Cloud Security: For Motor Freight Carriers, Trouble Often Starts With Misconfigurations

Joe Ohr - June 26, 2024

As more trucking companies transition their data and technology to cloud-based applications – saving money on hardware as well as on the implementation of locally-based software – they theoretically provide their data with a layer of protection in the event of a cyberattack on a company’s systems.

But cloud-based systems have cybersecurity vulnerabilities of their own. There are certainly advantages to using them, but no trucking company should be under the illusion that putting its data in the cloud is an opportunity to become lax on cybersecurity issues.

I recently visited a carrier that was working on moving its data to the cloud. Its people were literally moving information from servers in a basement to the cloud servers they hoped would give them far more security. It’s common for carriers to think that, once their data is no longer on premises, they really don’t have to think about security.

But they do. They just have to think about it differently.

As with all cyberthreats, a company’s biggest vulnerability is usually via a mistake by an employee – clicking on a phishing e-mail or giving away log-in credentials to someone who is up to no good. Mistakes like these can be particularly dangerous with cloud applications – many of which only require log-in credentials to access. If hackers can gain access to a company’s cloud-based data by absconding with someone’s log-in credentials, the consequences for the company can be devastating.

A few of the leading threats to carriers that have moved their data to the cloud include:

Cloud misconfigurations. Cloud configurations are very complicated, with multiple storage buckets. If the configuration is off even a little, things you thought were not exposed to the Internet may actually be exposed. It’s easy to overlook something with configurations this complex.

This is one of the reasons it’s crucial to make sure you’ve got the right people managing your cloud environment.

Exposed APIs. This well-known acronym for Application Programming Interfaces refers to the systems that allow different digital platforms to communicate and exchange data with one another. But APIs can be exposed to hackers, and when they’re hit, they can give hackers access to all the programs and users who are working through them. It’s critical that any carrier who is using APIs employ all necessary security measures to ensure they are not exposed.

Overprivileged users. The privilege I’m referencing here is the rights people have to high-level system access. Most people in your organization only need the minimum level of access necessary to do their jobs. Only a very few people should have administrative access that allows them to poke around at the most sensitive information. Others may need access to certain things at certain times, and that can be granted on a by-approval basis.

Many managers like to appear employee-friendly and give everyone high-level access. They figure this shows that they trust their people and they’re willing to give them what they need to do their jobs. But it also gives too many people access to information, and it takes only one bad actor to misuse it. Security isn’t convenient, and in the environment where we’re operating today, that’s simply a fact of life people have to live with.

Holes in the offboarding process. As random as this might sound, a person leaving your company can wreak real havoc if he or she retains access to your system. And it happens more often than you might think. We’ve probably all heard stories of the employee who leaves a job and still has access to the schedule and other aspects of the operational system years later – because no one remembered to terminate that access. Not all former employees are untrustworthy, of course, but none of them need access to this information after they’ve left. An effective offboarding process should terminate that access before the employee is out the door on his or her last day.
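One way to audit for the two problems above (overprivileged users and accounts that outlive an employee's departure), as an added example that is not part of the original article. The HR roster, account export, field names and approved-admin list are all constructed assumptions, not any vendor's schema.

```python
from datetime import date

# Constructed sample data; field names are assumptions, not a vendor schema.
# Roster maps employee id -> last working day (None means still employed).
HR_ROSTER = {
    "e100": None,
    "e101": date(2024, 5, 31),
    "e102": None,
    "e103": date(2024, 6, 28),
}
CLOUD_ACCOUNTS = [
    {"user": "adavis", "employee_id": "e100", "role": "admin", "enabled": True},
    {"user": "bchen", "employee_id": "e101", "role": "dispatcher", "enabled": True},
    {"user": "cortiz", "employee_id": "e102", "role": "admin", "enabled": True},
    {"user": "dpatel", "employee_id": "e103", "role": "billing", "enabled": False},
    {"user": "svc-old", "employee_id": None, "role": "admin", "enabled": True},
]
APPROVED_ADMINS = {"adavis"}  # the very few people who should hold admin rights

def audit_accounts(accounts, roster, approved_admins, today):
    """Return (user, finding) pairs for enabled accounts that need attention."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing left to revoke
        user, emp = acct["user"], acct["employee_id"]
        if emp not in roster:
            # Nobody in HR owns this account, so nobody will offboard it.
            findings.append((user, "no-owner"))
        elif roster[emp] is not None and roster[emp] < today:
            # Last working day has passed but the login still works.
            findings.append((user, "departed-still-enabled"))
        if acct["role"] == "admin" and user not in approved_admins:
            findings.append((user, "unapproved-admin"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_accounts(
            CLOUD_ACCOUNTS, HR_ROSTER, APPROVED_ADMINS, date(2024, 6, 26)):
        print(f"{user}: {finding}")
```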

Lack of a secure backup protocol. When everything is on the cloud, everything is lost if you lose access to the cloud – or if a hacker gets to it and compromises it. Carriers need to back up their cloud data using a storage mechanism that’s offline and inaccessible to hackers.

Cloud systems are vulnerable to what are called zero-day attacks, in which hackers take advantage of patching issues before the user realizes the patch is necessary. Open-source software is especially at risk for such attacks, as few trucking companies have the IT bandwidth to patch as often as they should.

Cloud systems without the proper patches can also leave trucking companies more vulnerable to the impact of malware, which is more easily deployable in a cloud-based setting as files travel to and from the cloud. Malicious code that sneaks into one of these exchanges can do tremendous damage to a carrier’s system.

The cloud offers tremendous savings and simplicity for carriers, but it can create a false sense of security when it comes to cyberattacks. Your data on the cloud is not impenetrable. Taking the necessary steps to protect it could secure the future of your enterprise.

Carriers looking to shore up their cloud security are invited to peruse the wide array of cybersecurity research and cybersecurity resources available from NMFTA, and to register for our Cybersecurity Conference in October.

Joe Ohr

Joe is the chief operating officer at the NMFTA. He brings to the organization over 20 years of experience in engineering product software, gained from roles at Omnitracs, Qualcomm, and Eaton. Ohr has provided strategic guidance, vision, and a roadmap for addressing long-term customer challenges. He has played a key role in accelerating revenue growth and has collaborated closely with IT, product, and engineering teams to foster stronger partnerships with strategic customers and peers.