Cybersecurity has been a growing concern for freight and logistics companies over the past few decades. By now, all major companies have at least some online presence and have taken efforts to protect data. However, only 54% of companies around the globe include third-party risk management in their cybersecurity programs.
Third-party risk management, a key point of emphasis for the National Motor Freight Traffic Association, Inc. (NMFTA)™, is the process of monitoring and managing interactions with external parties, and it’s an element of cybersecurity that many transportation companies have neglected, according to Joe Ohr, COO of NMFTA.
“A carrier can do all the right things, but if a key vendor fails to be vigilant about its own cybersecurity, the carrier can still fall victim to a breach that jeopardizes everything from its data to its financial security and reputation,” said Ohr. Even a carrier’s ability to operate trucks or other hardware may be at risk if hackers can manipulate the vehicles’ telematics systems, sensors, or onboard diagnostic systems.
In a webinar recently hosted by NMFTA, Erika Voss, Ph.D., vice president of information security at DAT Freight & Analytics, said that most executives would be surprised if they asked a third-party risk specialist to map out all of their third-party vulnerabilities. “If you look at everything, there will be a massive list of appetite and risks, and you’d probably realize, ‘My information is out there everywhere,’” Voss said.
The supply chain footprint expands quickly when third-party vendors outsource their functions to other providers, often around the globe. “It’s not just tier 1 you have to be aware of. You also have to think about tiers 2, 3 and 4. There might be companies you’ve never heard of hosting and processing your data at certain stages,” said Voss.
“Developing a solid TPRM program requires a serious commitment, most critically requiring the buy-in of executive leadership, along with a deep dive into the supply chain to understand where the greatest vulnerabilities may lie,” said Ohr. Getting leadership on board with a TPRM program, Ohr says, is as simple as demonstrating the real potential risks: reputation loss, regulatory fines, and brand damage.
Third-party risk management starts with a deep examination and analysis of all vendors and their security protocols. “Know ahead of time what you need to protect if something fails with a third-party vendor,” Ohr said.
When assessing third-party vendors, here’s what to look for:
- What type of services are they providing?
- What type of data do they have access to?
- Will they process or host your data?
- What functions of your organization rely on that third party to operate?
- What are the terms of your relationship?
- Are there integrations between your systems?
- Will they be embedded into your product?
- Can they demonstrate compliance with regulations?
- What type of risks do they pose?
- How critical are they to your operation?
Different types of data require varying levels of security, so a robust data classification system is a prerequisite to any cybersecurity system. Wide-ranging information hosted or processed by vendors may be confidential or sensitive from an ethical, security, and legal standpoint.
“Knowing someone’s name and email address might not be a concern, but if you attach a date of birth, you have to add a layer of security,” Voss explained. “You have to think about what types of data are more sensitive than others to formulate your classifications and procedures.”
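As an added illustration (not code from the article or from NMFTA), here is the vendor checklist above, the tier 2-4 point and the date-of-birth rule turned into a small Python vendor register that walks each vendor's subprocessors and reports findings. The Vendor attributes, the sensitivity rule set and the sample vendor chain are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed rule set: name and e-mail alone are low sensitivity, but attaching
# a date of birth (or a similar identifier) escalates the classification.
LOW_FIELDS = {"name", "email"}
ESCALATING_FIELDS = {"date_of_birth", "driver_license", "payment_card"}

@dataclass
class Vendor:
    name: str
    data_fields: set                     # data the vendor hosts or processes
    critical: bool = False               # a core function depends on it
    compliance_evidence: bool = True     # attestation on file (assumed attribute)
    contingency_plan: bool = False       # documented plan if the vendor fails
    subprocessors: list = field(default_factory=list)  # next-tier vendors

def classify(fields):
    # Classify a set of data fields as none, low, medium or high.
    if not fields:
        return "none"
    if fields & ESCALATING_FIELDS:
        return "high"
    return "low" if fields <= LOW_FIELDS else "medium"

def map_exposure(vendor, tier=1, visible=None):
    # A tier n+1 vendor can see at most what its tier n parent handed down.
    fields = vendor.data_fields if visible is None else vendor.data_fields & visible
    rows = [(tier, vendor, fields)]
    for sub in vendor.subprocessors:
        rows.extend(map_exposure(sub, tier + 1, fields))
    return rows

def assess(tier1_vendors):
    # Turn the assessment checklist into findings over the whole vendor chain.
    out = []
    for root in tier1_vendors:
        for tier, v, fields in map_exposure(root):
            cls = classify(fields)
            if cls == "high" and tier > 1:
                out.append(f"tier {tier} {v.name}: high-sensitivity data beyond tier 1")
            if cls != "none" and not v.compliance_evidence:
                out.append(f"tier {tier} {v.name}: no compliance evidence on file")
            if v.critical and not v.contingency_plan:
                out.append(f"tier {tier} {v.name}: critical dependency without a contingency plan")
    return out

def sample_findings():
    # Constructed chain: a TMS provider (tier 1) that uses a cloud host (tier 2).
    cloud = Vendor("CloudHost", {"name", "email", "date_of_birth", "payment_card"}, compliance_evidence=False)
    tms = Vendor("TMS-Provider", {"name", "email", "date_of_birth"}, critical=True, subprocessors=[cloud])
    mail = Vendor("MailTool", {"name", "email"})
    return assess([tms, mail])
```

The cloud host never appears in the carrier's own contracts, yet it ends up holding dates of birth handed down from the TMS provider, which is exactly the tier 2 exposure the text describes.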
While a data breach is a major concern, it’s not the only failure to prepare for when it comes to third parties. Any vendor at risk of bankruptcy or acquisition by another firm can result in the loss of important data. “You have to be constantly aware of the health of your third-party vendors to protect your business’s financial health. If they go under or face serious issues, you have to know ahead of time how you’re going to protect your data and your processes,” Voss said.
Proper planning and risk management start before entering into any kind of contractual agreement. “When you go into your next vendor relationship, play the what-if game ahead of time to protect your company’s reputation,” said Voss. “If you’re publicly traded, for instance, you have to protect stock prices and reputation.”
This planning extends beyond assessing and monitoring a vendor while transactions are ongoing and includes contingencies for procurement and offboarding, as every step of a business relationship can incur risks.
Risk assessment, however, is only the first step. Remediating that risk is vital, Ohr says. If any of your functions or products are dependent on a vendor, you have to have a concrete plan in place to address and remediate your risks.
A practical way to start improving risk mitigation immediately, according to Voss, is to develop automated responses to any incidents that affect vendors. “Automating responses prevents you from being bottlenecked by manual reporting. You need to be able to act quickly in the event of any third-party failure,” Voss said.
Likewise, having a reliable source of data compiled on all third parties is key to making an appropriate plan of action. Using overlapping tools can present foggy and sometimes contradictory pictures of a company’s third-party risk situation. According to Voss, “If you don’t integrate all of your data on third parties into a single source of truth, you might have to sort through conflicting data at a crucial moment.”
Implementing meaningful risk remediation requires policy, procedure, guidelines and metrics, but these need to be actionable. “Conduct tabletop exercises to figure out who needs to be notified and what contingency needs to be put in place for every kind of potential disruption,” Ohr said.
Join Joe Ohr, Erika Voss, Ph.D., and other trucking cybersecurity leaders at the NMFTA Cybersecurity Conference on October 27-29, 2024, in Cleveland, OH. This unique event is the trucking industry’s only conference dedicated to cybersecurity. Attendees will delve into critical issues, gain insights, explore the latest research, and learn strategies tailored for trucking leaders and IT professionals in the digital age. Learn more and register today.