I noticed the small hole in the wall while descending the steps to my basement in the spring of last year. I really didn’t think much of it until the intruder’s tiny head peaked out for a quick glimpse. The exterminator I called confirmed my worst fear, that the unwanted visitor was one of thousands of termites – ant-like creatures that had moved into my house undetected during the winter and ravenously began eating its inner structure. The uninvited houseguests cost me a fortune to evict and to repair the damage they had done.
I was reminded of my termites during a recent cybersecurity webinar sponsored by the U.S. Airforwarders Association. The presenters told their audience that computer hackers can get into any business’ network and stay there, lying in wait, undetected for six to nine months before taking down your operations. As with the insidious termites devouring a house, criminal groups in places like Eastern Europe and Russia now have the time and resources to find a weak link within your organization and quietly nibble at it. And we in the air cargo industry, as stewards of critical infrastructure, have no choice but to do everything we can to fight back. We are targets, to be sure.
Cybersecurity is not just something we have to worry about in our personal lives; we need to be vigilant in our logistics world, as well. We’re hearing with alarming frequency about cyber-scams diverting cargo and misappropriating hard-earned dollars. It is now apparent that everything connected to the internet can be hacked, and, to an ever-increasing degree, our business is an online one. Accordingly, our shipment data and vital customer information is vulnerable to significant information denial, disruption or degradation of our operating environments.
The aviation industry has been warned against cyber-related intrusions, including hacks into reservation systems, air traffic control, navigation and worse – potential hijacking of an aircraft. Recently, the news media reported that a cybersecurity consultant told the FBI he had hacked into computer systems aboard airliners up to 20 times and managed to control an aircraft engine during a flight.
Likewise, the airfreight business faces debilitating threats, where data breaches can intrude on proprietary customer business relationships, hijacking and holding for ransom information, including pricing data, customer lists and trade secrets. Most importantly, once hacked, customers may not come back after they lose confidence in your ability to protect them and your system.
The termite infestation experience taught me that the government was not going to provide much guidance and leadership in my predicament. I had to take quick and decisive action to save my own home, much as freight forwarding companies and their affiliates must do now.
According to a recent Cisco Systems annual security report, security must be viewed as a “people problem.” A technology-centric approach to security does not improve security; in fact, it exacerbates it. Technologies are merely tools that can enhance the ability of people to secure their environment. Security teams need to educate users about safe habits that they should apply, no matter where they are using technology – at the office, at home, or on the road.
As with many business challenges, company leaders need to begin educating employees on the issue and its risks. There are plenty of free and commercial resources available to provide assessments on systems and best practices. Forwarders should create security policies anchored by training and education for administrators and users. The training should include procedures and tactics as well as evaluation tools in the selection of appropriate security technologies.
Since most cyber-threats enter systems through email, companies should invest in quality anti-spam products and services to prevent users from receiving the malicious emails in the first place. Staffs should be trained to validate senders and not click on the links in emails without careful verification and consultation with IT departments. Under no circumstances should users respond to “pop-up” messages requesting user action.
Wi-fi security networks should use strong administrative passwords and disable unsafe or older wireless security standards where possible, while keeping firmware up-todate. Employees should be trained on basic security principles, including password complexity, email security, ways to detect “phishing” scams and safe web use. And since many cyber attacks are the result of insider threats, there should be no sharing of accounts between individuals, which can frustrate auditing and forensics efforts.
There are many other defenses to ensure data security, including extensive use of encryption, file transfer and data storage mechanisms. While learning about them may prove difficult for nontechnical individuals, effective IT administrators should remember to focus communications particularly on these employees, since they may be the most vulnerable to cyber attack.
As the experts tell it, there are two types of companies: ones that have been hacked and those that will be. Cybercriminals are organized, automated and persistent. They are continuously looking for new ways to compromise their targets. All this means it is absolutely essential that forwarders stay current, keep their guard up and constantly look to improve their defenses before the termites do too much damage.
