It’s easy to dismiss data breaches and hacking as crimes that only affect the cyberworld — that couldn’t be further from the truth. In fact, in the transportation and logistics industry, the theft of business intelligence, shipping manifests or route information can lead to real-world hijacking and delivery theft. Jeffrey Luft, global practice leader for the Verizon Enterprise Solutions transportation & distribution verticals, explains how a supply chain data breach can turn into theft of goods in transit or the warehouse.
What is the current state of security in the transportation and logistics market?
Jeffrey Luft, Global Practice Leader, Transportation & Distribution Verticals, Verizon Enterprise Solutions
Jeffrey Luft: While the numbers of physical incidents are declining, the value of each incident is increasing. In a supply chain, transportation and distribution environment we focus on what we can see — the physical objects that could be stolen. Think about it. High-value merchandise in a warehouse is usually kept in a cage that requires a key or badge swipe for access. Guards personally check transportation drivers and review the bill of lading before goods are moved on or off a vehicle. When products are in transit, we put a lock and anti-tamper technology on the container. What many companies are missing — and need to spend more time on — is a holistic cybersecurity strategy. In a world where data is the oil of the 21st century, understanding where product is coming from or going to is a wealth of information.
With the recent public data breaches in the retail or hospitality industries, does it make sense for the supply chain to ramp up cybersecurity measures?
Jeffrey Luft: Absolutely, because protecting the data that sits in enterprise information systems is essential to preventing physical loss. For example, if I have a high-value shipment being delivered and someone has access to my IT systems and can see what's in the container, they can plan a physical theft. If a criminal can see where my deliveries are going, they can target that end-user’s location.
Businesses must protect their route information for exactly that same reason. In this industry, cybersecurity almost always relates back to physical security. If I don't stop high-tech criminals from stealing my data, it can potentially lead to lower-level criminals stealing my goods. In essence, cybercriminals help give new meaning to organized crime. But in this case, we are talking about a crime that has been organized and planned because of holes and vulnerabilities in information systems.
The stolen data helps the criminal element understand where to best invest their time and energy, just like the companies that build, ship and sell the goods.
Are you seeing an escalation in these types of cybercrimes?
Jeffrey Luft: It is hard to say. Many companies in this space don't report cybertheft and some don’t even know it has happened. They see and report the physical losses to the authorities, but businesses don't usually trace a loss back to how the criminals got the information that they used to commit the crime. Companies are more concerned with the downstream implications on the supply chain, and what that theft will mean to customers that did not receive their goods.
This is a much different situation than the recent breaches affecting big retailers. The retail world is a whole different animal, because credit card information is subject to stringent PCI security requirements and compliance is mandated by the various banking institutions. That oversight doesn't really exist in the transportation business, except for a few companies that engage in retail transactions. In the supply chain and distribution industry the data theft more than likely leads to better, more targeted and more lucrative physical theft.
How do you protect a network that isn't regulated?
Jeffrey Luft: Companies must audit their security systems to gauge how easily their system can be compromised. Do they require multi-level authentication of users? Do they require users to change their passwords on a consistent basis? If the answer is “no,” they really should consider using a professional services team to help them test the strength of their systems using brute force techniques and other tools. Data security isn't all that complicated, but it requires the conscious effort and diligence of both your IT staff and the people who use these systems. The key elements to security are to detect or understand where vulnerabilities in your enterprise exist, put a plan and controls in place to eliminate or mitigate those risk areas and then continually monitor for new threats and lapses in existing controls.
Supply chain and distribution businesses may take preventative cybersecurity measures or conduct the occasional security audit, but what they need is a business continuity plan that maintains the security of their systems. They need to have a process in place that immediately alerts them of unauthorized access, so that they can take the necessary actions to close the leak and protect the data, which, in turn, safeguards the property.
How can companies balance cybersecurity with the human element and physical security?
Jeffrey Luft: Just as companies monitor employees through random checks, they need to make sure that the information that their employees are looking at is what they are authorized to have access to. Access should only be granted on a business needs basis and not without some sort of oversight and audit process. If you conduct a security audit on a regular basis — just as some businesses are required to do annual ISO audits and distribution centers perform semi-annual physical inventory — you reduce the risk of being compromised. If there is an inside breach resulting in a theft it can be traced back to the person(s) that had access to the information.
Where does the Internet of Things fit into all of this?
Jeffrey Luft: The Internet of Things and connected solutions provide a bevy of data pertaining to equipment within the transportation and distribution space. Transportation companies use machine-to-machine (M2M) connections to track information, such as the duration a driver is on the road, the length of each stop, how many times the trailer door was opened, to name a few. By looking at all these data points — in a real-time environment — headquarters can communicate with the driver about any anomalies.
Similarly, in the warehouse, businesses use M2M technology to monitor access to areas with high-value materials against the number of orders that are picked. If I had only one order for five small pieces, theoretically the door should only have opened a maximum of five times. If I have a record that shows the door was opened 20 times for a quantity of five picks, and there was nothing put away in that area, then I need to ask “why was the door opened and closed so many times.” Analyzing that information allows for automation and notification of anomalous activity so that someone can “check the video” to see what really happened.
Read the “Verizon 2015 Data Breach Investigations Report” and get the latest information to help protect your enterprise organization from a supply chain data breach and safeguard your customers’ personal information.
Visit Verizon’s Transportation and Distribution Solution Center to learn how you can reinvent your business model; increase revenue opportunities; and improve communications, logistics and inventory tracking.
To contact Jeffrey Luft, email Marie McGehee at Marie.Mcgehee@one.verizon.com.
