Supply Chain Cybersecurity – Are Shipping and Logistics Companies at Risk?


In February 2022, the logistics firm Expeditors International of Washington got hit with a targeted cyberattack, forcing them to shut down nearly all of their global systems. Unable to operate normally without a working tech environment, the company couldn’t properly process orders for their customers. This ultimately led to a $2.1 million lawsuit by one of their customers, iRobot, who claimed they lost $900,000 in refunds due to their inability to get products into consumers’ hands.

As of May 2023, Expeditors International reported that the attack had cost them $47 million in extra charges. On top of that, they also paid an additional $18 million in costs related to investigating the incident and covering claims from customers who experienced shipping problems.

This is just one example of why hacking, ransomware and other cyberattacks represent some of the biggest ongoing threats to shipping and logistics organizations across the globe. We discuss below why you should be concerned about supply chain cybersecurity risks and what steps you can take to mitigate them.

Lack of Security = Major Business Risk

In January 2023, the World Economic Forum reported a concerning result from its then-recent survey: 93 percent of cybersecurity experts and 86 percent of business leaders believed a “catastrophic” cyberattack will happen by 2025 as a result of the current geopolitical climate. If that attack targets the global supply chain, the effects could be devastating for businesses of any industry.

“You can be taken completely offline,” says Wayne Crowder, IT and security expert at Shamrock Trading Corporation, parent company for Ryan Transportation. “We’ve seen cyberattacks in the last few years that took ports offline. So now you have ships that can’t get unloaded, which causes a big business impact.”

As we saw in the Expeditors International case, those business impacts can escalate throughout the supply chain. The average breach costs the organization it targets $4.35 million; add in the potential for customer data to be exposed (and the loss of customer and brand confidence that causes), and a single attack can devastate an entire organization.

Recent reports from May 2023 suggest that supply chain software attacks could cost $81 billion by 2026. What makes the issue particularly difficult to solve is the current lack of cybersecurity experts. In fact, some analysts predict that by 2025, more than half of significant cyber incidents will have a lack of talent as a direct cause.

So, in this environment of escalating risk and a shrinking talent pool, how can you protect your shipping and logistics organization from outside threats to your supply chain cybersecurity?

Start with Your Team

According to IT firm AAG, the most frequent type of cybersecurity breach in recent years has been hackers using stolen credentials, which accounted for 40 percent of breaches as recently as 2022. After stolen credentials, the two most common types of attacks were ransomware (20 percent of attacks) and phishing (also 20 percent). All three of these cyberattack methods have one thing in common: the human element.

Improving your security policies and educating your employees to help them spot potential malicious activity should be a major component of your strategy to mitigate supply chain cybersecurity risks. One of the biggest weapons in a hacker’s arsenal is social engineering. This involves gaining an employee’s trust in order to trick them into giving up highly sensitive information that the hacker can use to get access to critical business systems.

“My role [as a cybersecurity expert] is as an educator, first and foremost,” says Crowder. “Once everyone’s aware of the risks, you get what I call a healthy paranoia.”

For example, “scareware” flashes warnings on a user’s screen alerting them that their system is infected with malware; when they click on the warning, it prompts them to install software to remove the infection. Instead of cleaning up the nonexistent malware, however, the downloaded software either contains malware itself or gives hackers a backdoor into the user’s system.

By training your employees to spot fake security warnings and phishing attempts and enacting stronger security policies, you can reduce the chance that hackers use your team to get access to sensitive systems.

Improve Your Security Hygiene

It’s easy to fall into the trap of thinking that avoiding security threats requires expensive software or tools that are not affordable to organizations operating on tight budgets. However, you can tighten up the gaps in your system even with limited resources.

One of the simplest ways to mitigate cybersecurity threats is to ensure your systems are up to date, with vulnerability patches installed regularly. This can be easier said than done, however, especially if you’re using legacy or customized systems that are more difficult to patch.

The good news is that there are other things you can do to improve your organization’s online security. One example: multifactor authentication. By requiring a token in addition to a password for all logins, you make it much more difficult for malicious actors to gain access. Even if they’re able to trick an employee into revealing a password, they can’t get in without the token.

Another good supply chain cybersecurity practice is layering your security measures. For example, encrypt your data – but also ensure the encryption key isn’t stored on the same server as that data. Be sure to apply the same security protocols to third-party platforms or other tools that you apply to your main system. One example of this is developer tools attached to your system during updates or technical support. If those tools don’t also use encryption and multifactor authentication, they can become doorways into your more sensitive data.

This goes for hardware tools as well, such as company-provided laptops, tablets or smartphones issued to employees. These devices need strict security measures, like the inability to download software without approval.

Fending off cybersecurity threats is tricky, but combining education with good security hygiene can help reduce the chance that you’ll be the next ransomware or hacking victim. Even if you have a limited budget, employee education and strict security practices can dramatically reduce your risk.

“You don’t need the shiny object, the latest and greatest security tool,” says Crowder. “You really need to focus on the basics, and those basics often don’t have a cost other than training for awareness, processes and documentation.”
