Cybersecurity in the conference spotlight
It’s not a question of ‘if’, but ‘when, and how bad?’, was the warning about the dangers of cyberattack which came from a roundtable discussion at the recent Microlise Transport Conference.
The hosts themselves had recent first-hand experience of this, as Microlise CEO Nadeem Raza admitted. “The first thing we found out is that real life is very different to an exercise. In exercises you look at what you think are the most critical systems, but the reality is that even a ‘minor’ system like a label printer can be critical to getting stuff out of the door.”
The telematics company had not been attacked through its commercial software, but the hit had come through its internal office system. “No customer data had been stolen,” he emphasised.
Gallagher Insurance’s global head of cyber risk management, Johnty Morgan, said: “Many businesses are not prepared for an attack; they don’t know who to contact.
“We are in a global economy that largely uses three tech providers: Google, Amazon and Microsoft. A successful attack on any one of them would be a huge global event, but I don’t think there is any way back now.
“Do organisations even know who their outside IT provider is?” he asked.
The human factor should not be underestimated: “The stress can put an IT manager out of action within a couple of hours of a situation being apparent,” he warned.
This point was reinforced by the head of IT security at Yusen Logistics Europe, Daniel Brind. The company was subject to a cyberattack in 2023, but was able to restore its operations over the following three months.
“You can’t overstate the impact of an attack not just on an organisation, but also the individuals within it,” he said. “Everything is perfect one day, but changed forever the next… Cybergangs are very clever, they will attack the system when it is not being used: at the weekend, on public holidays or in the middle of the night.”
He emphasised the importance of looking after people during the crisis. “The most important thing is a robust payroll system. Make sure you can still pay people if your IT system is attacked, because that’s when you need your people more than ever.”
According to David Brown, principal incident response consultant at NCC Group, ransomware was not the biggest threat; rather, it was phishing emails disguised as legitimate business communications.
“Cyber-criminals are using AI to make these more convincing than ever,” he warned. Individuals could even be deepfaked in online meetings, and the North Korean state appeared to be stealing details from social media as a means of raising revenue using fake identities.
“It only takes a three-minute video pulled from social media to construct a convincing ‘deepfake’ of a person that can take part in a Teams meeting or similar.”
He explained that a construction company had lost $25 million when an employee had been fooled into making the payment by AI deepfake voice and video clones of senior officers at the firm.
“Make sure you are talking to the person you think you are talking to!” He said the global cost of cyberattacks in the last year had been estimated at a staggering $10 trillion!
“There is more money being made around the world from ransomware than there is from illegal drugs.”
Johnty Morgan warned that paying a ransom might not even be possible: “You can’t make payments to sanctioned nations,” he pointed out.
Paul Crichard, chief information security officer of Serco, said IT was: “The mortar binding the bricks of your organisation together. Protecting it is a bit like a health and safety policy, it’s a question of balance.”
“The bigger the incident, the longer it will take to recover.”
Every attack was different, he said – but it was a human, rather than an IT, problem, with most incidents resulting from somebody making an assumption.
“A lot of organisations are ‘hopeful fixers’,” he said. “They hope to be back up in a few days.”
But that expectation was out of kilter with reality.
“Ask about cyber-security at the beginning of any change to your systems, it’s cheaper to do it then. And test systems annually, it can be done internally.”
Nadeem Raza said fleets should consider taking out cyber insurance policies: “Insurance companies know who all the right people are to go through the recovery process.”
And what should be done after an attack?
The panel urged honesty and openness.
David Brown felt that organisations should be obliged to report cyberattacks, and Paul Crichard said: “Don’t be scared, open the door and ask for help.”
He added that prevention was better than cure, and the entire business should be prepared for cyberattack, and not just the IT department.
Daniel Brind urged that incidents should always be taken seriously, and companies should work with partners and competitors, and share information and intelligence.
A snap survey of the conference audience of transport professionals revealed that almost 60 per cent had experienced a cybersecurity incident in the past two years. In spite of this, 61 per cent of the audience said their business did not have a cyber-security plan.