From October 22-25, NMFTA hosted its annual Digital Solutions Conference on Cybersecurity in Houston, TX. The presentations contained powerful information for any company in the trucking industry that’s concerned about cybersecurity for its enterprise and/or assets. Of course, that needs to be the entire industry. This is part of a series of blogs that summarize the information presented for those who could not be there.
TOPIC: Business Continuity Plan
Presenter: Steve Hankel, Johanson Transportation Service
Steve Hankel, the vice president of technology at Johanson Transportation Service, had quite a memorable experience a few years ago when traveling to Arizona for a conference. While he was there, the CIO of another attending company shared that his company had been hit by a ransomware attack during his first week on the job.
This was at a time when ransomware was a very new phenomenon, and no one was quite sure how to respond. Hankel observed with interest as the CIO and the rest of his company tried to navigate through the crisis.
“Many of the people who were there agreed that the first thing we needed to do when we get home is to make sure we’re ready for this ransomware stuff,” Hankel shared during his session. “The first-hand experience of having someone tell us what we had to do really got our attention.”
Before Hankel could get to the airport, his phone rang. It was one of his company’s executives asking, “There’s been a breach! What do we do?”
Hankel had some excellent background for the question. During his career at Washington Mutual, he worked in business continuity, disaster recovery, vendor risk management, emergency management, and cyber resilience.
Before that, he worked for WebVan, which he describes with a sardonic grin as “the largest dot com failure in history.”
Hankel knows his way around cyber trouble.
In 2010, Hankel joined Johanson Transportation Service and has made it his mission to implement digital strategies that make sense in the transportation industry. And one thing he knows for sure is that Johanson, like every other company, needs a business continuity plan in case of a catastrophic event.
That involves individual priorities like data recovery and cyber insurance. But on a larger basis, it involves total preparation and anticipation of worst-case scenarios.
“All these efforts we make to prevent these attacks don’t mean anything if we don’t know what to do when one happens,” Hankel said.
Yet many companies don’t, and one of the most common reasons is also the simplest: Company leadership never thinks it’s important enough to prioritize in the face of more seemingly urgent needs.
“There’s a million reasons you don’t have time to do this,” Hankel said. “Everything’s a priority in business, and it’s not going to get done unless you get the support of upper management.”
Hankel recommends starting the process in small time chunks. The first priority is to understand the company’s risks. That includes an assessment of the company’s environment, including the physical environment around the company’s facilities, and of things that could potentially go wrong, however unlikely.
Also, schedule pen-tests on a regular basis to test the company’s digital vulnerabilities, and look at the company’s history to see what risks have shown themselves in the past.
Finally, talking to company department heads can help shed light on a lot of issues.
The next step is to identify business processes, then rank them in order of importance and potential risk vulnerability.
Once those priorities are set, the company needs to establish recovery time objectives. For example, if you need the last two weeks’ data to make payroll, then ensure there will be a two-week recovery period.
Companies also need to know the realities of their security processes. For example, if the company is running regular backups, there might be the thought that no recovery would be necessary. But a backup can be next to useless if it is not immutable, which is to say it sits in a location that no hacker could possibly get to.
Often that is not the case.
Along those lines, the company needs to ensure data center continuity, which would include a “failover” to another region in case the main region is compromised and needs to be recovered.
Looking upstream and downstream at key technology vendors is also crucially important.
“You might remember a few years ago when AWS went down,” Hankel said. “Someone fat-fingered a DNS change, and all of Amazon went down.”
Protection of physical locations should be part of the plan and should account for the possibility of events like earthquakes, fires, water damage, and technology outages. The company should be prepared for the long-term loss of a location because of an event such as this.
Sudden loss of personnel is another issue to consider. The death of an employee is always a possibility no one wants to face, but what about the death or long-term health crisis of an employee’s spouse or child?
Would the company know who can step in when a critical person is suddenly unavailable?
A crucial lynchpin of business continuity is a plan for incident response. This involves a good deal of foresight and advance planning, but a company could suffer much more serious long-term consequences if it is slow or ineffective in responding to a catastrophic incident.
This planning would include the establishment of an emergency operations center.
Another element is a communication plan. In the event of an incident, communication responsibilities should already be established, and company leaders should know who to bring into the loop and who will have responsibility for executing both internal and external communication.
Companies may be tempted to downplay the seriousness of an event, especially when communicating with the public. That can prove to be a painful mistake if it turns out later there are major impacts that affect customers or the public.
Restoring trust is critical after a disastrous event, and companies don’t need to be making the job harder on themselves by putting out untruthful statements.
Once the entire plan has been put together, it’s very important to assemble it and document it. The written plan needs to be extremely detailed, such that any individual within the company would be able to pick it up and run with it.
Needless to say, it needs to be printed in hard copy and easily accessible if digital systems go down. It also needs to be updated regularly as the company’s environment changes. A business continuity plan that was last updated 10 years ago will contain a lot that’s out of date.
Along those lines, testing the plan occasionally will help demonstrate issues.
“Finding issues is a good thing,” Hankel said. “A lot of people go through business recovery testing and say, I didn’t find anything, this is great. No, it’s horrible. If you don’t find anything, especially in the early days, you’re not doing it right. And you need to make that clear when you talk to your executives.”
When the testing is done, it should involve everyone – including some external players like local government, depending on the issues. If the janitor doesn’t know what to do in the event of an emergency, the plan hasn’t been implemented correctly.
Finally, if an event does take place, make sure the plan is followed. If most of the company is just scrambling, then all the effort put into the plan was for naught. Because a good business continuity plan can be the difference between recovering and returning to prosperity – or folding up shop for good.