Security awareness training: A business-critical function for the logistics and transportation industries

June 25, 2021

Maintaining security awareness is something that many companies struggle to maintain, particularly in the logistics and transportation sectors. Even though cybercrime and other risks pose a major threat to these industries, awareness of threats like phishing attempts and ransomware remains low.

As a critical infrastructure sector, the transportation sector is a critical component in the supply chain and a vital component of the economy. A security event that affects this sector’s operations would also impact every organization that relies on transportation and logistics to operate.

The 2020 Phishing Benchmark Global report revealed that the transportation sector is woefully underprepared to combat modern phishing threats, with the sector having an above-average phishing email click rate of 24.7%. The transportation sector also had the second-highest number of phishing web-form completion rates, with 17.5% of users submitting their password to a phishing website.

Employees also admit they are unsure about how to stay safe online, with approximately 55% of logistics employees feeling ill-equipped to identify or handle a significant cyber-attack.

The data shows that the ability to recognize threats remains poor among employees in the transportation sector, suggesting that stronger security awareness training is needed to bring employees up to speed on the latest threats. Below, we’ll examine the most significant security challenges facing the logistics sector and how to leverage training opportunities.

The challenge: Training remote employees on cybersecurity best practices

One of the main reasons for the low level of cybersecurity awareness toward phishing threats is that logistics and transportation companies have a high reliance on contractors or remote workers focused on maintaining operations and are distributed across multiple locations.

Managing a large and distributed workforce makes it difficult to ensure that employees and contractors follow security awareness activities and apply proper cybersecurity procedures at any location and every time. IT security departments also have little control over employees’ training activities when the primary goals are to maintain business operations with minimal interruptions. For example, it’s difficult for a shipping company to train and verify that remote workers follow essential cybersecurity best practices like using a VPN to encrypt traffic or verify emails before they click for malicious links.

Training such users can also be a challenge since employees and contractors aren’t necessarily at their desks all the time. Less time at their desks means less time to complete training materials. For most shipping companies, the solution is about developing a lean security awareness program that provides unique support for CISOs, IT security leaders and users to enhance overall organizational awareness.

The solution: Increasing security awareness

There are several things that Chief Information Security Officers (CISOs), Chief Security Officers (CSO) and other security leaders can do to increase security awareness among a distributed workforce:

Identify high-risk employees.

Identify high-risk employees to pinpoint users who are vulnerable to cyber-attacks so that you can provide them with relevant training, educational materials, and phishing simulations to educate them about new threats and assess their overall knowledge of online threats.

Remind employees to select strong passwords.

Issue employees and contractors with regular reminders to select strong passwords and encourage them to protect their devices from hackers trying to steal their data. Include tips as part of a regular reminder email to ensure employees know what makes a strong password.

Create BYOD policies and support them with online training sessions.

Define clear BYOD policies to let employees know what security measures they need to follow to protect their devices when using them for work. To compliment your BYOD policy, you can provide training sessions detailing how to protect mobile devices and laptops from cyber criminals.

Use online training sessions.

Provide access to online training resources such as courses, tutorials, videos, or virtual instructor-led training, to educate employees on cyberthreats and remote working best practices.

Send out regular communication.

Produce regular email newsletters on the latest phishing and social engineering threats to keep cyberthreats top of mind for employees and increase the likelihood of detecting actual cyberattacks.

Limit network access.

Restrict network access to users who have completed security awareness training and demonstrated a strong awareness of online threats. Preventing users from accessing your network or susceptible systems until they have completed security awareness training will lower the chance of problematic behavior leading to a data breach.

While the logistics and transportation industries may have limited cybersecurity resources, security awareness training can transform the industry. Providing accessible training materials and phishing simulations to users will ensure they know how to protect their own devices and fend off modern cyber criminals whenever they confront them.

Theo Zafirakos is Chief Information Security Officer (CISO) at Terranova Security.

In this webinar, we are going to explore all the different cloud models used in video surveillance and cloud access control solutions. We will also discuss the rising trend of “Security as a service” and how this can impact the future of security buying, maintenance, and relationships between security providers and clients.

With the advent of Internet of Things (IoT) technology and Industrial Internet of Things (IIoT), the cyber security practices are increasingly getting integrated with the physical security practices.