Canada. July 2020. It’s morning, and the personnel of a mid-sized Canadian trucking company are logging into workstations, checking their daily schedules, and getting into the zone for just another busy day. Except that it isn’t. Something’s off about the company’s freight management system.
Employees across the organization begin to submit IT tickets reporting data access problems. There’s head-scratching and muttering as employees struggle to keep the company’s wheels moving.
By mid-morning, frustration has turned into a full-blown crisis. Nothing works as it should. The company is in a state of near-complete operational paralysis. And it’s right here, in the heart of the chaos, that someone discovers the ransom note. This company — the fourteenth largest trucking company in Canada with over 750 tractors and 80 terminals across the country — was the victim of a ransomware cyberattack.
In the scheme of things, this company was one of the lucky ones. The next few days were a blur of tense meetings, hard decisions, and a desperate hustle to keep their doors open. In the end, this company chose not to pay the ransom and to bear the consequences.
After two days of mayhem, logistics coordinators and drivers were able to get back to business. The company had to contend with harm to its reputation when a hacker group released the company’s confidential data, but ultimately the business was resilient and able to weather the storm.
The smoking gun
It was in the aftermath of recovery, however, that the big, scary question rose up from the depths like an … like an enraged octopus with indigestion:
How did this happen … and how do we stop it from happening again?
A team of cybersecurity threat analysts swung into action to investigate. In the end, the smoking gun came from the cybercriminals themselves. Over a few months, the hackers leaked data from a handful of adjacent-industry and partner companies. The connection was too strong to be a coincidence.
Investigators concluded the compromising data must have been stolen from just one source, one of the company’s partners. A weakness in one partner company’s data security likely created a cascade effect that ultimately impacted the Canadian trucking company. Investigations are ongoing.
The moral: your data is only as secure as your least secure partner.
The risky business of partnership
The partner you choose to manage your supply chain has enormous implications for your company’s cybersecurity. Yet 2022 cybersecurity research by threat analysis firm Interos found that barely over 10% of companies continually monitor the security of freight partner companies. Over a third of companies canvassed said they review their partners’ security on a monthly or even a quarterly basis.
That’s a problem…
… and it’s an enormous problem if you aren’t working through a trusted third-party logistics provider (3PL). The right 3PL:
- Equips your company with secure system infrastructure for sharing supply chain data.
- Gives you real-time visibility over shipping irregularities.
- Lends expertise to your company to help you foster practices that mitigate cybersecurity risk.
But here is the tricky bit. As with any data-sharing partner, you’re only as secure as the 3PL with whom you work. If your partner 3PL’s digital assets and systems aren’t safe, neither are yours.
How do you recognize a more secure 3PL from a less secure one?
Over a series of blogs, we’ll look into this issue of security and trust. Here we’ll focus the spotlight on TMS software, the nerve center of efficient supply chain operations and a key repository for sensitive freight and partnership data.
Here are some important questions to ask about your TMS:
Who wrote the software?
We live in a time when code abounds. An enormous digital marketplace of code is out there and readily available — low-hanging fruit for a software developer near you. Why develop the intricate moving parts of a software package from scratch when you can save money and time cobbling it together from pre-baked code?
This is probably fine if you’re in the business of developing the next Candy Crush clone or a try-before-you-buy virtual shoe filter for Instagram.
It’s not a safe approach for the development of software that houses business-critical data. Yet many companies are doing it. To quote IL2000’s white paper on supply chain cybersecurity, “this practice opens a door for cybercriminals to hard-code vulnerabilities into software that they can exploit later.”
Where is the data stored?
It’s good to know upfront if the data you enter into your TMS exists on a client-server or on a third-party cloud-based platform. While not all cloud services are equal, you can actively quantify the security track record of a cloud-based provider. On top of that, cloud computing providers are required to conform to high security standards. Their business model is predicated on it. Cloud compliance is something you can quantify, research, and compare across providers.
You don’t have that luxury with a server another company owns and manages. You’re going off faith alone — the used car dealer equivalent of a firm handshake and complimentary coffee at the customer service kiosk.
What happens when something goes wrong?
In its comprehensive framework for cybersecurity, the National Institute of Standards and Technology makes a (kind of alarming) recommendation. The Institute recommends approaching a successful cyberattack as though it were inevitable. The sheer breadth of attack surfaces is just too great for any reasonably sized supply chain to be 100 percent safe from cyber intrusion.
Therefore, it’s important to quantify not just the capability of your TMS provider to resist cyberattack, but also its ability to recover swiftly after an incident occurs.
If you don’t know how prepared your 3PL is to recover your data after a breach, ask. This is important information to find out.
Trust is earned
Many 3PLs don't have their own TMS and are passing the risk through from one of their up-the-chain partners. IL2000 has taken a uniquely secure approach by developing our own TMS. How does IL2000’s TMS stack up?
- IL2000 designed our proprietary TMS from the ground up. No line of code exists in the software that we haven’t written and that we don’t control.
- Our TMS is built on a secure cloud platform, giving your business ease of access without compromising the security of your data.
- IL2000’s system is resilient, equipped with fail-safes that allow us to reliably restore data.
That mindset guides everything from system development to daily data handling practice. Most importantly, we understand the deep importance of trust. We work hard to earn, maintain and grow that trust with rock-solid secure TMS software and industry-leading supply chain expertise.
Talk to us if you’re seeking a safer way to manage your supply chain.