Cybersecurity is like the COVID-19 virus, according to CarriersEdge CEO Jane Jazrawy. “If you’re not protecting yourself, you can get it. You won’t know it right away, and it’s going to be really detrimental when it happens. You’ll wish you could turn back the clock—but you can’t,” she said.
COVID-19 isn’t the only pandemic the world will face this decade, stated Christopher Krebs, former director of the federal Cybersecurity and Infrastructure Security Agency. “Considered a low-dollar, online nuisance crime only a few short years ago, ransomware has exploded into a multibillion-dollar global racket that threatens the delivery of the very services so critical to helping us collectively get through the COVID pandemic,” he said in testimony before the U.S. House Subcommittee on Cybersecurity in May. “To put it simply, we are on the cusp of a global pandemic of a different variety, driven by greed, an avoidably vulnerable digital ecosystem, and an ever-widening criminal enterprise.”
Cybercrimes have been around since the early days of computer networks in the 1970s. While these crimes have steadily increased in the decades since the U.S. Defense Department's Advanced Research Projects Agency Network (ARPANET) led to the internet, cybercrimes have reached a torrid pace since the COVID-19 pandemic changed the office work landscape in the U.S. Just last spring, the FBI reported a 300% increase in cybercrimes between March and May 2020. The transportation industry has seen similar surges in attacks this year, according to Ben Barnes, McLeod Software’s vice president of IT services and chief information security officer.
“We didn’t see a lot of attacks in January and February, but in March and April, the ransomware attacks have escalated in our industry, and we don’t know why exactly,” Barnes, whose company provides transportation and trucking software solutions, told FleetOwner. “But if we can map these patterns and know the same thing happened last year in March and April when we saw attacks go up, we’re starting to see a pattern.”
The May 7 ransomware attack on the Colonial Pipeline Co., which supplies 45% of the East Coast’s fuel, is one of the latest examples of a cyberattack’s power. The breach forced the company to shut down its four main pipelines between Texas and New Jersey, leading to fuel market concerns. Shortly after the attack, Colonial said it was breached through its corporate computer system.
The transportation industry has become a high-value target, Barnes said, because it is so big and “there is so much money changing hands every second of every day.”
If cybercriminals gain access to a fleet’s IT system and install ransomware, the company will face some complex decisions, Barnes noted. “A ransomware attack in our industry can easily shut down your business for three days. You can’t dispatch loads, you can’t pay drivers or conduct financial transactions of any sort, and you may not be able to use email,” he said. “Companies that don’t have an incident response plan in place may be looking at one or two weeks of inactivity. The impact on the business can be severe and lasting.”
More than 90% of cybersecurity problems originate from human error, according to Cybint, a firm that offers cybersecurity education and training for businesses. “That is human error on emails, people that left open or misconfigured their router or firewall and essentially left holes for attackers to come in,” Barnes noted as examples. “Human error can come from all over the place—it’s not just one area. It’s not just email. Education awareness can go a long way.”
Cybercriminals, he said, are like most other criminals: They are looking for an easy way in. He compared businesses to a bunch of homes on a cul-de-sac. “You don’t want to be the house with the doors open, no guard dog, no cars in the driveway,” Barnes said. “You want to be the house that has a security system and locks its doors. They are going to move on to attack the easier target. You don’t want to be the low-hanging fruit.”
How hackers use ransomware is evolving, according to Scott Hellberg, director of information security governance, risk and compliance for Sentry, an insurance provider for long-haul fleets and owner-operators. “At one point, ransomware was simply malware loaded into a phishing email,” he told FleetOwner. “With that, [the hacker] will gain access to the machine and encrypt it.”
Now, he said, cybercriminals are taking more of a “shotgun” approach where they don’t have a specific target. The goal is to get the malware on as many networks and machines as possible. Then, once the hackers have access to a network, they decide when to activate the ransomware. Cybercriminals are “betting on the fact that most people don’t do a good job with backups and have put themselves in a position where their data is one of the most important aspects of them being in business,” Hellberg explained.
Businesses without good data backup plans are most susceptible to being held at ransom, Hellberg said. If businesses do not have a good backup system in place, cybercriminals could force the organization to pay a ransom in whatever cryptocurrency the attackers want. A cybercriminal can lock up an IT system until the victim company pays for a “cyber key” to regain access to the data.
Sometimes this malware lies dormant in a company’s network or an individual computer. Barnes said it could become like a “pyramid scheme” for hackers once they gain access to a system. Along with selling access to various criminal networks on the dark web, cybercriminals like to go after the same organizations more than once.
“We’ve seen some midmarket and smaller transportation firms get hit multiple times,” Barnes said. “That is as baffling to me as any of this because if you got hit once, you’re on a list. Suppose [a hacker] has credentials to get into your system. In that case, that attacker can sell those credentials to another attacker—and that attacker will go and map out your network and find everything you have, and they will sell it to another attacker who will run ransomware on it. Well, each one of these sales puts that information out there for public knowledge, and that can be resold yet again.”
Companies that don’t tighten up their cybersecurity, make changes, or learn from the past are the companies most likely to get attacked multiple times, Barnes said.
“If a fleet hasn’t started thinking about cybersecurity yet, then they’re probably being targeted right now,” Jazrawy told FleetOwner. “It’s just too late now. You should be immediately starting something now if you haven’t done it because someone has probably found you. It’s crazy not to be doing something, and that something has to include both your backend systems and your people because that is how they are getting to you.”
Print a plan
Chris Sandberg, vice president of information security for Trimble Transportation, said that larger fleets tend to have better cybersecurity plans than smaller carriers. But no matter the business size, a company’s cybersecurity plan should start with examining its critical workflows, he said.
“Figure out what workflows are actually critical to your system,” he told FleetOwner. “Then make sure you document those workflows. I always encourage people to make sure that you print them out and redo this at least annually, if not quarterly.”
The printouts should include workflows and who has access to what information and network systems. The hard copies should also include procedures and phone numbers to call if there is a system breach. Sandberg suggests putting all of this critical information “in big red binders and put it everywhere.”
While creating these documents of company workflows and information, Sandberg said, fleet managers and executives will learn more about their critical processes, such as who has access to what within the system. “From there, make sure only the people that need access have access,” he suggested as a way to tighten control.
Most importantly, Sandberg said, have an offline system. “It can be something as simple as somebody writing a little [computer] script, copying the files to another file share that the main users don’t have permission to [access], which is what we call an offline backup,” he explained. “So, if someone gets infected with something like a CryptoLocker virus, they can’t screw up the backup.”
How often a company backs up its system depends on the business, Sandberg added. “It depends on the criticality,” he said. “If the business can accept losing a day’s worth of data, back it up once a day. If they can accept losing five minutes of data, copy it every five minutes. The criticality of the data is what drives the backup schedule.”
McLeod’s Barnes said it’s important for fleets to have a playbook ready in case they are attacked so they’re “not reacting in a panic.” He also suggested that fleets get cybersecurity insurance, which only 55% of U.S. businesses have, according to a 2020 study by Travelers.
Training and education
CarriersEdge’s Jazrawy said the most common risk to fleets right now is employees clicking on the wrong links in emails that look legitimate but lead to “a nasty website or downloads some sort of malware.” She said employees in her company had received emails mimicking Jazrawy that ask those employees to do a task for her, such as buying gift cards and relaying the gift card information back via email.
“Another time, I had a staffer get a fake email from me asking them to email back their phone number, claiming I needed to call them,” she said. “This was ridiculous because I already have everybody’s numbers. But if they send back their number, then [the phisher] tries to call you and take it further somehow.”
McLeod’s Barnes said he’s commonly asked how many clicks of a bad email link it takes to infect a company’s system. “One. It only takes one click if you open something bad,” he said.
All of this is done by cybercriminals who are trying to infiltrate companies through employees. “People are by far the weakest link,” said Jazrawy, whose company creates training programs for drivers and fleets. And a newer “people target” is truck drivers.
“The biggest risk that I see right now is that companies aren’t training their drivers because they think that the only people who need to be trained about cybersecurity are the people in the office because those are the people who are using the system,” Jazrawy said. “I think that’s a very dangerous way to think because the drivers might not be using your systems directly, but they are certainly talking or sending messages back and forth to the people who are using your system. What are they forwarding or doing without understanding?”
Barnes said companies are looking for a 100% guarantee that cybercriminals won’t get into their systems. “I don’t think that exists. You have to do the right things. Getting more preventative is like how you eat an elephant—you take one bite at a time. If you've done that and you look up and half the elephant is gone, then you're into some really good, multiple phases of your security approach.”
He added that those “first few bites of the elephant” aren’t going to cost a company a lot in their cybersecurity journey. Just having data backup systems can go a long way. “If you can’t 100% prevent an attack and an attack happens, what do you do?” Barnes said. “Having a good backup is No. 1. That doesn’t cost a great deal of money to set up, but you would be amazed at how many transportation companies don’t have reliable backups.”
Jazrawy said it doesn’t make sense just to train some employees on the dangers of cybersecurity. “It’s not just the company’s security; it’s people’s personal security,” she added. “They should all be educated on how to protect themselves—even when it has nothing to do with the company they work for.”
Most drivers, unlike office workers, are not spending much of their time online, and that can make them susceptible. “If no one explains to them what a phishing attempt looks like, they can get tricked,” she explained.
This can be a particular problem for drivers whose first language isn’t English, Jazrawy said. Since many attempted cyberattacks come from other countries, a native English speaker might more easily pick up on a scam because of poor grammar or spelling. “I’ve noticed that when there are issues, it tends to be non-native English speakers who fall for it because words are what is being used in a lot of these phishing emails. I think that is something to watch out for.”
Jazrawy said this is something she has noticed more recently and has been working it into the onboarding process for new employees. “I have had to show my staff pictures of phishing email examples and explain why I would never actually send an email like that,” she explained.
She said this is important for companies to explain to employees. “If you’re the owner of a 200-person company and you don’t talk or email with everyone every day, if someone sends a fake message from your account, an employee might not know it’s not from you,” Jazrawy said. “Because they don’t know how you sound in a day-to-day email, they might just automatically respond because they think it’s actually a message from the owner of the company.”
So Jazrawy created a graphic that shows new employees what type of emails she would send, including how she would greet the recipient (“I would never start a message with ‘Dear so-and-so’”) and even how she would sign an email. “So, they can very clearly see what I will say and what I won’t say.”
CarriersEdge offers a cybersecurity course for drivers that the company also uses internally for its own employees. “Everybody from developers to customer service goes through that course,” Jazrawy said. “And what we also do is when we get scam messages, we talk about them. We’re constantly sharing information about fake messages going around because they’re definitely increasing.”