When talking to Forward Air’s (NASDAQ: FWRD) Jay Tomasello, the company’s chief information officer, about the cyberattack that hit the company just before Christmas, the main thing that comes through is a sense of satisfaction that the company handled it extremely well.
It’s as if Forward Air considers what occurred a success story. And therein lies a lesson.
“You’re starting to see a shift in thinking in the industry and among C-suite executives that the stigma that used to be attached to a cyber event is something we’re looking at differently,” Tomasello said in a recent interview with FreightWaves. The interview was part of Forward Air’s continuing efforts to be strikingly up front about what happened to the company — an effort that included an interview granted by CEO Thomas Schmitt to FreightWaves about his views of the incident. (Schmitt also will be giving a fireside chat as part of the upcoming FreightWaves Global Supply Chain Summit.)
Earlier focus was all about prevention, Tomasello said. Now, it’s prevention but it’s also “the leadership through the crisis” and “response and recovery.”
The idea that a cyberattack is not something that should be hidden and hushed up, like a crazy family relative, is also part of Tomasello’s views of the type of person a company should hire for jobs such as CIO. A prerequisite should be that he or she has been battle-tested through some sort of crisis, as Tomasello was in an earlier stint at FedEx, which got hit with a cyberattack that ultimately cost it several hundred million dollars.
“When I talk to CEOs or CFOs and they talk to me about cyber, one of the first things I tell them is to make sure at the very start that the CIO you are hiring has been through a crisis, whether it’s business-related or personal,” Tomasello said. The goal, Tomasello said, would be to have somebody in position who can “understand they are in the middle of a crisis, can keep cool and calm, and lead the team strongly through the event.”
Tomasello echoed much of what Schmitt said in the CEO’s FreightWaves interview — that Forward Air had extensively prepared for a cyberattack, running what amounted to a fire drill just a few weeks before the incident. He did not suggest that the fact Forward Air was attacked meant it hadn’t prepared property. Instead, he praised his co-workers for implementing the plans that had been put in place over many months.
At least three times during the interview, Tomasello used the term “the fog of war” to describe what Forward Air went through, and what other companies have been through and unfortunately will go through.
The leader, whether he or she holds the position of CIO or some other title, does need to create “proper structure and proper resources” for dealing with a cyberattack. But beyond that, “the main job of a leader is to ensure that their team can operate effectively and can cut through the fog of war,” Tomasello said.
When Forward Air went down, the assumption was that the cyberattack had taken down pretty much all its key assets. For example, the company’s website was down, replaced with what amounted to a “skin” of the list of services Forward Air provides.
But Tomasello said the outside perception was incorrect. When the cyberattack hit the company on Dec. 15, Forward Air put into place its plan to, as the CIO described it, start “pulling up the drawbridge” to ensure that further attacks would be cut off by taking down some operations on its own. (However, Tomasello would not say whether taking down the website was part of the attack or part of the response.)
“There was no equivocation on what was needed to be done or how extreme the measures were that we would need to take to protect shareholders,” Tomasello said of the way that his colleagues quickly did what had long been planned. .
Pulling up the drawbridges created a “moat,” Tomasello said. But as the company started reviewing its systems in the wake of the Dec. 15 attack, Tomasello said Forward Air was able to decide by the 16th that some systems could be brought back online.
Tomasello was asked whether cybersecurity guidelines are emerging that say a company should spend a certain percentage of revenues on protecting its systems. He said there was “debate back and forth” on that subject, but what is “more important is that you are taking a layered approach to security.” There need to be “multiple technologies in place” to prevent attacks and monitor company systems at all times to look for any signs of an incoming assault.
But Tomasello kept coming back not just to prevention but to response. One aspect of that is to not be too top-heavy and have staff members concerned about crying wolf. Teams need to be “empowered to escalate alarms” if they see something. And if it turns out to be a false alarm, “there should be no penalty for that.”
The preparation at Forward Air to get ready for a cyberattack involved developing what Tomasello called “partnerships.” For example, Forward employs a law firm that focuses on cybersecurity.
That’s fine for a company with the resources of Forward Air. But as Tomasello said, cyberattacks are “much more frequent than what is reported in the media.” Publicly traded companies are usually open about it, and if the incident is significant enough, they’ll need to file a statement with the Securities and Exchange Commission, as Forward Air did. “What you don’t see is if a local dentist is under ransomware attack and they need to pay $5,000 to get their data back,” Tomasello said.
Tomasello did not disagree with the conventional wisdom that transportation companies seem to be under particular attack. He said he does believe that there can be a “targeting and saturation of a particular industry.” The good news, he said, is that “once a certain amount of value is extracted from the industry, by and large these threat actors move on to another industry that maybe hasn’t been attacked.”
To get on the right track toward being able to put together a prevention program as well as a response plan, Tomasello said it is vital that a company’s board views cybersecurity as a high priority. When he joined Forward Air last year, he deemed cybersecurity as his top priority. “What I learned from the board was that it was their No. 1 priority as well,” he said.