How carriers can avoid cybersecurity danger from outside vendors
Every month, we discuss steps trucking companies can take to protect themselves against cyberattacks. From employee training to regular software patches to multi-factor authentication (MFA) and table-top exercises to test their systems, the National Motor Freight Traffic Association (NMFTA) offers many action steps. We know the companies that follow this advice are much more likely to avoid breaches, and we have seen trucking companies improve in these areas.
But there’s a problem
The various players in the trucking industry are more interconnected than ever. Carriers rely on a variety of vendors to keep their business running. Because the industry has become increasingly digitized, carriers and their vendors are almost certainly going to be digitally connected via application programming interfaces (APIs) and other methods.
A carrier can do all the right things, but if a key vendor fails to be vigilant about its own cybersecurity, the carrier can still fall victim to a breach that jeopardizes everything from its data to its financial security and its reputation. Even the ability to operate its trucks may be at risk if hackers can manipulate the vehicles’ telematics systems, sensors, or onboard diagnostic systems.
The solution here is for every carrier to have a robust third-party risk management (TPRM) program.
This is an issue NMFTA recently highlighted in a webinar, and it will also feature prominently at this year’s NMFTA Cybersecurity Conference from October 27-29 in Cleveland, Ohio.
The recent webinar featured Dr. Erika Voss, vice president of information security at DAT Freight & Analytics. Voss presented a detailed look at how trucking/supply chain companies can design and implement a TPRM program that works for them.
Voss urged carriers to be vigilant in monitoring their interactions with both contractual and non-contractual third parties. It starts with understanding how much of your data each external party has access to, but it also involves knowing the relative health of each third party.
That includes financial strength, since you don’t want an outside company that’s in possession of a large volume of your data falling into bankruptcy. It also includes cybersecurity strength – getting a full understanding of the steps this company has taken to protect itself, and by extension, your company.
The need becomes even greater when a company’s supply chain reaches multiple tiers. Voss shared a previous experience in which she dealt with a vendor map that was seven tiers deep. Even the vendor seven tiers removed from the company at the top was in possession of that company’s data. Many trucking companies may feel as if there is nothing that they can do to control the risk of their data being shared with third, fourth, and fifth parties. However, a TPRM program can help.
Developing a solid TPRM program requires a serious commitment, most critically requiring the buy-in of executive leadership, along with a deep dive into the supply chain to understand where the greatest vulnerabilities may lie – and continued monitoring of the effort including steps like table-top exercises to game out scenarios and make sure the process works.
Voss also offered some specific pieces of insight:
Automating responses to third-party incidents
Too many organizations, she said, only have manual processes – which can be faulty and too slow to action.
Getting serious about the right kinds of technology
“Give up your spreadsheets once and for all,” Voss said, adding that many companies are still using such rudimentary platforms to chronicle their risk factors. “It’s 2024,” she said. “Let technology help you.”
Building a single source for the truth
Many companies, she said, use overlapping tools that present foggy and sometimes contradictory pictures of a company’s third-party risk situation. She urged companies to consolidate all such information into a single platform that speaks with a clear voice.
Don’t just assess third-party risks. Remediate them
It’s not enough, Voss said, just to recognize vulnerabilities. Companies have to put plans into action to remediate those risks so they really will make themselves more secure in today’s business environment.
Third-party risk management is one of the most critical challenges facing the trucking industry in 2024, which is why we intend to deal with it extensively at this year’s Cybersecurity Conference. If you’ve never attended the conference before, this year’s edition in Cleveland is a great time to start. It’s two full days of presentations from industry leaders, cybersecurity experts, and strategically selected public officials who are at the front line of the trucking cybersecurity effort.
Last year’s conference featured key leaders from the U.S. Secret Service, the FBI, U.S. Department of Homeland Security, and many others.
It’s not too early to make hotel reservations and get up to speed on the details. Late October is less than six months away. The next cybersecurity challenge your company faces could be right around the corner, and NMFTA is focused on giving practical and actionable guidance for busy trucking companies.
Get started now on a TPRM program, and maybe by October you’ll have the chance to share what you’ve accomplished with the rest of the conference. We all need to keep learning, because the hackers certainly never stop trying to find ways to compromise us.