
November 6, 2025 40 mins
Cybersecurity is no longer a side issue for supply chains.

As global logistics becomes more connected and digitally dependent, protecting data and operations from cyber threats has become mission critical.

In this episode, Ellen Wood sits down with Caleb Mattingly, CEO of Secure Cloud Innovations, to unpack the evolving risks facing logistics networks. From compliance pressures to insider threats and even the vulnerabilities hidden in everyday devices, Caleb shares what leaders need to know to keep their supply chains resilient in an era of constant digital risk.

In this episode:
  • Why logistics is becoming a prime target for cyber attacks
  • The role of compliance frameworks and insurance in building resilience
  • How companies can protect data while expanding automation and connectivity

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
The companies that you're selling to are going to want

(00:01):
to see that whatever way you've enacted AI is
not going to put their data at risk. That's really
important because nowadays data is almost as valuable, if not
more valuable, than the actual products that we sell to people,
and that has a lot of implications. And so how
do you show and prove to people that you are secure
and that you're handling it securely.

Speaker 2 (00:21):
That's an interesting assertion that the data that we handle
could be more valuable than the actual products that we're producing, shipping, transporting,
and selling. I'm absolutely flummoxed by that. Hello, and
welcome to Speaking of Supply Chain, where we explore trends,

(00:42):
current events, and innovations impacting the logistics and supply chain industries.
I'm your host, Ellen Wood. Today we'll dive into one
of the most critical issues shaping modern supply chains, cybersecurity.
With global logistics becoming more interconnected and digitally dependent, protecting
data, ops, and infrastructure from cyber threats is no longer optional.

(01:04):
It's mission critical. Joining us is the CEO of Secure
Cloud Innovations, Caleb Mattingly, who's going to share his insights
on evolving risks, compliance pressures, and strategies to build resilience
in supply chain and logistics networks. Welcome Caleb.

Speaker 1 (01:20):
Yeah, thanks, Ellen. Really excited to be on the show today.

Speaker 2 (01:23):
I'm excited to get to our conversation because I don't
know of anyone who hasn't experienced some sort of hiccup
or disruption with cybersecurity. So I'm sure that there is
going to be something for everyone in this conversation. But
before we get started, let's get to know you a
little bit better. So our ice breaker for today is
what is the worst style or fashion trend you ever embraced?

Speaker 1 (01:49):
It's a good and fairly weighted question here, But in
high school, actually I embraced the whole fancy for Friday
trend that kind of was going around. I don't know
where I saw, probably on like Instagram or something at
the time, but ended up dressing suit just about every

(02:09):
Friday of my junior and senior years.

Speaker 2 (02:13):
Oh my goodness. And how did that work out for
your social standing in high school? Because high school can
be a cruel place.

Speaker 1 (02:20):
Well, let's just say I didn't get any additional dates
from doing that.

Speaker 2 (02:26):
Did anyone accuse you of like being part of the
debate team or going on a job interview or anything
like that.

Speaker 1 (02:32):
No, I went to a pretty country esque school, so
there was no debate team, and all future farmers of
America knew that I was not part of it.

Speaker 2 (02:43):
So yeah, gotcha. Well, you know, those jackets are very distinguishable,
so like you would know if you saw the future
farmers walking around in their jackets. It's not just regular
formal wear. We have something similar. We do workwear
Wednesdays here at the office where most of the time
we're pretty casual, but on Wednesdays we all get dressed

(03:03):
up and it's just the most random thing in the
middle of the week. I would say the worst fashion style. Now,
I'm a child of the eighties, so I had like
the crazy bangs in high school, the permed hair, all
of those. I think though, the craziest one that I
did was for a while I really enjoyed. I want

(03:25):
to say it was in junior high. Junior high's a
terrible time for kids. It's just the worst period of
anyone's life. No one, I think has a great time
in junior high. But I was trying some different fashions
then, and it was it was in the early nineties,
and I want to say that dressing in men's clothes,
like men's shirts and like a mini skirt and like

(03:47):
that fashion. I really took to that one, and I
don't know why it was. It was really bad. Oh goodness,
you know what. I'm I'm glad that those days are over.
I don't think anyone could pay me enough money to
go back to junior high or high school and have
to deal with other people judging you on your appearance

(04:08):
like that. It's just it's crazy, crazy, crazy.

Speaker 1 (04:15):
That's true. Totally agree.

Speaker 2 (04:16):
So the crazy thing we're talking about today though, is cybersecurity,
and it feels like not a day goes by when
we don't hear of something else in the news, some
other breach, some other data leak. And so, in your view,
what are some of the biggest risks facing our industry

(04:37):
so that the supply chain logistics, you know, what risks
are we facing today and what's different from even something
I can't believe COVID was five years ago, but even
something since COVID that we've had to, you know, change
and adapt the way that we approach cybersecurity.

Speaker 1 (04:56):
Yeah, a great question. You know, logistics is always seen
as kind of a separate business entity than operations and
other pieces of businesses, right, but functionally from a cybersecurity standpoint,
there can be just as many risks in logistics as
in any other part of the business. And I think

(05:19):
one of the biggest overlooked pieces of that, especially by
people that end up being in cybersecurity within like information
technology as opposed to operational technology. And I can speak
to the difference there, but is lack of connectivity. So
I was actually just talking with a friend of mine.

(05:39):
He's part of a full service solution for a logistics
company or biologistics company, and what they ended up doing
is they created a satellite based tracking system for shipments
and specifically identifying when those cargo containers were opened or closed.
So this was crazy because I had no idea about

(06:02):
this until talking with him. But apparently people will wait
until tractor trailers are out in the middle of like
the desert, right, and then they will go and essentially
like break into the tractor trailer that's on this highway
when it loses connection with the internet or like with
cellular service networks, and then steal whatever's in there. I

(06:25):
think that happened with like a lot of PlayStations actually
recently PlayStation fives and and so in doing so, like
when they lose internet connection and they lose like cell service,
the driver can't call for help, right, can't call law
enforcement for help, and it creates a window of opportunity.
And people think like cybersecurity is very focused on just

(06:46):
like being on a computer and typing on a keyboard
and somebody screaming on I'm here, you know, But like
the reality is that it also deals with these situations
that are in the physical world right where connectivity and
interconnectivity is so important for securing a variety of things,
and in this case it's transportation vehicles and what they

(07:06):
are transporting. And so what I've I've found very interesting
is a lot of companies haven't been thinking about that
as much, and especially within the logistics space and specifically
around stealing and that happens across the board, right, Like
in IT we call insider threat, right, you have like
insider trading that occurs, or you have someone that goes

(07:28):
in and maliciously makes changes to your application or your
infrastructure and stuff. Well, in logistics it ends up being
something very similar where you could have an insider threat
of someone that is acting nefariously right or acting as
a as a bad actor and not a bad actor
like how Nicholas Cage gets his reputation stuff, but like

(07:49):
a bad actors and someone is doing something that and
they they go in and and and they find where
is the hole, like where is the point where uh
they're there is no connectivity or where's the point where
we can take something and no one finds out right?
Or input change inputs in the in the database, right,
so that instead of showing one hundred and one in

(08:11):
this case PlayStations there's only one hundred that are in
the box, and so I get to steal this one
and no one knows, right Like that that's a significant
part of logistics and just retail in general, right of
a bad data input or people acting and putting in
false information.

Speaker 2 (08:30):
So well, and you mentioned something about the difference between
information technology and operational technology. Do you want to expound
on that a little bit?

Speaker 1 (08:41):
Yeah, So information technology typically deals with you know, your computers,
your servers. It's the things that harness and have information,
whereas operational technology is as you would probably imply, stuff
that is being operated or like in the physical world,
is in operation. So example of this is actually your

(09:02):
HVAC system. So your HVAC system is an operational technology
that crazy enough, could be hacked. And there's a ton
of examples, and I think one of the most famous
and kind of funniest examples, although it still has weight,
is a casino that was hacked because someone broke into

(09:23):
the fish tank monitor that was connected to the Internet
and was able to steal millions of dollars through that spot.
So yeah, that'll probably be the best example of an
operational technology being taken advantage of.

Speaker 2 (09:41):
Well, and you know, we laugh because that sounds so
absurd to use the fish tank monitor in order to
enable the theft of millions of dollars. It sounds like
some sort of you know, crazy story that would be
the next Ocean's Eleven. But you know, when you think
about all of the different operational technologies that facilities have

(10:06):
within their production, within their their warehousing and distribution networks,
you know that's a significant amount of risk and you know,
potential for an in if someone wanted to do something nefarious,
if someone wanted to disrupt their business. So why do
you think supply chain or logistics is of interest to

(10:32):
any of these individuals. Are they doing it for that
personal gain of you know, perhaps you know, stealing product,
or are they doing it to try to disrupt individual businesses?
What types of things do you see?

Speaker 1 (10:47):
Yeah, that's a good question, and I think it depends
on the reason behind the attack, and I know that
kind of is what your question is. However, as an example,
right a couple of years ago, actually when when the
whole political situation with Israel and Palestine started taking off,
there's actually a brewer that was utilizing some brewing equipment

(11:13):
that was Internet connected and was associated with an Israeli company,
and the hackers actually attacked that that equipment turned off
all the taps in the brewery because of that, and
and then essentially when people logged in, they would see
stuff that was very anti Israel on on the on
the on the pieces that they're hacking into, and so

(11:37):
very interesting because that was politically motivated, right to be
able to say like, we just are anti this, and
and that's that's that. Whereas you have other people that
are breaking into things to potentially like steal company information.
I mean, I'm sure that there are people out there
that are trying to get you know, Coca Cola's secret
ingredient or pepsizing, you know, see and everything, and those

(12:02):
people are trying to do it for an entirely different
reason than the group that was that was hacking this brewery, right,
So it really depends on the attacking group or person
uh in a lot of those cases. But with logistics
in particular, I think one of the reasons why it
ends up being such a big target for cyber security

(12:24):
or cyber attackers is because of the fact that logistics
is very often overlooked and your supply chain specific overlooked,
and and more recently it's it's coming to light that like,
we can't be doing that, but your supply chain also
consists of all the vendors that are in that in
that list, right, Like uh, Target actually a few several

(12:45):
years ago had a huge hack that occurred, and it
ended up being that one of the contractors that they
were using actually was the one that brought the virus
and brought brought like all of that exploit into their
their network and their system. It wasn't a Target employee.
Target had like really good practices in place or decent
practices in place. I guess if they were really good,

(13:06):
it wouldn't have happened, right, But there was an oversight
right on the full supply chain implications of we're using
these vendors. They don't have to go through any kind
of rigorous security process, so we just accept what they
say that they're doing and that's that. And that ended
up being kind of an advent for why we have

(13:27):
so many frameworks now that that state requirements that you
have to meet in order to do business with enterprises
like Target or Walmart or you know, Fortune 500 companies.

Speaker 2 (13:38):
That really leads into my next question endpoint, and that's
you know, what are what are some of those regulations
that are being enacted and what are some of those
guide posts that are being set in order to say, okay,
you need to be checking upstream and downstream with your
suppliers and your vendors and understanding what their security measures are.

(14:00):
Is anything changing from that legal perspective where there is
at least maybe a shift in accountability.

Speaker 1 (14:11):
The International Standards Organization or ISO publishes a ton of
different frameworks. We could say the most common that we
deal with is 27001, and that
deals with information security management systems. But they have a
ton and I'm sure that organizations that are out there
that do consumer products and stuff are building consumer products

(14:36):
deal with a lot of the QA, ISO, CERTI or standards,
but there are several that actually pertain to using information
security systems or information management systems and then also AI.
So there's a new one that actually came out recently
called ISO 42001, and that deals
with your AI system, and that one's going to become

(14:58):
a lot more prominent now because most people don't know
how to secure AI. And I think from logistics companies
and other companies involved in supply chain all the way
to your traditional IT companies, everybody's kind of figuring out
how do we utilize AI and our processes right to
make things more efficient, to stop having so many bottlenecks

(15:22):
in the process of creating either documentation or responses or
whatever it is right or processing documentation UH. And so
as we continue to move and progress in implementing AI
across the business functions, I think that that specific standard
is going to become more and more prominent across all

(15:45):
of the different types of companies and sectors within business
that we that we see on a day to day,
especially in the supply chain, because your your vendors that
you're the companies that you're selling to, right like as
a as a vendor in logistic the companies that you're
selling to are going to want to see that whatever
way you've enacted AI is not going to put their

(16:06):
data at risk, right And that that's really important because
nowadays data is almost as valuable, if not more valuable
than the actual products that we sell to people, and
that has a lot of implications. And so how do
you show and prove to people that you are secure
and that you're handling it securely.

Speaker 2 (16:25):
That's an interesting assertion that the data that we handle
could be more valuable than the actual products that we're producing, shipping,
transporting and selling in stores. What I'm absolutely flummoxed

(16:46):
by that. So what kind of data are they typically
looking for in order to try to cause a disruption
when you find those cases?

Speaker 1 (16:57):
I mean, it could it could really be a variety
of things, and sure it could be anything military esque data,
you know, like knowing that, hey, we don't know exactly
where this plane is flying that holds this important person,
but we do know that this airport was shut down
for this period of time. We know that this airport
was shut down for this period of time, and we

(17:17):
know that a flight you know, came in and left
for those two airports. Like that data can be crucial
critical to someone in like a military perspective, but from
from more of a commercial space or commercial side perspective,
you know, like the data of how much your contracts
are worth can be very important, right, Like someone knows
how much you're bidding, that they can essentially underbid you,

(17:41):
and that can be very heavy, heavy consequences if someone
gets gets access to your financial data. But yeah, there's
a lot of there's a lot of different types of
data and and ways that they could correlate between different
data points to draw conclusions that you know, maybe you
don't have that directly in your spreadsheet, but by taking

(18:04):
two different spreadsheets and analyzing them together and seeing the overlaps,
you can draw necessary conclusions to get data that you
wouldn't otherwise have.

Speaker 2 (18:12):
So yeah, I'm sorry I laughed at that when you
said it, but my immediate thought was one of the
end scenes of A Few Good Men where they're trying
to prove that a flight took place and they have
these log books and they can't prove it. It's a
misdirection in the end. But you know, to that point,
there's all kinds of information that we now have digitized

(18:36):
that you know, we have even in the past, you know,
fifty years, we haven't had this volume of data just
available for someone to access. It's all been you know,
much more siloed, much more protected, you know, when things
are not connected to the internet, and now everything is
connected to the Internet, and so therefore the data can

(18:58):
be accessed if someone is diligent enough or tenacious enough
to keep trying to find to find a way in.

Speaker 1 (19:08):
Well. I can also say something else that's very interesting
about in twenty nineteen, I worked with an industrial control
system cybersecurity company and we were looking for ways to
try to get data like that, right, like how do
you how do you how do how would an attacker
come up with these things? Like you've got to kind
of think like the attacker in order to you know,
defend against this. And one of the things that we

(19:31):
came up with is temperature fluctuations in a room when
someone walks in, so like you actually get a slight
temperature fluctuation when someone comes in or leaves a room, right,
so like based on that you can actually identify how
many people are in the room versus not in the
room and things like that. It was very interesting. But
there's a lot of implications when you start taking a

(19:53):
ton of data points, right, and you aggregate them together
and you can see where they overlap, like I was saying,
and then you can draw conclusions that you wouldn't necessarily
have had.

Speaker 2 (20:03):
So when there is a cyber breach and it affects
something in the supply chain, whether it's a supplier or
a vendor carrier, when it goes through the entire supply
chain and affects those multiple organizations like you were mentioning
with the Target and it was just a contractor that

(20:24):
they were using. What strategies help companies build the resilience
against those types of disruptions. Is it just a matter
of having more policies in place to say, hey, you know,
you have to be able to demonstrate your security measures
and at least you know, have everybody's t's dotted and
i's crossed so that you know everybody has their own

(20:48):
scope of responsibility. Or is more interaction and more collaboration
needed between individuals or companies or groups within those chains
in order to make this a robust solution that's going
to truly protect the data.

Speaker 1 (21:06):
I typically tell companies kind of tongue in cheek that
a lot of the compliance frameworks end up being sort
of like pyramid scheme in the sense that when you
when you first take on like SOC 2 or ISO whatever,
a lot of times the advice that's given, and it's
not a mandated requirement, but it's pretty heavily advised, is

(21:28):
to have all of your vendors then become compliant or
only do business with vendors that are compliant with SOC 2
or go and such. And while it is somewhat
of a joke, uh and and and people typically laugh
and stuff when when I bring that up, it's not
a bad practice in and of itself because it sets

(21:49):
a baseline for who you're doing business with and how
they're handling data. And can they lie about it? Yes,
anybody can lie about like what they're doing. And you know,
from a business standpoint, you know vendors lie all the
time and say like, hey, we do this thing, and
then they don't write or it's on the roadmap and
it's not on the roadmap. But the reality is that
you need something that someone signs off on and says

(22:10):
baseline wise, we have this in place, and this is good.
What we have found in doing business with organizations is
they need something. And on top of having this like
framework in place, you have to have cybersecurity insurance nowadays.

(22:30):
Like you have to. It doesn't matter what business you're in.
It doesn't matter what kind of business you're in. Cybersecurity
insurance is mandatory. If you have anything that touches the Internet,
including a fish tank, you need cybersecurity insurance in order
you do you do, I mean it's true, in order
to do that, and a lot of people overlook that.
You know, heck, a lot of businesses overlook general liability insurance,

(22:53):
and please don't do that. If you're listening to this
right now, please make sure you have general liability insurance,
but also make sure that you have cybersecurity insurance because that's
that can make or break your business. You know, like that,
it's so important. And I think also just a tidbit
as like somebody that works with a lot of different

(23:13):
types of companies and specifically companies that are sometimes outside
the norm of who you would think needs cybersecurity. Make
sure that you have back like, make sure you have
backup a data data backups. When we were just talking
right like about your data can be almost more important,
potentially than even the products that you're pushing. Make sure

(23:35):
you have backups of that data.

Speaker 2 (23:37):
So absolutely absolutely, So you were talking about certifications, we're
talking about insurance. How do businesses make the business case
for these investments in logistics and supply chain, which, as
you've already said, is often overlooked. So what does it
take in order to get these stakeholders aligned and bought

(24:01):
in to the idea that this information or or you know,
this aspect of their business is open to threat.

Speaker 1 (24:11):
Like, how do you make someone aware that they are
exposed in some manner?

Speaker 2 (24:15):
Yeah? What what is it that helps change their mind?
What is it that opens their eyes to understand what
the risk is, what the what the mitigation is if
a risk goes unprotected and there is a breach, you know,
balancing those costs of yes, it's going to cost money
to have cyber security insurance. Yes, it's going to cost

(24:38):
money to go through the process of being certified in
this or that or the you know the other standard.
Why should they do that when they're looking at it
and saying it's you know, it's just easier to write
off that truckload of product. It's not that big a
deal in the scheme of things. That's you know, a
handful of product compared to their larger portfolio.

Speaker 1 (25:00):
That's a good question. And another good question. You've had
a lot of good questions, Ellen, I think there's a
couple of different questions actually embedded in that.

Speaker 2 (25:14):
Yeah, there was. That was a whole little monologue, is.

Speaker 1 (25:17):
The last one. First, I would not advocate for spending
more money on a solution to deter a problem, like
a risk, than the risk itself would incur if it
is realized. So and in cybersecurity and anytime, like you're

(25:43):
looking at risk, you need to do a cost analysis, right,
like if this, if this risk is realized, what is
what is the problem? And like if it's hey, once
a year we lose a whole shipment's worth of whatever
it is that we're pushing because of theft or because
of something cybersecurity related. But then and that shipment is
worth I don't know, let's just say two hundred thousand dollars, right,

(26:08):
But if I'm going to pay insurance. It's going to
cost me three hundred thousand dollars a year in order
to have the insurance, then it doesn't make sense, right
like that, that doesn't make sense to have. That's that's
a very It's a tough way of looking at it,
because you know, to an extent, you want to have insurance, right,

(26:28):
you want to have like these these things in place,
these deterrences, but at the same time, you don't want
to spend more for them than if if you actually
have the risk occur, so the attack occur, the problem occurs.
So that that's I think that was the final question
that you asked is how how do they you know,
determine that And in regards to the rest of it,

(26:52):
how do you get buy in right? Like, how do
you get buy in on on this? Let's just say
that it's you know, fifty thousand dollars for the insurance
for the year. I have. I have no idea what
anybody generally speaking cybersecurity insurance would.

Speaker 2 (27:03):
We It will truly depend on what their business does
and how big the risks are. I mean, the insurance
adjusters know how to you know, tweak their own numbers.

Speaker 1 (27:13):
I'm throwing out numbers that are way bigger than what
we pay, and so it's like, but just for the
sake of argument, you know, and let's just say it's
fifty thousand, and for them to lose a shipment of
worth of supplies or product in the year would be
still about two hundred thousand dollars. Well, I think at
that point it's pretty easy to get buy in because

(27:34):
you have numbers there. I think generally speaking, businesses and
business leaders are willing to put forth the effort and
to show actually I would I would go so far
as to say in logistics and in supply chain, it's
a lot easier to get buy in than in most
other organizations when you have a software product. When you
have a software product and you're trying to pitch like, hey,

(27:56):
we need to have this new security tool in place
because X, Y and Z could happen, you're kind of
guessing as to how much fallout is going to be there, right,
how much like the monetary impact at risk being realized?
Whereas in logistics and especially in more consumer goods types
of industries, you have a direct like one hundred percent,

(28:20):
we know how much this stuff was worth and how
it was how much it was going to sell for.
You're able to like outline, like, hey, this is how
much a cost to make it. This is how much
we were going to sell for. This is how much
we would have made h and now we've lost all
of that. And and here's here's the the way that
we would fix the problem, right, and this is how

(28:40):
much costs. This is how much this cost. And if
it's higher or lower, you can make your decision based
off of that. But going to someone and showing them like, hey,
you know, if we get this compliance framework in place,
Target will do business with us. And that's an additional
two million dollars a year that we get and to
get it in place is going to cost us, I
don't know, fifty grand or one hundred grand a year.
It's obvious that someone's going to go forward with that, right,

(29:02):
you know, spend one hundred grand in there, Yeah dollars.

Speaker 2 (29:04):
Right, yeah, that's a no brainer.

Speaker 1 (29:06):
Exactly exactly. And that's one of the best parts about
working in logistics and supply chain is that you were
able to show oftentimes, not every time, and I'm not
going to make a broad sweeping, you know, generalization, but
oftentimes you're able to show a direct business impact and
direct monetary impact on the business for the risk itself

(29:29):
and the term so and I know you.

Speaker 2 (29:32):
Were talking about AI earlier and which is a whole
other topic in and of itself, but one thing that
we tend to see a lot of happening in facilities
now is greater automation. I was talking about it just
a couple of weeks ago on the podcast with someone else,
and we were talking about, you know, labor and how
you know, robotics is taking over a lot of just

(29:56):
function in a lot of these warehouses and a lot
of the production facilities, just because labor is so hard
to come by, there are people who don't want these jobs.
So we now have machines doing these and these machines
are connected, They're connected to a computer that's telling them
what to do, and that is yet another risk. So
as companies are increasing automation, increasing their reliance on you know,

(30:21):
computer run programs, whether it's a robot, whether it's you know,
their WMS or their ERP system, you know, all of
that data is being passed back and forth between multiple
systems all throughout the hours of the day. What other
threats should they be looking for in order to make

(30:43):
that that threat assessment, that risk assessment, in order to
you know, justify the cost or even understand what the
risk is.

Speaker 1 (30:51):
In those cases where you have, you know, your business
network which has all of your IT stuff on it,
and then more operational network will call with all the
OT on it, there needs to be very clear lines
between the two. That's incredibly important. You know those robots,
the computers that those are hooked up to, and and

(31:13):
that whole network should not be able to directly talk
to your business network with all the finances and all
of that. That's never that's a no no, right.

Speaker 2 (31:24):
And then some silos are good, some.

Speaker 1 (31:27):
Are good, And in the defense world there's a lot
of air gapping that happens, and I believe that that
happens in some cases in like the manufacturing world as well,
where you're completely siloed from the Internet and you have
to essentially bring things from one place onto that network,
like from one network to another network, right and and

(31:50):
keeping completely logically separated. When you have either of those
two cases, whatever touches your operational network needs to be
following some kind of standard, and in that case it's
typically around your contractors that you need to be very cautious, right,
and you know, one of one of the things that

(32:12):
is really interesting and I've I've thought about a lot
lately is how tax law actually is somewhat unhelpful in cybersecurity,
and specifically it's specifically specifically because so when you have
a 1099 contractor, you're not allowed to give
them a computer. If you give, if you furnish any

(32:35):
kind of equipment to them, then they become a W-2. However,
if you have contractors that are coming onto your network
and then you have to essentially be okay with how
their business runs, like their computers and their mobile device
management and all of that. Whereas I think it would
make a lot more sense if we were able to
give computers, you know, to these people that are that

(32:58):
are contractors that are coming from another another company and
being like, hey, when you when you're working with our systems,
you use our systems, right, and you use security standards.
But I would be curious to see if that ever changes.
I'd be interested in seeing if if we can make
a business case for for that to be changed.

Speaker 2 (33:20):
That would be an interesting change to have cybersecurity change.
Tax law.

Speaker 1 (33:26):
Yeah, I mean, I'm sure crazier things have happened,
but I don't know, uh, I think I think we'll
have to get your podcast, Ellen, in front of some
some politicians or something in order to get.

Speaker 2 (33:37):
I don't know, I don't know that that sounds like
a daunting uh prospect. So you just said there's some
crazy situations. What is the craziest cybersecurity attack you've ever
personally dealt with? Besides the fishbowl? I mean that was
just the news.

Speaker 1 (33:58):
Well okay, so, so craziest cybersecurity attack we've ever dealt
with is we had a company that was like an
ed tech company and they essentially helped teach languages to kids,
and someone previous to us coming on and working with them,
had created a It was it was actually a little creepy,

(34:20):
but they found out the CEO's husband's name and then
made an account on the on the EC2 instance,
like the server itself under his name, and then started
uh changing all of the different links to point to
like Indonesian casinos and stuff like that. It was really
it was really odd, very interesting, easy cleanup, so that

(34:42):
was good. Lots of backups were taken and that's what
I was saying, though, is like you really want backups, right,
so then you know, like, okay, we can see when
something changed and when when an attack occurred, and we
can revert back before that. But but that was that
was pretty odd, and it's it wasn't odd because of
like the reader. It was odd because they went through
such a rigmarole to find out personal information, right like,

(35:05):
and then leveraging that in the attack. That it was
a little creepy. But yeah, that was probably the craziest.

Speaker 2 (35:12):
Yeah, that sounds like it has a note of personal
to it.

Speaker 1 (35:16):
Yeah, yeah, it did. It did feel that way a
little bit. It was, yeah, odd. But favorite story it
would definitely be Stuxnet, which I think still kind of
applies here. And that was almost twenty years ago now,
I think, but maybe fifteen. And essentially Iran had their
you know, nuclear facilities that were processing uranium and everything,

(35:40):
and someone decided to hack into that through a through
a consultant, through a contracting company because they were leveraging
portable drives so like the little the USB sticks. Yeah, yeah,
so they were leveraging that, and so they hacked the
contracting company, the contracting company had to drive. It

(36:02):
was a super sophisticated attack. But they pulled the drive
out and then like took it into this facility, plugged
it in to do their work, and everything ended up
being that drive installed a worm inside of the nuclear
plant and then in that process degradated the fans or
something along those lines. I'm blanking full full all the

(36:26):
terminal details the story. Yeah, the details for the story,
but essentially it ended up causing it to get to
the point where it could reach critical mass and everything
it was. It was wild, but that process and that
story was crazy. And thinking about how cybersecurity and how
the supply chain plays such a huge role in even

(36:47):
our nation's infrastructure right like, because that stuff is happening
out in the world right now, and it's like how
do we how do we protect against that? And we
have to be thinking about that in a consistent manner.

Speaker 2 (36:58):
So yeah, now, and I remember that story that you
mentioned about Iran because where when at that time, I
was working for HSBC bank, and I remember the memo
that came out that said no unauthorized USB drives and
you had to check your computer. Now this is when
we still had desktops, so you had to check your

(37:19):
computer and every possible port before you turned it on
each morning. It was like a new policy that we
had to do in order to check that someone wasn't,
you know, plugging in a keystroke logger or anything like that
into your computer in order to get access. And I
mean that was at the time. It was a huge deal.
And you know, the idea that someone could just plug

(37:41):
in this little stick and it would record every single
keystroke you did for that day, and then they could then,
to your point, you know, deconstruct it, figure out what
you did when you logged into something, what that user
name was, what the next string of characters that was
your password, and then they had access to all of
your information just because they plugged in a USB stick.

(38:02):
And even to this day, there are a lot of
clients when when I go to a trade show or
anything like that and I have USB sticks that are branded,
you know, here's a nice memory stick for you. Oh sorry,
our company doesn't allow us to use you know, promotional
sticks that we get from some unauthorized, unknown individual. And

(38:23):
I mean that's twenty years old and still a practice
to this day in a lot of different organizations, and
not without precedent, clearly.

Speaker 1 (38:32):
Yeah, I mean there's this whole social engineering attack that
you can do. Especially like the good guys come up
with cool ideas and then publish them. You know, who
knows what all the bad guys are trying and stuff,
but the good guys will publish this stuff. And one
of one of my favorites that I read about is
you put a bunch of of essentially malware onto these sticks, right,

(38:54):
and then you go out into the parking lot of
the business that you want to work in, and you
just drop a couple on the ground. Yeah, and then
people take them and they take them home or they
take them in the office and they go, I wonder
what's all this, you know, and they plug it in
and then bam, you got you got access, you know,
like it's it's it's wild. But also I personally love

(39:15):
learning about this stuff because it's amazing to think of
like how creative these people are right coming up with this,
and then how creative we have to be as defenders
to try to fight against it.

Speaker 2 (39:26):
Exactly if only we could harness that that negative creativity
for a more positive use. Well, thank you so much
Caleb for sharing your perspective with our audience today.

Speaker 1 (39:39):
Yeah, of course, it was. It was awesome being on
the on the podcast with the Ellen, your great host.

Speaker 2 (39:44):
Thank you. As we heard today, cybersecurity is no longer
just a technical safeguard. It's foundational to supply chain resilience
and business continuity. Companies that recognize this will be the
ones positioned to lead in the years ahead. To our listeners,
if you found today's episode valuable, be sure to like
and follow Speaking of Supply Chain wherever you get your

(40:04):
podcasts: Spotify, Apple Music, Amazon Music, or iHeartRadio, and be
sure to tune in next time.