The global risk of cyberattacks in distribution


Transportation and distribution companies are the neural network of our global infrastructure, and that makes them a target for cyberattacks.


As these companies digitize operations and integrate data from external partners and devices, they open more points of potential attack worldwide. Some companies have limited tech integration and might think that attackers aren’t seeking their data. “It’s true that most transportation and distribution companies do not have the kinds of radioactive content that hospitals and banks do — like health information or retail credit cards,” noted Grant Thornton Risk Advisory Services Principal Johnny Lee. However, attackers aren’t always looking for data they can use.

Headshot of Johnny Lee

“We’ve worked investigations where it was clear that the threat actor didn’t know which company they’d compromised.”

Johnny Lee

Grant Thornton Risk Advisory Services Principal


Ransomware cyberattacks can shut down a company’s network while attackers demand a payment to release it again. “We’ve worked investigations where it was clear that the threat actor didn’t know which company they’d compromised,” Lee said. “They just knew they’d locked up data, hoping that it was valuable enough for someone to pay a ransom.”


“That’s the leverage ransomware provokes,” Lee said. “Ransomware is still king for a reason — it’s remarkably effective, and it's very hard to defend against.”


In transportation and distribution, companies depend on relationships with other partners in the broader ecosystem. Cyberattacks can put those relationships at risk of service failures, and those breakdowns can produce financial losses.


Downtime can be a ticking clock where your losses add up until you are ultimately forced to meet an attacker’s demands. 




Where are you vulnerable?


Beyond ransomware, transportation and distribution companies need to guard against other unauthorized access and data breaches. As companies integrate Internet of Things (IoT) devices, the opportunities and impacts for potential attacks expand.


Many companies in transportation and distribution have outdated technology or unknown vulnerabilities. “They’re often using older technologies, housed in someone else’s cloud environment, so knowing how to secure that is very artful science — especially if that cloud provider isn’t a world-class outfit with firmly established security protocols,” Lee said.


It can be hard for a company to monitor, or even fully know, the vulnerabilities in its environment. This might sound like an issue for the IT team, but it has much broader implications.




Recognize the enterprise issue


To successfully implement cybersecurity and incident response, companies need to coordinate across business teams. “They need to treat cybersecurity like a category of enterprise risk, where you bring a multidisciplinary team together and say, ‘OK, what would HR’s role be to prevent or respond to an incident?’” Lee said. “What about legal’s role? What about finance?”


IT certainly plays a critical role in cybersecurity, but “each team needs to own how it will respond and recover if it can’t access its own data,” Lee said. “Sometimes, that’s daunting for a team to hear, because they’ve never confronted this issue before.” It’s easy for teams to assume that IT owns everything related to data, because IT manages the technical aspects. “However, these data do not belong to IT — they belong to whatever team has obtained, created, and/or maintained them,” Lee said.


That ownership is important because it highlights which teams are accountable for defining alternative business processes in case a data store becomes inaccessible — as well as how each team will validate whether a data backup or recovery is truly complete. “You need to be able to confirm: Did you get it all back — 100% or 10%?” Lee said. By making cybersecurity an issue of enterprise risk, you can require functional teams to discuss business continuity issues for the data types that they own. You can also help them understand that they need to think of cybersecurity and incident response any time they talk about a business process involving data in the future.


“It elevates the conversation away from a technology discussion to a business discussion in a very productive way,” Lee said. “It’s like doing a tabletop exercise. The utility of those exercises isn’t to have executives in a room playing games — it’s to clarify who’s in charge of what, so that those roles are clear and you can work out the kinks before the truly bad day.”


“A lot of transportation and distribution companies haven’t done that introspection for years, and I think that’s probably at the heart of the concern,” Lee said.




Have the conversation


You can’t stop every possible issue, but you should be resilient to the issues that are most likely to affect your organization — so start by setting priorities. Business teams must work together to identify the most important data stores, define how to segment them and plan post-incident recovery — all aligned with your risk profile and cybersecurity program.



Understand your data


“The first thing to do is to enumerate those types of data that house the things you need in order to run your business,” Lee said. “More specifically, envision what the organization would do if those data were to be made public. Is that an existential threat to the organization, or is it a mere inconvenience? If you need to, could you go offline for 10 days and manage your business obligations via paperwork alone?”


A distribution company might have logistics information that is proprietary and could interfere with billing if it isn’t available, but those data might not substantially damage customer relationships or violate privacy laws if made public. The organization might have viable backups and be able to bounce back, ultimately losing only a few days of data, but that could take a week to accomplish. Consider what you would do in the meantime and how you would reassure auditors that your records are complete at the end of the period.


“A data inventory is the first step to making sure that you know what you need to run your business,” Lee said. In addition to the introspection of identifying those critical components, you also gain insight into the nature of how those critical data are stored — and secured.



Segment your data


Once you identify your most important data, it’s also important to segment those data from the other areas of your corporate network. That means storing data in a way that, if someone gains access to one data store, they don’t have access to other data stores.


Different types of data should have different levels of security, so they should live on different parts of the network. “To the extent that you can segment those more important data to more secure parts of the network, you’re going to be more resilient,” Lee said. “To the extent that you can segment the data backups from the main network so that the backups are not compromised even if the main network is, that’s another step in the maturity ladder.” Plus, of course, you should not acquire or store any data that you don’t truly need. If you cannot demonstrate the business rationale for having data, then you should not have the data at all.  This last point is becoming increasingly important as data privacy laws expand across the United States.


“Enterprise introspection starts with a risk assessment,” Lee said. But a risk assessment also needs to be informed by specific guidance. The assessment needs to include an articulation of the organization’s most critical day-to-day data, versus those things you need to close the books once a quarter, or once a year.

Headshot of Johnny Lee

“Design a resilience plan, knowing that someday someone’s going to make a mistake, there’s going to be a third-party vulnerability, your hosting provider is going to be unavailable or there will be a ransomware attack.”

Johnny Lee

Grant Thornton Risk Advisory Services Principal


“Then, design a resilience plan, knowing that someday someone's going to make a mistake, there's going to be a third-party vulnerability, your hosting provider is going to be unavailable or there will be a ransomware attack,” Lee said.



Plan your recovery


To plan your recovery, consider the timelines and requirements you need to meet. Defense contractors might face regulations that require near-constant availability, and it’s important to consider whether you are such an entity or serving one.


Some transportation and distribution companies might not be subject to such regulations, so they might feel like they have sufficient security — “but we shouldn’t conflate compliance with security,” Lee said.


To establish appropriate targets for security and recovery times, many transportation and distribution companies can benefit from considering a broader framework like the National Institute of Standards and Technology (NIST) Cybersecurity Framework. “The NIST framework is useful because it illustrates that this is a business discussion,” Lee said. Leaders can use the NIST framework to guide planning for how they identify risks and plan the company’s response and recovery.


“The framework can be helpful in the same way that elevating the conversation from an IT discussion to an enterprise risk discussion is helpful,” Lee said. “It gives you a structure that demonstrates the need for multidisciplinary teams to be involved. It requires a multidisciplinary team to answer the crucial questions related to business resilience.” The framework pushes teams to identify how they will work together to identify, protect, detect, respond and recover for cyberattacks or other data issues.


When you think about cybersecurity as an enterprise risk, think of the risk management maxim: What you cannot prevent, you must detect. Lee added an addendum to that: What you can neither prevent nor detect, you must insure. A framework can give organizations a reference point for cybersecurity insurance, if needed. “You can’t reasonably select adequate insurance until you quantify how hard it will be to come back from an incident that affects different types of enterprise data,” Lee said. That requires having conversations at an enterprise business level and understanding the recovery processes required.




Improve your planning


When a transportation or distribution company understands its data risks and defines its response plans, it can improve its planning for the future — and its maintenance over time.


“If you don’t need it, don’t collect it — and if you do need it, identify why and house it according to its risk profile,” Lee said. “These are easy things to say, but they’re really hard to enforce over time, because business models and core technologies change. You might have repositories that you’ve deprecated, but not necessarily taken completely offline.”


That’s why it can be important for business teams across transportation and distribution companies to collectively revisit their preparedness and response plans for cyberattacks regularly. “It’s that combination of resilience and responsiveness that you can only get through practice before the bad day,” Lee said.


These discussions can help the companies in this critical industry revise their risk planning and echo the priority of cybersecurity into the decisions that each team makes as they plan their paths ahead.



Content disclaimer

This Grant Thornton Advisors LLC content provides information and comments on current issues and developments. It is not a comprehensive analysis of the subject matter covered. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this content.

Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.

For additional information on topics covered in this content, contact a Grant Thornton Advisors LLC professional.


Our transportation featured industry insights