Last month Motor Transport in association with Bosch CyberCompare held a webinar looking at the growing problem of cyber attacks. These can leave a business crippled and facing demands for ransoms that could destroy its finances.
Many operators hope ‘it won’t happen to me’ and take a chance. Even those that believe they have good online security may find that the rapid advances by cyber criminals leave their defences vulnerable to attack.
James Hall, solutions manager at Bosch CyberCompare, said that 66% of attacks are looking for weaknesses in a supplier’s coding, 58% are looking to access data, more than likely to hold the company to ransom, and 62% resort to malware.
An IBM study has shown that 4% of all attacks were made on companies within the transport industry, making it the seventh most targeted industry in the past year, and in the year to June 2021 the industry witnessed a 186% increase in ransomware attacks.
“The sophistication of the attackers has grown significantly since then and, without a strong security posture, remediation costs will continue to rise,” said Hall, who went on to list the 10 key defence measures all businesses should adopt as best practice (below).
Stephen Hards, head of programme management and IT at the RHA, pointed out that the risk of cyber crime had increased significantly as a result of a growing reliance on technology.
“The challenge we face is how do we make sure that the companies we connect with are safe,” he said. “With the use of systems like route planning, telematics, ERP, CRM etc becoming ever more fundamental to your operations, it is important to make sure that the companies you partner with are not just cost effective but also hold the right accreditations to protect you and your data.”
A lot of operators say they do not have the budget to invest in proper cyber security but Hards pointed out that there is funding available to enhance cyber security, and that help is available from the National Cyber Security Centre website.
One of the biggest risks, however, is complacency and the hope that ‘it won’t happen to me because I’m not big enough to attack’.
“Unfortunately all operations are a target, big or small,” Hards said. “The days of teenagers in mum’s basement attacking companies for fun are long gone. These are multi-national, well-organised enterprises with massive budgets and it is all about volume. Everyone is a target.”
More customers are now asking their transport providers for evidence that they have security measures in place, especially government departments, and Hards listed a number of measures to help operators mitigate the risks. These include: educating staff on how to spot potential attacks; regular independent audits; partnering with specialists and experts; having a plan of what to do in the event of an attack and regularly updating it.
“Plan for the worst, hope for the best,” was Hards’ key message.
Paul Abbott, a former director of KNP Logistics, shared his experiences of the cyber attack which forced the business into administration.
“In my view it is probably one of the biggest risks to all businesses now,” he said. “Regardless of if you have ISO 27001 accreditation, off-site and remote back-ups, automated patching updates and ongoing staff training with frequent briefings on security, the risks of a cyber attack remain just as high.
“It is a case of when not if an attack will occur. Smaller businesses may be used as a gateway to other bigger organisations’ networks.”
Abbott warned that cyber criminals could have hacked into your network without you even realising, and it could be up to 14 days after the initial breach before they issue the first threat or ransom demand.
“They are in collecting data, extracting files and disabling security systems in preparation for that moment your business is disabled,” he said. “When that point comes they will issue a ransom demand and there could be a leak of sensitive data which will be offered for sale on the dark web.
“At this point you have to report to the Information Commissioner’s Office and fundamentally by then it is too late and the damage is done.”
The company will now be in survival mode and a plan should be formulated in advance to take the necessary steps. “This is a highly specialist area and it is unlikely that most businesses will have the technical expertise to cope with this,” he said. “Engage with a third party specialist who will send in a forensic team to isolate and contain the virus to prevent it spreading further.
“The entire network is potentially dirty and has to be closed down before being cleaned or replaced with new hardware. Communication is vital and your staff will be one of your strongest assets because you need to get the right messages out to customers.”
While many businesses have worked hard to reduce or eliminate paperwork, Abbott advised operators to start keeping paper records of key activities as a back-up to keep the business running, as it could be up to four weeks before online systems can be reinstated.
After painting this bleak picture of what can happen, Abbott re-emphasised that “protection is better than cure” and that it is better to bring in the experts to improve cyber security before, rather than after, an attack has happened.
He recommended choosing a cyber security provider carefully, as some had suffered breaches of their own defences. “It is important to engage with the right partners,” he said. “Encrypted access to storage, databases and the network is absolutely critical, as is ongoing testing and validation of the security measures you have invested in.”
Taking out specific insurance against a cyber attack is also “essential”, Abbott advised, “as the costs can be beyond eye-watering”.
“The cost of insurance can be relatively modest but it is effective.”
In conclusion he said that getting high level support from shareholders and senior management for the IT department’s cyber security measures was also vital.
Nehal Thakore, UK country head at Bosch CyberCompare, then turned to some of the solutions that can be applied to protect businesses from cyber attacks.
Started three years ago, CyberCompare is a vendor-independent service that advises companies on the most suitable cyber security solutions.
“Unlike other companies, we do not have commercial partnerships with vendors or providers of cyber security,” he said. “The risks are real but they can be managed effectively and you don’t need to rip out what you already have and start installing everything from new.”
The scale of the cyber threat facing UK businesses is staggering, with the cost put at an estimated £27bn every year, yet almost half have basic gaps in their cyber security skills.
Thakore urged operators not to be “the weakest link in the supply chain” as attackers will target smaller players who may be more vulnerable as a way to catch the bigger fish.
He advised operators to focus on plugging their biggest security gaps first and to have a roadmap, able to measure risk and driven by outcomes, to drive continuous improvement in security measures.
“We assist businesses in reviewing their overall security posture and capabilities and recommending actions to strengthen them,” Thakore said. “You need to constantly monitor security and it should not be a one-off exercise every three or five years.”
Picking the right partner can be a challenge, as the mushrooming level of threat has been matched by a burgeoning market for people selling solutions. “There are around 7,000 vendors in the world and more than 1,890 vendors in the UK,” Thakore said. “It is a constantly evolving market with new products and resellers that sometimes also provide insurance. This makes it a very complex market to navigate and it is challenging to plan your expenditure.”
Part of CyberCompare’s service is to identify the best three vendors to provide the right solutions tailored to your operation using a proven methodical four-step process.
“We carry out anonymous tendering on your behalf and once we receive the proposals from the bidders, we evaluate them, validate the companies and determine which are providing the best price to performance ratio,” explained Thakore. “This will make it easier for you to decide who to invite in for the sales pitch.”
For more information contact Bosch CyberCompare on Cybercompare@bosch.com and Paul Abbott on pa-abbott@outlook.com
Stephen Hards can be contacted via LinkedIn.