be it smartphones and other mobile devices up to the backbone IT systems and servers handling our corporate administrative needs,” he notes.
Shewchuk says Con-way dedicates what he calls a multi-faceted team to handle cybersecurity issues. The team includes subject matter experts (SMEs), members of the carrier’s legal and human resource department, and operations personnel.
“All of those different disciplines need to work together on a formal basis when it comes to cybersecurity because this is an issue that touches every part of our business,” he explains. “It can impact the privacy of our personnel records, employee health records, our company’s financial data, our business records, even customer information. Cybersecurity really is an overarching piece of how we deal with the risks facing us in the trucking business.”
Building protection
Yet that perspective is not exactly widespread among the business community as a whole, according to a recent survey conducted jointly by software maker McAfee, a wholly owned subsidiary of Intel Corp., and Office Depot. A poll of 1,000 small and medium-sized business (SMB) owners as part of the Office Depot Small Business Index found that 66% of those surveyed feel confident that their data and devices are secure and safe from hackers; 77% responded they haven’t been hacked.
Those results are at odds with industry research that has revealed these same businesses are prime targets of complex and evolving cyber threats, notes Bill Rielly, senior vice president of small & medium business at McAfee. According to Verizon Communications’ forensic analysis unit, 72% of data breaches investigated are focused on companies with fewer than 100 employees—a discrepancy suggesting that many SMBs are not aware that they’ve been attacked.
“A business that doesn’t have any security measures in place is putting its data and the trust of its customers in jeopardy,” says Rielly. “As enterprises have increased their security defenses, hackers have started to target their attacks downstream to SMBs.”
The McAfee/Office Depot study also found that:
- Only 9% of SMBs use endpoint/mobile device security
- Roughly 80% don’t use data protection
- Less than half use email security
- About half use Internet security
- Some 45% of SMBs do not secure company data on employees’ personal devices
- Fewer than 14% of those polled haven’t implemented any security measures
Obtaining customer information, such as credit card numbers that can unlock an individual’s finances, is often the main goal of hackers. As expected, businesses that maintain and store large amounts of such information are being targeted more frequently by cyber criminals, even in the transportation industry.
A study by Javelin Strategy & Research entitled “Data at Rest is Data at Risk: Confronting a Singular Threat to Three Major U.S. Industries” reveals that the retail, financial and healthcare industries are “high-risk targets” of cyber criminals because of the customer data repositories they maintain.
“By breaching the data stores of businesses in the financial, healthcare and retail industries, criminals can obtain the fuel they need to execute various fraud schemes—and these crimes have crippling consequences,” says Al Pascual, senior analyst of security, risk and fraud at Javelin.
“Identifying and protecting the sensitive information typically stored by these industries is essential for mitigating the risk of a data breach and, therefore, the risk of financial loss to data custodians, consumers and third-party businesses,” he stresses.
According to Javelin’s research, retailers will remain prime targets for payment card breaches and fraud as long as payment cards remain a commonly accepted and popular payment method. Similarly, financial institutions will continue to be a top target because of large amounts of client data they store, including account information and payment card data.
Javelin’s advice for businesses to better protect data centers around four critical pillars of cybersecurity:
- Locate and identify sensitive data. Sensitive data is any data that has value to the organization or can expose it to risk if compromised. Sensitive data should include consumer bank account information, payment card data, Social Security numbers, and other types of personally identifiable information, as well as trade secrets.
- Classify sensitive data accordingly. Categorize the information using a naming convention appropriate to the organization. This step can ease efforts to control the access, routing and storage of different types of data.
- Secure data based on risk profile. Deploy security measures commensurate with the risks related to the loss of respective categories of data.
- Develop policies to mitigate data management issues. Implement and enforce policies designed to prevent unprotected data from being stored outside of approved locations.
Central focus
Government entities, especially at the state and municipal level, also need to take similar steps to guard customer information, adds Srini Subramanian, a principal at global consulting firm Deloitte & Touche LLP, and leader of its state government security and privacy practice.
“The programs and services they deliver have become enormous repositories of citizen data. As such, the privacy of individual citizens is contingent on adequate IT safeguards,” Subramanian explains. “Citizen trust in government is severely impacted when the data is compromised; hence, it is not just an information technology issue but an issue that could adversely impact elected officials and the credibility of governments.”
It’s a worrisome issue because less than one-quarter (24%) of the 50 chief information security officers (CISOs) polled are very confident in the ability of their states or U.S. territories to guard data against external threats, according to the most recent Deloitte-National Assn. of State Chief Information Officers (NASCIO) Cybersecurity Study.
Deloitte’s survey indicated some of the concerns expressed on the government side of the cybersecurity issue mirror those of private industry, including:
- More than four out of five (86%) CISOs reported that insufficient funding posed the most significant barrier to addressing cybersecurity issues at the state level.
- The inadequate availability of cybersecurity professionals ranked among the top five barriers to addressing cybersecurity.
- Despite the significant rate of turnover since the initial survey (31 new state CIOs and 22 new state CISOs since 2010), the challenges reported in the survey are remarkably similar, highlighting ongoing issues within state offices of information technology.
- A parallel survey targeting a limited cross-section of state business and elected officials shows that 92% of respondents ranked cybersecurity as “most important” or “very important.”
Elaborate and sophisticated cyber threats are keeping CISOs up at night, Subramanian points out. More than half (52%) of those responding to Deloitte’s poll list increasingly sophisticated threats as a barrier to addressing cybersecurity. In fact, CISOs list the top four threats having the greatest impact on state governments as phishing, pharming and other related variants; social engineering; increasing sophistication and proliferation of threats such as viruses and worms; and mobile devices.
The cost of cyberattacks isn’t small, either, as Deloitte estimates security breaches inflict an estimated $1 million to $5 million in damages per incident for some states.
Con-way’s Shewchuk says cybersecurity is expected to remain a central focus for his company for some time—mainly because of those reasons. “The steps we’re taking at Con-way include trying to mitigate cyber intrusions on the front end while making our back-end systems more secure,” he explains. “We’re also trying to be more intuitive about both continually emerging as well as fixed threats.
“That’s why we work in close partnership with both government agencies like the Dept. of Homeland Security and private industry groups like the U.S. Chamber of Commerce to keep a high awareness of developing cyber threats,” he continues. “ That will be our focus for the foreseeable future.”