Almost six out of 10 van and truck operators at last month’s Microlise transport conference have been impacted by a cybersecurity incident in the past couple of years, according to a snap survey.
The implications can be far-reaching and time-consuming to resolve. Paul Crichard, chief information security officer at Serco, pointed to a case he’d been involved in that took a year to settle.
David Brown, principal incident response consultant at NCC Group, said: “I can’t overstate the impact of a cybersecurity attack on a business and also the individuals. The time and effort needed to overcome it is all-consuming.
“Business email compromise is the most common attack. Cyber-attacks are worth around $10 trillion to attackers – it’s a criminal infrastructure.”
Artificial intelligence is compounding the issue, with emails containing more context and better messaging to fool recipients into thinking they are legitimate.
Last year, a deep fake scam conducted via an AI-generated video call duped an Arup employee into sending £20 million to criminals, for example.
“Cybersecurity is your most important risk,” said Brown. “But many companies have a lack of awareness of where to start if attacked.”
Johnty Morgan, global head of cyber risk management at Gallagher, added: “Many businesses are not prepared for an attack; they don’t know who to contact. But we are a global economy that largely uses three tech providers: Google, Amazon and Microsoft. There is huge potential for a systemic problem.”
Lack of business preparation was highlighted by another survey question, which found that 61% of audience members did not have a cybersecurity plan.
“You will be trying to make decisions and work things out in the thick of an attack,” Morgan said.
Outages are immediate and typically last one or two weeks but can take months to fully restore.
“Everything changes in an instant,” said Daniel Brind, head of IT security at Yusen Logistics Europe, which was hit in 2023 but restored operations over a three-month period.
“One thing we hadn’t appreciated was payroll: we didn’t foresee an issue in paying our employees if all IT systems were offline for any period of time,” Brind added.
“You are reliant on your people to solve the issue but if they can’t pay their mortgage, pay their rent or feed their families, that’s huge.”
Attacks tend not to happen during the working day, when IT is most vigilant; to cause maximum damage, they occur overnight, at weekends or during bank holidays, when nobody is looking at the systems.
Crichard said: “Every attack is different. But this isn’t an IT problem; it’s a human problem. Most incidents happen because someone made an assumption.
“A lot of organisations are ‘hopeful fixers’ – they hope to be back up in a few days. That expectation is out of kilter with reality.”
Should a company be hit by a cybersecurity attack, the best advice is to be open, honest and clear from the outset, not just with customers but also with the cyber community. This short-term pain will make everything easier to recover from in the long term.
Microlise had to handle its own cyber-attack last year.
Chief executive officer Nadeen Raza said: “We had done exercises, but going through it in real life was very different. You often look at things that you think are critical systems, but you will have ‘minor’ systems that are actually critical components, such as label printing which is critical to getting things out the door.”
Microlise’s cyber team is now talking to customers about its experience to help them implement mitigation and action plans.
Brown advises that all companies should carry out mock testing to judge employees' and systems' reactive response.
“Where does cyber sit on our risk register?” he asked. “It should be top. There is a government consultation on forcing companies to report a cybersecurity attack. This is positive; we need to capture indicators of compromise to provide intelligence to help companies prevent future attacks.”
Raza urged companies to consider taking out cyber insurance: “Insurance companies know who all the right people are to go through the recovery process,” he said.
Brind added: “Take it seriously and plan effectively. You have to work collectively in your response.”