Maximising cyber-security in logistics

Every 10 minutes an Australian individual or business reports a cyber-crime[1], costing them more than $33 billion per year[2]. Australia is not unique; worldwide, the cost of cyber-crime has tripled in the past 5 years from $1 trillion in 2016 to $3 trillion in 2021[3].

As technology has pervaded our personal and professional lives – and indeed as the line between the two has blurred – opportunists have honed their hacking skills, developed new and sophisticated malicious programs and increased their number of attacks and rate of success.

Business has tried to keep up, with cyber-security spending in the United States more than doubling between 2010 and 2018 from $27.4 billion to $66 billion, but they remain frighteningly vulnerable. Even government departments – symbols of national sovereignty and security – have been victim of cyber-crimes and attacks.

In 2019, the personal identification of more than 1,000 FBI agents, along with that of other US law enforcement agencies was hacked and stolen[4]. Closer to home, the Federal Parliament of Australia was disrupted in 2021 when an attacker tried to compromise the Department of Australian Parliamentary Services’ IT system[5].

Cyber-risk in the logistics industry

Government departments aren’t the only juicy target attracting cyber criminals. Healthcare, manufacturing, financial services and transportation are among the most cyber-attacked industries[6]. Technology has played a particularly transformative role in the logistics industry over the past 5-10 years.

Providing visibility of a supply chain from end to end, logistics technology can deliver a range of benefits, ultimately improving supply chain efficiency. However, it also poses risks which need to be managed. If your logistics platform is attacked, potential impacts include operational disruption, customer data theft, financial theft and reputational loss.

Adversaries take many forms. It could be a state-sponsored espionage team equipped with extremely sophisticated technologies and methods; cyber-criminals seeking to steal customer credit card numbers or monetise identification information; or so-called ‘script kiddies’ – amateurs who use others’ computer scripts to exploit weaknesses in a target’s systems for the ‘thrill’ of it. Regardless of their motivation, these cyber-criminals seek to compromise networks, cause harm and steal information.

This is why it’s critical that when you engage a logistics provider you ensure they have cyber-security as a top priority and a suite of measures underpinning that mission. Cyber-security – as complex and sophisticated as the attackers have become – can no longer be taken for granted or relegated to the IT department. As tech giant Amazon says, cyber security is a shared responsibility. It takes everyone to stand united and strong against a potential attacker.

Here’s what you need to look for in your logistics technology partner to give your company and your customers’ data the strongest protection against cyber-crime.

Good cyber-security hygiene

Companies – and their logistics partners – must get the basics right in securing routers and servers. Cyber criminals can easily take advantage of software or operating system weaknesses by writing malicious software (malware) to target vulnerabilities. Once in your system, the malware can steal data saved on your device or allow the hacker to gain control over your computer and encrypt your files. Common vulnerabilities include failing to apply updates and patches (which cover security holes) to applications and operating systems, poor web coding and failing to restrict access to sensitive information.

The team behind efm’s proprietary software program, OneFlo, defensively code and routinely monitor and patch to remediate discovered weaknesses. In addition, efm deploys two-factor identification and log-on authorisation for team members so that our servers are harder to access. The efm team also operates with constrained permissions that prevent any one account from having access to all the company’s highly sensitive infrastructure and information.

Strong passwords

Passwords are the first line of defence against cyber-crime. There are two cardinal rules with passwords: 1) Make it cryptic and 2) Do not share your password. To the first point, you want to create a password between 12-15 characters with a mix of lower and uppercase, numbers and symbols. Consider using a password manager like 1Password or lastpass to create and store strong passwords.

Secondly, and very importantly, particularly for warehouse teams who may have 10 or more people managing shipments, it is imperative not to share passwords between users. Passwords stored insecurely – such as on a dreaded post-it note stuck to the computer monitor – is prone to theft, which increases the risk exposure of your private information and your accounts. Further, if the password is not changed when someone leaves the company, they will maintain access to your company data and services. With OneFlo it is possible to set a specific password for each user and we strongly recommend you use this feature.

Company culture

Employees must be aware of cyber-security procedures and understand the implications of unsafe practices. This ranges from having the skills to identify a potential phishing attack – an innocuous-looking email designed to steal personal information – to owning up when they click the link. A culture of security and honesty means people are more likely to self-report a mistake and the threat can be quickly and effectively addressed.

Quality software engineers

Cyber-criminals are constantly looking for a chink in a company’s digital armour. Some of those chinks appear in the hardware; some appear in the very software of the program you are running. This is why the quality of the code is an important factor in security. Although high-quality code is not necessarily secure (it takes a range of factors to bolster your defence), poor quality code is more difficult to secure. Therefore, the quality of the engineers behind the software programs is very important. The team that manages efm’s OneFlo is comprised of highly experienced and quality software engineers, led by experienced ex-Amazon techie, Keith Bawden.

Secure infrastructure

At the heart of any organisation is a suite of technology infrastructure - servers, services, network equipment etc - which allows users to access information or functionality, often remotely. Servers, services, and infrastructure are frequently targeted by cyber-criminals looking to exploit weaknesses and access the sensitive information they hold. OneFlo is hosted on and accessible via securely-hosted servers and infrastructure. Strong infrastructure security – both for your business and its partners - is critical in protecting your business. Our customer interface, OneFlo is hosted on Microsoft Azure, a secure cloud computer environment^[1].

Encrypted storage back-up

Unfortunately, cyber-attacks do occur so you need to be prepared – or at least ensure your providers are prepared – in the event one happens to you. Data backup is the cornerstone of your digital disaster recovery plan. OneFlo automatically backs up the data stored on the system, including customer databases, carrier information, historical consignments, financial data and so on. Further, we encrypt it to provide further protection against adversaries.

Simulations

It’s one thing to put defences in place but you don’t want to wait until it’s too late to know whether they are robust enough to protect against an attack. Cyber-attack simulation allows you to see your organisation through the eyes of an attacker and test your defences under real-world conditions.

Our OneFlo team engages in routine ‘game days’ in which they check every possible route and type of attack to identify any vulnerabilities and immediately implement action to remediate weak spots. In addition, they periodically engage external security testers to perform penetration tests of our hosted services. They then ensure all identified risks are patched and further secured.

User awareness

As important as they are, these technical security measures can still be insufficient if human operators are not properly educated in correct procedures and digital hygiene. Phishing is an extremely common form of email attack and is particularly dangerous because it relies on human behaviour. Just one click on the wrong link in a fraudulent email could result in a data breach.

Last month a simple, innocuous-looking email appearing to be from a customer was sent to some team members at efm and its parent company, FMH Group, asking recipients to download a document. Although 29 of the 30 recipients were suitably suspicious and deleted the email, one person clicked the link (the OneFlo platform was not affected). Noticing irregular activity, our IT team swiftly intervened and successfully contained the attack to minimise data theft or damage and to protect ourselves and our customers.

With cyber-crime as prolific as it is in Australia, preparedness and response are critical components of maintaining a secure system. Following the incident, we reviewed our processes and identified an opportunity to further increase our employee awareness training. More than 95% of employees recognising a phishing attempt is good, but we can do better. We also recommend customers and carrier partners engage in awareness training so they can remain vigilant against spurious emails purporting to be from efm, FMH Group or OneFlo.

Logistics companies must be tech companies too

With the exponential increase in sophistication from cyber criminals, cyber risk has become one of most complex and potentially destructive issues facing business today. Organisations need logistics providers with security as a top priority. As a critical business partner, they must have extensive measures in place to safeguard from an attack, as well as the ability to identify threats in real time, limit exposures, enable business continuity and prevent future attacks. efm and our technology platform, OneFlo, can help.