The executive of the German global logistics firm details the actions it carries out with clients, suppliers and, especially, its human resources to prevent increasingly frequent cyber attacks. He also reveals that cybersecurity requirements today can even define bidding processes.
Although he is Ecuadorian by birth, the 23 years that Alejandro Palacios (CIO, SVP BPO and Customs for DHL Global Forwarding of the Americas) has been in Miami have made some dent in his Latin accent. His quarter century at the global logistics firm has seen him move through various positions until reaching his current role, in which he commands a team of more than 200 people focused on IT and Business Process Optimization. From there, he has had to coordinate the firm's cybersecurity actions, creating a close bond with workers and clients to raise awareness and prevent the possible impact of cyber attacks on the industry, attacks that were evident after the notorious NotPetya case in 2018, which affected different ports and shipping companies.
In this interview, the executive details to AméricaEconomía the particularities of cybersecurity in the logistics business and the activities undertaken to protect the supply chain and the privacy of its clients.
-How relevant is the threat of cyberattacks for the logistics sector today?
We have witnessed attacks directed at both logistics and shipping companies and customs offices in several countries and governments. This, without a doubt, has affected us all, as an industry, in one way or another.
Unfortunately, these cyberattacks can emerge through different modalities and come from multiple places, because the more connection points there are, the more vulnerabilities are opened. These connection points exist throughout the chain: from our clients' manufacturing process, where inventories, production and material are defined, to the transmission of that information, the movement and handling of cargo, final delivery, billing and payments.
-What are these cyber attacks like? How do they affect the core business of companies?
Simplifying and detailing the world of cyberattacks, these can be of certain types. At the information level, they can be information communication, management and storage. They can also occur at the infrastructure level, since absolutely everything, from a telephone, a watch, a printer or any machine that has a chip that receives and sends information, both personal and that of our clients, can be compromised.
In terms of impact, you may have an immediate paralysis of the business or a loss or hijacking of information - ransomware type - which may or may not impact the company's immediate process. But you know that this information, being very critical, can affect you at some point. Or you may even have instances where you don't know that the information has been affected, which is much more serious.
-What actions and investments has DHL deployed to protect itself from these cyber attacks?
One of our main focuses is the protection of our clients' data and processes. For this reason, I would divide it into two parts. At a macro level, we start by identifying the assets and systems we need to use. It sounds like a very simple thing, but in practice it is not. Basically I'm talking about the applications that the entire team is using. If I have a company phone, I can't let each person install whatever they want on the phone. Because any small application that seems very fun, useful or free can be an access point to later enter our systems. So, the first front is the identification of assets and systems. Then, the vulnerabilities of each of these assets and systems must be analyzed to know what the risks are and their possible impact: major, minor risk or misinformation. Subsequently, the necessary actions are taken to mitigate and limit these risks. This is the case throughout the ecosystem, even in our clients' systems. Once you have this, you can define, specifically, what preventive and corrective measures should be taken.
-How to align staff and suppliers in this effort?
For DHL employees (600,000 worldwide), suppliers and customers, we have cybersecurity training processes and tools, which begin at the time of hiring, as part of the onboarding process. We do mandatory training every year, in addition to phishing drills in which emails are sent to simulate various attack situations with lures: the one that indicates that you have won a prize, an email sent by a supposed manager or any other version. Likewise, in company communications we make articles and stories to show these dangers. All of this undoubtedly involves the entire human resource; all leaders and managers have to be involved at the same level as all employees.
-I imagine that there is also institutional coordination and even at the industry level.
We are stronger and better protected if we share information with all ecosystems and in all processes. Currently, we do joint testing with our clients, because we believe that the more structured communication you have with government agencies and third parties, the better. In addition, we have specific conversations with our clients about possible vulnerabilities and their eventual consequences. But all this works only if we are willing to share best practices and findings, in order to work together in constant interactions with customs and governments of different countries.
-Is the type of attacks that reach Latin America different or is there really no difference?
There is less and less difference. This started a lot with big goals in larger countries. Large institutions or companies in the United States or European countries, because the financial benefit is much greater. But cybercriminals will increasingly look for signatures where there are no security systems. Many cyberattacks look for places where vulnerabilities are most obvious and easy to access. And, as everything is increasingly interconnected, anywhere in the world, theoretically, could be an entry point.
-Is there currently greater awareness about cyberattacks than a few years ago?
Now it is a topic that is not only constant in discussions with our clients or management, but has also reached the bidding processes. They already ask you questions about how you protect yourself and what policies you have as a company. It is a rating factor. It is something that is already in the compliance of companies. It is increasingly a standard, which is why a greater number of organizations are clear about the importance of collaborative work on the subject. We have to help each other because, in one way or another, we are interconnected.
-Cybersecurity is being seen as one of the ESG criteria of companies.
Fairly. Today a firm must have a minimum of cybersecurity measures and processes that have to be shared to qualify as a supplier. Because a vulnerability or attack can put my operation at risk. For this reason, conversations with our clients asking for transparency in their processes when they hire us are becoming more common, because it is of mutual interest.
At DHL we measure our ESG performance with cybersecurity, using the Mid-Site Rating, which is an objective number measured by an external organization. Our rating is 750 points and is the highest of all companies in the world. And in the end it also ends up being a strength that I can communicate to my client.
-How do you approach the issue of cybersecurity with a client? How does it affect the business?
As a company, DHL has a strong focus on compliance, the environment and the respect and secure handling of information. From the moment you achieve that, it's not just what you do, but why you do it. It is essential that people become aware of their actions. For example, last year we implemented Two-Factor Authentication, which is the same thing that many people today have activated in their bank account or app. You open the bank account, the phone scans your face and then asks you to send the code. So, what we explain to our colleagues is that they should have the same discipline that we ask of them in the company at home to protect themselves. Taking that to discussions with our clients, on certain topics they already have a certain level of maturity and understanding, but in some cases they do not. It is important to keep the issue on the table and explain what the impact is, the consequences in terms of cybersecurity.
We are in an industry where more and more elements can become commodities, where more and more discussions can only be at the price level. So how do you differentiate yourself? Assuring your clients that you not only deliver what you promised them, which is visibility and digitalization, but also continuity and security.
-How do you see cybersecurity for the logistics sector and for DHL in the coming years?
Our strategy to 2025 is called 'Delivering excellence to a digital world'. And, if you have the word digital, you also have digital risk considered. I am sure that the 2030 strategy will have elements about this, because it is not something that will disappear. On the contrary, it is going to become increasingly sophisticated, since it is a topic that is growing and evolving daily. I think we are going to use more and more tools, such as artificial intelligence, to help us in the processes, since it allows you to scale the number of controls exponentially.
We talk a lot about prevention and risk mitigation. But what happens when something happens? What is the recovery plan? How do you stop or neutralize the attack? Where do you have backups of information or system redundancies? That is the last link that is also important to build and consider, as the process matures. Because, in one way or another, we are all susceptible, no matter what you do.