On the morning we sat down to write this, the National Crime Agency announced that it had arrested four individuals, between the ages of 17 and 20, in connection with the high-profile cyberattacks on Marks & Spencer, the Co-op and Harrods in April and May. The incidents were attributed to Scattered Spider, often described as a loose or semi-organised group of English-speaking teen and young adult hackers.
The same morning’s headlines included a report by Parliament’s Intelligence and Security Committee, warning that Iran posed as big a security risk to the UK as Russia and citing cyber attacks as a major weapon in its arsenal.
Those stories prove that, yes, hackers are teenagers in bedrooms, and yes, they are also nation states with serious resources and industrial-level operations. Both are threats, and any organisation thinking ‘that will never happen to me’ has its head well and truly in the sand.
In response to the flurry of media coverage – some of which suggested cars and vans could be remotely used for spying – the AFP issued a press release in May, instructing fleets to take a “proportionate response” to cybersecurity. Though hacking vehicles – stationary or moving – is technically possible, such stories are hyperbolic, not to mention that cars are not exactly the best espionage tools, and defence and security organisations will already have their own rules about who parks what and where. In short, there are much more ruinous digital threats to fleets than a teenage ninja Tesla bandit.
Phishing scams are among the most common threats, and typically comprise an email with a link which, when clicked, opens your digital door. ‘Smishing’, where victims receive bogus text messages, is another, and has been used overseas to con drivers into thinking they need to make a motorway toll payment. Emails from far-flung alleged relatives keen to transfer money are old news; today, phishing emails can be slick, AI-generated messages that may, even to the vigilant, genuinely look as though they were written by a colleague. The email address itself may only differ from an official one by a single character.
Cybersecurity training is now common and mock phishing emails are part of it. Specialists send them to the workforce, then contact employees who clicked the link – which will reveal it was a test – to improve their awareness of real attacks.
Fast reporting crucial
Fleetcheck’s chief technical officer, Neil Avent, explains how all the above applies to company car and van drivers: “Invariably it’s because they’re multitasking. They’re sat in their van talking to someone, an email comes through, it hasn’t got their full attention and they click on the link.
“Time is really of the essence. If something happens, you need to know quick, and you need to have the right culture in the business where they feel safe to say there was a problem. If, say, the driver’s phone gets hacked, and he’s like, ‘oh, I can’t tell them about this’, you’re in trouble. You want to have that culture within the business where, if anything’s a bit odd, they’re not chastised for bringing it up with their manager.”
A hush-hush policy around cybersecurity is a hindrance here, and as Avent points out, openness encourages employees to flag up anything fishy: “We tell the staff things happen from time to time. If they understand that there are phishing emails, there are problems, they don’t feel so bad reporting it. If they feel your company’s had an unblemished record for 10 years, they really don’t want to report it.”
Hackers frequently conduct supply chain cyberattacks, where their entry point is not the target organisation, but a third party with an interlinked IT system. This means a fleet could either be a stepping stone or exposed by a contractor with a weaker setup. Running an old operating system is a big weakness of this kind, and among the easiest footholds for cybercriminals.
Alistair Wesson, director at Mongoose Cyber Security, explains how a supplier breach can have both operational and reputational consequences: “There’s a huge amount of third-party integrations – things that need to talk to each other through APIs – and there’s customer data in there. If someone gets that person’s mobile number and address from a text message, then it’s not like a nation state trying to do something really bad, but having a data breach – even of someone’s name and address and phone number – is enough to get a GDPR slap in the face and make the company look bad.”
Wesson is a big believer in “basics done well” (see below ‘The fleet manager’s cybersecurity checklist’, informed by him, for details) and recommends giving drivers access to nothing more than the data they need to do the job to minimise exposure (Avent is also a staunch advocate of this) and providing them with dedicated company devices with mobile device management (MDM) software.
“That [means] you can mandate what they can and can’t do on it, and you can wipe it. If they go, ‘oh, I’ve lost my iPhone’, you can log onto the dashboard and just say, ‘see you later’, and it turns it into a brick.
“[Also], if you can avoid using a personal device for a work function, and go with complete segmentation, it makes things a whole lot better.”
We can hear some fleet managers pointing out how much they already have on their plates, and that cybersecurity should not fall to them. That is, in part, true, and those employed by large organisations with a chief technology officer (CTO) could easily make the case.
M&S, the Co-op and Harrods probably have (or had) CTOs when they were attacked, though, and if you would rather avoid an M&S-style £300m drop in share values, or you work for a smaller, less resourced firm, then better the devil you know. Even better the devil you keep locked out.
How a cyberattack killed a 158-year-old haulier in three months
Haulage company Knights of Old was founded in 1865 and based in Kettering, Northamptonshire. It was the UK’s 42nd biggest haulier in 2022, according to the Motor Transport Top 100, with a 450-strong fleet and 900 employees across the group, collectively known as KNP Logistics.
On 14 June 2023, the company discovered hackers had planted ransomware in its IT system, which “encrypted key operating systems so that we couldn’t function”, as Knights of Old’s former director, Paul Abbott, explains. “We lost our transport system, we lost our warehouse system, we lost our email, we lost our finance system. It was all frozen.”
The firm had recently bought an extensive cyber insurance policy and was able to “parachute in a team of experts” who found the file instructing Knights to get in touch to discuss a ransom. No figure was disclosed, but the insurer’s seasoned specialists expected a fee of between $2.7m and $5.8m, payable in Bitcoin.
The hackers were believed to be the Akira group – a Russian cybercriminal organisation active since March 2023 which, according to online reports, made $42m in its first nine months by attacking more than 250 companies.
Despite the disruption, Knights’ hands-on-deck approach and the insurer’s expertise meant the former’s operations were quickly up and running again, and the hackers did not receive a penny. However, the attack meant the company was unable to provide its bank with financial reports, which ultimately meant funding was cut off.
“Everything else was fine, but we just couldn’t provide the reporting,” explains Abbott, who has since set up shop as a consultant specialising in cybersecurity. “If we could have, even if it was bad news, like, ‘we’ve got a £2m drop here somewhere’, we could have managed, and the bank would’ve supported us. But if you can’t report, they’re not going to say, ‘here’s a couple of million quid to keep you going’.”
Knights of Old closed its doors on 26 September 2023, three months and 12 days after the ransomware attack, 158 years since it began trading and with the loss of 730 jobs. If you needed a reason to up your cybersecurity game, there it is.
The fleet manager’s cybersecurity checklist
The list below, ranked by difficulty, is in no way exhaustive, but it is a starting point for operators lacking in-house cybersecurity expertise. If any of this is beyond you (and if it is, that is completely forgivable), then skip straight to point 10 and do not be shy about asking for help.
Easy
1. Ensure all computers, mobile devices and vehicles have been updated and are running on the latest available operating systems.
2. Passwords should be at least 16 characters long, include letters, numbers, and symbols, and never be used for more than one account.
3. Enable two-factor authentication for all accounts.
4. Use a VPN where possible and favour mobile data over public Wi-Fi networks.
Harder
5. Educate staff. Phishing emails are the most common entry points for hackers, so explain what they are and how to spot them.
6. Rigorously back up servers and/or cloud storage systems.
7. Secure Wi-Fi networks.
8. Establish a strong firewall.
9. Set up mobile device management (MDM) for all drivers using company phones/tablets/laptops etc and avoid using personal equipment.
Just do it
10. Contact a cybersecurity specialist.