Dominic Weaver spoke to EY’s Isabelle Dumortier and Thijs Deweerdt about the evolution of these threats and the actions movers must take to mitigate them
Digitisation and data protection are an important part of the newly launched FAIM 2022 Standard. They were among the most-discussed topics at the 2022 FIDI Conference, at which incoming FIDI President Laura Ganon said she considers digital security one of the two biggest challenges facing the international moving industry.
During the conference, Thijs Deweerdt, senior manager and internal auditor at EY Consulting, held a workshop for Affiliates to discuss issues of cybersecurity – the protection of company software and data from ‘theft, loss and damage’ – which he says in the past decade has been the greatest emerging risk to businesses.
Deweerdt adds that, while many people imagine this as a threat coming purely from outside their organisation, paying attention to internal risk is just as important. This includes ensuring employees are aware of their own responsibilities with regards to protecting company data and ensuring there are procedures in place to help them do this. This requires both education and planning.
Employees can fall victim to ‘social engineering’ attacks, where they are deceived into revealing confidential information that could be used fraudulently. This includes ‘phishing’, where attackers pretend to be a business such as a bank or government organisation to steal data including login details or credit card numbers.
‘We’re seeing that these criminals are getting more and more professional,’ says Deweerdt. ‘Whereas 20 years ago, it was just individuals trying to hack something, now it’s criminal organisations, who are getting better and smarter, so this is really something to watch out for.’
Most cyber attacks are focused on making money, using malware or ransomware to destroy, block or gain unauthorised access to data. High-profile recent cases, such as last year’s customer data leak at French container transportation and shipping company CMA CGM, demonstrate the potential for these attacks to damage both finances and reputation.
‘If you are a data-sensitive organisation such as the moving industry, which can hold a lot of private data on its clients, something like ransomware is a real threat,’ says Deweerdt.
Phishing strategies have become more sophisticated, moving from general, often poorly worded and presented, emails and other messages, to more well-targeted approaches. Accordingly, the data security lexicon is expanding, with new terms such as ‘spear phishing’, where criminals use already-known data such as their targets’ names and interests; or ‘whale phishing’, where they target high-level employees such as CFOs or CEOs, with well-researched impersonations to gain access to information or money.
The issue has reached such a point that movers who have not yet taken action are advised to do so as a matter of urgency. With a critical mass of business now carried out online, protecting your transactions within this space is essential, says Deweerdt.
‘There are more than 20 billion devices connected to the internet already, so digital transformation is already here. In the past, when everything was on paper, you didn’t need that much protection – just a good lock and key for the door.
‘If you start digitising and you don’t pay attention to protecting the data, you’ll have a lot of problems and eventually you’ll go out of business,’ says Deweerdt, ‘If not for financial reasons, then operationally because you can’t work properly; or it will be due to reputation, if your clients or other organisations in your supply chain know you’re not data protection savvy.’
The pandemic speeded up the process of companies using digital information by several degrees, so the imperative to protect data is far stronger today than it was three years ago.
A balanced approach
Deweerdt adds that movers must strike a balance between using expert third parties and their own in-house approach to data security.
‘Some Affiliates outsource their data security and then think “OK, we don’t need to do anything else”, but you should make sure by performing certain checks yourself. You can have the Ferrari of data protection but if your employees don’t know how to work with it, there can still be a big threat.’
Training employees should include making them understand how important cybersecurity is, adds Isabelle Dumortier, Belgium Consulting Executive Director at EY. ‘A business can have a cybersecurity team but people don’t always understand the language they’re speaking,’ she says. ‘It can be hard for people to understand and be aware of what data security is. So, we need to make the invisible visible for them.’
It’s also important for business to grasp the fact that, however strong their data security precautions, there will always be some risk. ‘You will never have the perfect system that can block everything,’ says Deweerdt. ‘Instead, it’s about creating awareness and, with something like phishing, making sure your employees know about this and the techniques the criminals use.’
Concrete action
Protecting against big risks doesn’t have to be expensive, adds Deweerdt. Companies need to assess their tech for security and to identify those business-critical areas that should be prioritised.
‘You then need to take concrete actions,’ he says, ‘making sure everything, such as your operating system software, is properly updated’. This ‘patch management’ is essential to make sure IT systems are as strong as they can be against new computer viruses, for example. Managing user access – who can and can’t get into specific parts of your systems – should also be a focus, attending to aspects such as ‘two-factor’ authentication, in particular for staff working from home.
Having the right monitoring processes in place will ensure that you know if things do go wrong – and can take the right mitigative actions, too.
‘If something goes wrong, make sure you have an incident-response plan,’ says Deweerdt. ‘This includes who needs to do what, who needs to be informed, and how we make sure that [in the event a data breach has stopped business] we can start again in a short amount of time.’ Backing up data in real time is a crucial part of this planning, he adds.
An incident plan should also include international and external communications, says Dumortier. ‘Reputation management is a big thing. You need to make sure that within the company you communicate on what can be communicated with the outside world about what has happened, and that there is a clear understanding of how the company is going to respond.’
Certainly, now the demand for transparency within businesses and across supply chains is at an all-time high, ignoring a data breach – or worse, actively hiding it from clients – is unacceptable. Nor is not having a proactive plan for dealing with a digital crisis.
GLOSSARY
Malware: Software that is designed to disrupt, damage, or gain unauthorised access to a computer system
Patch management: The process of applying updates to software to keep it protected from cyber attacks
Phishing: The fraudulent practice of sending emails pretending to be from reputable companies to get individuals to reveal personal information
Ransomware: Malicious software designed to block access to a computer system until a sum of money is paid
Social engineering: The use of deception to get individuals to reveal confidential or personal information that may be used for fraudulent purposes, such as passwords and credit card numbers.
