Given the potential for cybersecurity threats to cripple a trucking company, high-level executives need to be thinking about more than just technology solutions. Executives must prioritize building a culture of security that all employees embrace.
When building such a culture, one of the first mistakes many company leaders make is to try to turn everyone into a “security geek” who obsesses over the finer points of the technology. That isn’t possible, nor is it desirable. And it certainly isn’t necessary.
“Even the security geeks get tired of this stuff,” said Ericom Software’s Chief Strategy Officer Dr. Chase Cunningham, and a prominent presenter at NMFTA’s most recent Digital Solutions Conference. “The technology exists that allows you to make the user experience for security minimally painful.”
The average employee who is not a technology expert doesn’t have to learn all the nuances that have been mastered by the IT team. Rather, they have to get in the habit of using certain user-friendly tools that help keep them and the company protected against threats.
One of the most critical segments of technology to emerge toward that end is called browser isolation. The tools that fit into this category automatically keep malware off laptops and mobile devices by sending risky web content to remote cloud containers. Only safe information gets streamed to laptops and mobile devices, so users cannot be tricked into downloading malware or giving away their IDs and passwords.
Of course, no one needs to convince the technology to do its job. If deployed, it will. Building a culture means bringing the people along with the idea that these things have to be taken seriously every day.
Cunningham said the keys to building such a culture are consistency and personal stakes for people. On the latter point, people need to understand that cybersecurity measures are essential for the security of their jobs.
“You have to make sure people understand you’re putting these things in place, and you’re building this culture, because people want to keep getting their paychecks,” Cunningham said. “That can’t happen if you’re underwater because things stop every few months due to a cyberattack.”
At the same time, the company cannot present the culture of security as a crucial priority at the start, only to veer away from it over time.
“They’ll really engage it for a month or so, and then other things happen and it drifts to the side,” Cunningham said. “Commitment is critical.”
At Peninsula Truck Lines’ IT Operations Manager Chloe Callahan was hired in 2018 and found the company culture anything but focused on security. She started the process by building relationships with her colleagues, then shifted her focus to cybersecurity training.
She had to put her foot down on some things.
“They were transmitting plain-text passwords over the Internet with a shortcut key, so I took that away,” Callahan said. “I also made it so passwords wouldn’t go over the Internet.”
These are behind-the-scenes moves, of course. The cultural changes involved extensive security awareness and training.
“The first year it was just me making the content and sending it out via e-mail, and you never know if people are reading what you write or even opening an attachment,” she said.
But progress became apparent as more people started asking questions and reporting incidents that seemed suspicious. As awareness of cybersecurity issues grew, Callahan even offered to help some employees with security on their home computers.
“For me personally, if I can teach anybody and have it carry out anywhere, then those people are going to become advocates for the same things, and it will spread like a pebble in a lake,” Callahan said.
While companies shouldn’t expect to achieve a culture of security simply by throwing money at the problem, there are certain high-impact technologies that should be budget priorities. The highest, Cunningham said, would be identity and access management.
“If you can eliminate crappy passwords and mandate multi-factor authentication, you’re solving a giant piece of the problem,” Cunningham said.
Like anything else, companies can likely expect some employee resistance to mandates and large-scale initiatives. Employees might like the simple, familiar password they use for 25 different things. They might not want their Internet browsing restricted in any way.
But if company leaders are consistent and lead by example – and explain the stakes clearly – employees should recognize that these behaviors are a necessary and critical part of keeping the company strong and viable.
“People still smoke cigarettes and don’t want to buckle their seatbelts,” Cunningham said. “That’s why it’s important to make them aware it’s personal to them. We have to adapt because of the realities of the stakes. If we don’t do this, we don’t survive.”
Finally, Cunningham warned the owners of smaller businesses not to make the mistake of thinking hackers won’t be interested in them.
“It may be true that you’re not a big target,” Cunningham said. “But you might be a launching point to a bigger network. Don’t accept the argument that no one would care about your little business. You have value to them for some reason.”
That’s why even the smallest trucking companies, with relatively few employees, absolutely must build a culture of security. It starts at the top with the example set by leadership, and flows through to every person at the company.
Technology helps, but it’s the day-to-day decisions of people that really separate the companies committed to cybersecurity from those who are constantly at risk of being attacked and paralyzed.
In today’s LTL trucking world, there are few leadership imperatives as important as this one.