Fighting back in a cybersecurity world where bad guys are getting bolder

NMFTA meeting on protecting carriers spotlights huge ransomware demand to show what’s at stake

The bad guys in cybersecurity are getting bolder and that was the subject of the NMFTA conference in Houston. (Photo: Jim Allen/FreightWaves)

HOUSTON — One hundred and seventy five million dollars.

That’s the figure Shelly Thomas of the cyber practice at insurance provider Marsh presented when the topic of ransomware came up at a conference sponsored by the National Motor Freight Travel Association.

Thomas, speaking Monday on the opening panel of the Digital Solutions Conference, said that $175 million was the largest ransomware demand she had seen this year. While the end figure the unidentified victim paid was “negotiated down” to an unspecified level, the sheer size of the original number “kind of shows you the depth and breadth of those ransom demands.”

The conference is the second sponsored by NMFTA, the main trade association for the less-than-truckload industry, on the issue of cybersecurity. However, it was clear that the organization was seeking to promote it to as wide a group as possible, unlike earlier, more closed-door versions. The 2023 version was sold out, and more than one person commented on the proximity between the hack at LTL carrier Estes and the timing of the meeting.


Ask attendees if their companies have been targeted by cyber bad guys, and the answer is always the same: We get attacked hundreds if not thousands of times a day. The key is making sure that breaches don’t occur, and if they do, that they are relatively minor and can be dealt with fairly easily.

From left to right: Antwan Banks, moderator, NMFTA; Ernesto Ballesteros, CISA; Shelly Thomas, Marsh; Takeda Parker-Bradford, TSA; Clarke Skoby, US Secret Service

Thomas said ransomware and privacy concerns are the biggest issue that Marsh has dealt with for its clients. “Something we’re talking a lot with our clients about is making sure there’s proper consent on the use of data,” Thomas said. She added that plaintiffs’ attorneys are “going after organizations for everything under the sun to see what will stick” by filing lawsuits over alleged privacy violations.

Drew Williams, the director of TretRecon Cybersecurity Services at Guidacent, approached his presentation through a series of lists, most of them a series of five questions that cybersecurity executives and their personnel should be considering.


Williams said anybody attending his session was probably aware of “five big issues”: being aware of pitfalls that could impact your operations (and presumably anybody who went to a trucking cybersecurity conference has met that requirement); protecting corporate assets; not fully understanding the consequences of what cybersecurity is all about; deciding where to focus cybersecurity investment dollars; and not being sure where to begin tackling the issues.

Williams said there are still some in the industry whose approach is, “What is cybersecurity? I’m not a very big company. Nobody’s going to bother me. It’s probably pretty pricey to put in all these tools and controls.”

And then there are the lists of things that company tech teams are asking, Williams said: What oversights are we forgetting? What is all the hype about phishing? Why are passwords such a pain to change? Is ransomware really an issue to worry about?

To some degree, protecting a company from a cybersecurity attack is easy and hard at the same time, at least based on some of the data Williams presented. He said 95% of cybersecurity breaches are caused by human mistakes. And 88% of companies have been hit by attempted phishing, raising the question of what’s happening at the other 12% since phishing seems ubiquitous.

Few companies ever admit to paying ransom. But Williams said that 80% of the companies that get hit with a ransomware attack end up paying. Williams said in his own experience, “I’ve gone through six ransomware attacks and spent $7 million in Bitcoin to get out.”

His address was filled with often commonsense advice: “Passwords are like toilet paper and toothbrushes. Don’t share them.” He also ran through a predictable list of too-frequent, easy-to-crack passwords, like “hello” and “qwerty.”

One of Williams’ lists jointly spelled out the opportunity and the drawback to cybersecurity. Under the heading “Don’t go it alone!” Williams presented a list of steps companies need to take to reach a high level of defense: security awareness training, governance, risk and compliance preparation, penetration testing, and so on. But next to all eight points, he had dollar symbols, recognizing that each one costs money.

All of this led to Williams’ recommendation that a company’s cybersecurity plan achieve five things:


  • Develop a business resilience and response plan.
  • Create immutable data backup plans (and Wiliiams observed that some backup programs are on the same main system that might get hacked, defeating the purpose.)
  • Establish an incident response plan.
  • Manage fleetwide cybersecurity training and briefings.
  • And schedule a “tabletop” exercise, which is a sort of war game for having to deal with a cybersecurity attack. The recommendation to “do a tabletop” and the question “Has your company done a tabletop?” was a frequent subject on day one of the conference.

But Thomas also expressed optimism that industries are starting to fully grasp the risk that cybersecurity attacks pose and are taking action. “I think that a lot of work that has been done over the last 18 to 24 months from a security posture has helped,” she said.

But there’s more to do. Ernesto Ballesteros, the cybersecurity state coordinator for the federal Cybersecurity and Infrastructure Security Agency, an arm of the Department of Homeland Security, spelled out a scenario in which an improperly handled email can wreak havoc.

Referred to as the “business mail compromise,” Ballesteros said it arises when “a thread aggregates into your operating environment and compromises the business email account.” And it doesn’t need to come from a company employee, Ballesteros said; a vendor email can open the door to the problem. “And then they’re going to use that account in order to try to either get some information to conduct some sort of social engineering attack, which is going to be very easy when you have a legitimate business email.”

But that can also be a “precursor to a ransomware attack, when you can send malicious content or you can get them to go to a website because they trust you using a legitimate email account.” That can then allow the cybercriminals to “get a foothold into the victim’s network, and start to move around laterally and identify what they’re going to target and execute.”

Part of the goal of the opening panel was to drive home the point that there are capabilities that companies can access to beef up cybersecurity. Ballesteros several times noted that his agency can help a company with cybersecurity issues, as did two other panelists: Takeda Parker-Bradford of the Transportation Security Administration and Clarke Skoby of the U.S. Secret Service.

While there was plenty of talk about insurance and control systems and other aspects of the battle for cybersecurity, Parker-Bradford made a point that was heard often on day one of the conference: Personnel need to be on the front lines and avoid making the mistakes that let the bad guys in.

“I know that people get complacent,” she said. “They feel like, oh, it’s not going to happen to me. This isn’t a me issue. Really increasing awareness among your staff or leadership, putting an emphasis on security and investment, I think that is probably the best thing you can do.”

More articles by John Kingston

Taking stock of what happened at Estes

TriumphPay’s EBITDA loss narrows, volume increases, factoring invoices stay flat

XPO’s Jacobs on his next venture: Wait and see

Exit mobile version