Getting stuff from A to B has never been more important or more in the public eye. And with the challenges of the pandemic, Brexit and spiking fuel costs, logistics companies are coming under increasing pressure around delivering on time and at low cost.
Unfortunately, cyber criminals don’t care about that, and if logistics companies are not prepared, they could easily fall victim to a cyber-attack. An attack through the company website is one of the ways that criminals could do it.
Criminals understand that logistics companies depend on a delay-free environment so that they can get their goods picked up and delivered quickly and efficiently. Anything that interferes with this will have to be dealt with straight away, as delays cost money and cause reputational damage – that means ransom demands against logistics companies are likely to be paid quickly and quietly to ensure goods transit remains unaffected. That makes them particularly sensitive to an attack and therefore more vulnerable to attack.
Recent Logistics and Transportation Cyber Attacks
There are plenty of examples of cyber-attacks affecting logistics and transportation companies in the past few months.
Hellmann Worldwide Logistics suffered a suspected ransomware attack in December 2021, which led to clients being targeted with fraudulent communications.
Expeditors International, the world's sixth-largest freight forwarder, reportedly shut down its computer systems after an attack limited its ability to manage customs and distribution activities. While they did not explicitly say it was a ransomware attack, the business did say it was restoring systems from backups, which is an indicator of that type of cyber-attack.
And in February 2022, IT infrastructure at ports in Belgium and the Netherlands was reportedly the subject of a cyber-attack.
It is worth noting that many such events are recorded as suspected cyber-attacks – this is because businesses try to avoid the reputational damage of such an incident by not reporting to law enforcement and in some cases denying that any attacks have occurred at all. However, when large firms are targeted the impact trickles down to SMEs who are connected to them in supply chain activities. Many of these smaller businesses can suffer great financial harm in these cases, and they're certainly not immune to cyber risk themselves. Because logistics and transportation is such an inter-connected industry, any one company faced with an attack can bring freight movement to a screeching halt.
But what does this have to do with my company website? Unfortunately, your website is a window out into the internet and is often a place that criminals will target to get into your network. And once they are in, the damage is done and your data may be at risk.
Common website cyber threats
Weak passwords so criminals just log in to your systems – no technical experience required but easy to fix from your point of view.
Your website isn’t updated with the latest security patches – criminals know when security patches are released and will look for those sites which haven’t been updated and therefore have a known security issue that they can exploit.
Your website is vulnerable to SQL injection attacks – this is a technique where a criminal places malicious code into SQL statements via web page inputs and could potentially destroy your database!
Your website is vulnerable to XSS (Cross-site scripting) attacks – this is where the criminal compromises the interactions that users have with your website or application.
Your website has insecure direct object references – this is part of access control implementation mistakes which can lead to access controls being circumvented and a criminal able to access your valuable data.
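An added example (not from the original article or from the ECRC) of the SQL injection and insecure direct object reference problems listed above, shown beside the fix for each, using Python's built-in sqlite3 module. The shipments table, customer IDs and function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample shipments."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE shipments (ref TEXT PRIMARY KEY, "
        "customer_id INTEGER, destination TEXT)"
    )
    db.executemany(
        "INSERT INTO shipments VALUES (?, ?, ?)",
        [
            ("SHP-1001", 1, "Felixstowe"),
            ("SHP-1002", 1, "Harwich"),
            ("SHP-2001", 2, "Tilbury"),
        ],
    )
    return db


def track_vulnerable(db, ref):
    # WEAK: the web form value is pasted into the SQL text, so a quote
    # character in `ref` changes the statement itself (SQL injection).
    # WEAK: no check on who is asking, so any reference can be read (IDOR).
    sql = "SELECT ref, destination FROM shipments WHERE ref = '" + ref + "'"
    return db.execute(sql).fetchall()


def track_hardened(db, session_customer_id, ref):
    # FIX 1: `?` placeholders keep `ref` as data, never as SQL.
    # FIX 2: the customer ID comes from the logged-in session, not the
    # request, and every lookup is limited to that customer's own rows.
    sql = ("SELECT ref, destination FROM shipments "
           "WHERE ref = ? AND customer_id = ?")
    return db.execute(sql, (ref, session_customer_id)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed form input containing a quote
    print("vulnerable:", track_vulnerable(db, crafted))
    print("hardened:  ", track_hardened(db, 1, crafted))
    print("own row:   ", track_hardened(db, 1, "SHP-1001"))
    print("other's:   ", track_hardened(db, 1, "SHP-2001"))
```
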
Do you know if your website is vulnerable?
The only way to really know is to pressure test your site.
But do you really want to know? Nothing bad has happened so far and if you don’t know about it then surely you can’t be guilty of not fixing it?
Ask yourself these questions:
How would the people that you represent feel if their sensitive data were stolen and sold?
How would your supply chain feel if their confidential data were leaked?
Would your customers have expected you to do everything you could to protect their data?
The ECRC offers members affordable web application vulnerability assessments. We work with university students who conduct the testing and provide you with a detailed report, explained in plain English, so you understand what the risks are and what you need to do to fix them. Find out more.
Is there anything I can do for free?
Sign up to the Eastern Cyber Resilience Centre – it's free and we will give you support and guidance around the areas that you need to consider in every aspect of your business to build your resilience.
Get your staff to check their details on haveibeenpwned.com – you can search for your email address and telephone number against data breaches, and if your details show up in them you need to change your passwords (everywhere you use the password). Once you have done this, implement strong password policies. Passwords should be unique and complex. Watch our short video for more information about this.
Enable two-factor authentication (2FA) on all your important accounts (email, social media, where you have financial information stored) – this will stop a cybercriminal from being able to access your accounts, even if they have your username and password from a data breach. You can find more about 2FA here: https://www.youtube.com/watch?v=OR53Y49gAmQ&t=1s.
Apply all security updates to your applications, systems, and devices.
Get some free staff training from either the National Cyber Security Centre or through your local cyber protect officer (contact us and we can refer you).
Further guidance & support
You can contact the Cyber Resilience Centre for guidance and support through our e-mail firstname.lastname@example.org or use our online booking system to make an appointment with one of our team.
We also provide free guidance on our website, and we would always encourage you to sign up for our free core membership. Core members receive regular updates which include the latest guidance, news, and security updates. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.
Finally, you may have access to some sort of IT support within your business and we recommend that you speak to them now to discuss how they can implement cyber resilience measures on your behalf.