The logistics industry faces a major dilemma: only with digitalisation and powerful IT can they survive in the market and against competitors, but this makes themselves and the supply chain more vulnerable. Within a very short time, cyber attacks, especially on logistics companies, have increased enormously. Securing the processing and control of goods and information flows is thus becoming the new decision criterion for customers and thus an absolute competitive advantage.
As numerous as cyberattacks themselves are the possibilities to protect against them. In our article"Cybersecurity: extortion in the supply chain" we describe various ways to make IT more secure. Furthermore, it is worth taking a closer look at two-factor authentication (2FA) to ensure a high security standard. The number of accounts in a wide variety of portals and applications has increased drastically in recent years, both professionally and privately. It is hopeless to assign and remember an individual and secure password every time. No wonder that "123456" or "password" still lead the hit list of passwords. The aim of single sign-on and password safes is to increase the complexity of passwords because employees only have to remember one. However, if this password falls into the wrong hands, the damage is great, because all doors are now open to the attacker. Logistics portals, which combine all the information in the supply chain and exchange it between the parties involved, are particularly affected. If access is only regulated via single sign-on, without a second factor, the risk of attack increases significantly. Even if only one of the participants is attacked, the entire supply chain is affected and logistics processes are disrupted. With a second factor for authentication, the complexity of passwords can be significantly reduced and IT security increased enormously.
Via 2FA, the user has to confirm his or her identity via another factor in addition to the password, which may be in physical possession, for example. This can be, for example, an authenticator such as an access token or a confirmation code that is sent to another device via SMS or app. If either component is incorrect or missing, access will not be granted. Two-factor authentication is part of multi-factor authentication (MFA), which requires more than two independent ways to identify the user. Possible factors for both types of identification are:
So if an attacker gets hold of one of the required factors, he cannot use it to penetrate the system because at least one other is missing. Two-factor authentication therefore also protects against phishing attacks and malware, as they can only obtain the login information, but not the second factor.
Now that logistics companies in particular are the focus of hacker attacks, 2FA is a quick way to increase IT security enormously and stand out from the competition. Spying on passwords is no longer enough to gain access to sensitive data. The requirements for a single sign-on password are usually very high, as they grant access to many connected systems. It usually has to consist of at least 8 characters with special characters, numbers and upper and lower case letters. If an employee forgets his password, access is blocked for the time being until IT takes care of the problem. With the use of two-factor authentication, a simple password is sufficient. If the user forgets his password, he can recover it himself via the second factor. Especially in logistics halls, it often happens that employees change devices and log on again. With 2FA, they receive an e-mail or push notification when logging on to each new device. This means that access by unauthorised persons is detected even faster and appropriate steps such as immediate blocking or changing the password can be taken. In logistics, departmental accounts are still used in some cases, making traceability much more difficult. Using 2FA, it is only possible to work with personalised accounts.
More and more logistics portals require two-factor authentication to better secure the logistics chain. Employers are now faced with the question of how to provide their employees with the second way in the simplest and most cost-effective way. The simplest means is verification via SMS-TAN or App-TAN. In both cases, a mobile phone is required. Many are now wondering whether they need to provide their dispatcher or truck driver with a work mobile phone. The answer is classically lawyerly: "It depends!". You can require your employee to use a second factor to access or access the IT systems, as you have the responsibility of IT security. According to the GDPR, you as the controller are obliged to implement technical security mechanisms. What you are not allowed to do, however, is to prescribe the use of the employee's private smartphone for this purpose. As an employer, you have the so-called right of direction, which allows you to instruct the use of 2FA/MFA. In some companies, the works council may also have to be involved. BUT - In principle, you have the duty to provide all work equipment that is required for work performance. This means that if there is no alternative to the SMS-TAN or PIN in the authenticator, such as an access token or RFID chip, then you must provide a work mobile phone. If 2FA/MFA is possible with a token and the employee has the choice of what to use, then it is their decision. But nevertheless, no matter which means is used, you have to think about the implementation of data protection obligations. For example, the duty to inform the employee, the inclusion of the procedure in the procedure directory or, if necessary, carrying out a data protection impact assessment.
The importance of cybersecurity will continue to increase in the future. A high IT security standard is therefore increasingly becoming a competitive factor. With a two-factor authentication in your portal, you show your customers at first glance the importance of IT security in your company and thus secure a competitive advantage. Especially when planning the transport of dangerous goods, it is essential to keep unauthorised persons out of the IT systems.
Add a comment