When Werner Enterprises workers saw a video of CEO Derek Leathers apparently announcing an end to all employee vacations, responses ranged from “this is crazy” to “I’m leaving.”
But the company created the ruse using a software tool and previous footage of Leathers. Werner was prompted by growing concerns a year and a half ago that a real cyberattack could mislead workers.
The company informed staff at an all-hands meeting 90 minutes after the broadcast occurred that it was fake, EVP and CIO Daragh Mahon said last week at the National Motor Freight Traffic Association Cybersecurity Conference in Cleveland.
“The idea of saying that he was removing all vacation and PTO effectively would be so ridiculous, people would pause,” he said. Some people realized the broadcast was fabricated, but most people thought it was a joke, Mahon said.
With outside parties able to replicate a CEO’s voice on a phone call or produce seemingly credible videos of personnel, the Nebraska-based carrier wanted to prevent staff from being misled.
“It's crazy that people at that level of an organization wouldn't pick up a phone or wouldn't walk into the boss's office and say, ‘Hey, did you really tell me to pay that $5 million bill like now?’ And it's happened,” Mahon said.
The average cost of a data breach in 2024 for the transportation industry was $4.3 million, according to a report by IBM. And many incidents involve a third-party vendor, said Carrie Yang, a cyber practice SVP at the insurance broker and risk adviser Marsh.
Sharing solutions
Tech leaders gathered for the three-day conference, which NMFTA Chief Operating Officer Joe Ohr said aimed to communicate about cybersecurity experiences and strategies, rather than scare attendees.
“Getting hacked happens to everybody. It shouldn't be seen as embarrassing,” he said. “So this conference is about sharing the story.”
Often times, issues can recur and solutions are not implemented unless a company is hacked, audited, sued or bought themselves, conference speaker Drew Blandford-Williams, head of cybersecurity at Condition Zebra (US).
“We will not learn until it happens to us,” Blandford-Williams said.
Preventing problems
At Werner, cybersecurity training is part of driver safety training, and with 95% of corporate cybersecurity attacks stemming from email last year, Mahon feels that method of communication is no longer needed anymore.
“I feel like that's an area that keeps me awake at night — because all it takes is one email to get through all your defenses and one person to click on it,” he said. “So we have to figure out a way to limit the use of email.”
Email phishing scams have become more sophisticated, swapping Cyrillic alphabet characters with similar looking English characters, which can lead people to click on a link that they shouldn’t, noted Steve Hankel, VP of IT at Fresno, California-headquartered Johanson Transportation Service.
Another attack vector, ransomware, can infiltrate firms’ systems and corrupt files, with attackers demanding payment to get access restored to a company’s data. While the FBI advises against making payments, nearly half of victims pay to get some data back, Blandford-Williams said.
Groups are also attacking the same victim multiple times, even after saying a payment would resolve the issue, conference keynote speaker Stephen Viña said.
Preparing plans
Viña, assistant national cyber director for legislative affairs with the White House’s Office of the National Cyber Director, noted several strategies for cybersecurity efforts, such as:
- Adhering to and sharing best practices, including multi-factor authentication
- Leveraging free resources, including tools from the Cybersecurity and Infrastructure Security Agency
- Building response plans and relationships with federal partners before an attack occurs
“You never want the first time that you're talking to the FBI, CISA or these federal agencies to be during a crisis,” he said.
