How can the rental sector fight growing threat of cyber attacks?

“Last year there was a cyber attack every 14 seconds, this year every nine seconds... next year - every 5 seconds?”

This stark warning was part of DKR Projects David Riley’s recent talk at the European Rental Convention in Amsterdam in September, which showcased the ERA‘s new ‘Cybersecurity Best Practice Guide’ for the equipment rental industry.

The risk of cyber attacks in the rental sector is increasing. Credit: Jakub Porzycki/Nurpho via Reuters Connect.

It sums up the accelerating pace of cyber crime, and the fact that this is a focus for the ERA demonstrates a pressing need to keep up.

Incidents in recent times bear this out. In September, Nordic accommodation rental company Adapteo was the target of a cybersecurity attack, with the breach affecting the company’s servers and core business applications.

And in early 2021, hydraulic lifting, loading and handling specialist Palfinger experienced a ransomware attack that froze operations at its sites across Europe, North America, South America and Asia for a week (as reported in August by KHL journalist Lucy Barnard for www.internationalcranes.media).

In 2017, the purchase ledger team at Loxam Powered Access also experienced a potentially devastating phishing attack; and It’s likely that these three incidents are a small portion of a rising number of cyber crimes experienced or attempted in this sector.

ERA’s Cybersecurity Working Group
“The volume but more importantly the sophistication of cyber attacks is increasing year on year,” says Gareth Lloyd, chief digital & information officer at Loxam Powered Access and member of the ERA‘s Cybersecurity Working Group.

“It’s very unlikely that it will stop any time soon. It’s a very profitable criminal enterprise and there are a lot of soft targets.”

“The global economic cost of cyber-crime is projected to reach $6 trillion a year in 2021,” he adds.

And he describes the experience of the 2017 cyber attack on Loxam Powered Access as a wake-up call.

Gareth lloyd, chief digital & information officer at Loxam Powered Access and member of the ERA‘s Cybersecurity Working Group.

“Like every company that is going through digital transformation, there comes a point when everyone realises that the exciting opportunities presented by digital technology come with a corresponding level of risk,”

While ultimately the phishing incident didn’t result in serious losses, the large sum at risk meant the company‘s exec team “really sat up and took notice of cyber security.”

“Fortunately we were already making progress with a lot of cyber security basics. But that incident meant we got the buy-in, the understanding of the importance of this, to allocate the budget and focus needed to really accelerate our security maturity, which we have been doing ever since. ”

Commercial cost of cyber attacks
Understandably, few companies are prepared to disclose the financial impact of a cyber attack. Potential future threats are also difficult to quantify given the global reach and complex supply chains of the rental sector. However, as a starting point, fines alone can be significant, says Lloyd.

“For example, if the attack results in a big data breach, then the GDPR (General Data Protection Regulation) fine can be up to 4% of your global revenue.”

Other impacts from serious cyber attacks can amount to untold opportunity costs. “It is also about loss of revenue while you are offline, loss of reputation with customers, the time it takes to recover if you have something like a big ransomware attack. ”

Guy Dulberger, vice president, information security, at online equipment auctioneer Ritchie Bros. tells IRN the company has upped its cyber security as part of its digitalisation program.

Guy Dulberger, Vice President, Information Security, Ritchie Bros.

“Ritchie Bros is traditionally a construction equipment auction house, but really it has evolved into a tech company in recent years and that digitalisation means new challenges from a cybersecurity perspective.”

“Once protection was an anti-virus and firewall. Nowadays you have to think very differently. Covid has also created a big shift because now our network has expanded from being in the cloud to being everywhere your employees are. If they’re all logging in from their home email provider and router, that creates more vulnerabilities.”

Merger and acquisitions activity in the rental sector is also creating poorly integrated systems and weak points, Dulberger says, while smart machines are another potential “soft spot” due to their dependence on the Internet of Things, according to Loxam’s Gareth Lloyd.

“As soon as you connect a machine to the Internet, there’s a risk. We’ve seen it in the past, with smart vending machines, printers and so on used as a weak point of entry for an attack.”

“It’s important for telematics providers to get the security right and ensure that rental fleets remain secure once they are connected to the Internet. There’s probably going to be more regulation around this too, so it will be a case of upgrading machines and telemetry to keep up with best practice, just as we have to patch our computers regularly.”

Email attacks are also growing more complex and sophisticated, says Lloyd.

“It used to be ‘spray and pray’ bulk emails but now there is a lot more ‘spear-phishing’ which is much more targeted at specific individuals, whether they are junior staff in finance or senior executives.

Ritchie Bros has recently implemented two simple but effective measures to ensure cyber security.

“That increasing sophistication could mean that we see things like CEO impersonation move from email or SMS to deep fake voice impersonations via the phone.”

Palfinger cyber attack
Following the Palfinger attack in January, vice president of ICT, Alexander Wörndl-Aichriedler, tells IRN the company is increasingly monitoring the Dark Web, which, among other things, hosts lists of firewalls affected by an exploit. These can be downloaded as CSV files for use by criminals on IP addresses.

Alexander Wörndl-Aichriedler, VP ICT Palfinger AG

Unfortunately a single company quickly reaches its capacity limits in terms of research and analysis, at which point, he says companies often buy in external services and analytics.

However as a rule of thumb, any IT department in a typical rental sector company should develop a system for regular reviews and audits and strictly enforce compliance with policies, he says. “And it has to do this at all levels, at headquarters as well as at remote sites.”

Meanwhile, Ritchie Bros has recently implemented two simple but effective measures, says Dulberger.

“Firstly we made sure that MFA, or multi-factor authentication, is enforced for everyone in the company. Once upone a time, a VPN or virtual private network would protect you, but now the rise of cloud services means people are logging into a wide range of platforms.

“MFA is a good line of defence. If someone tries to log in in as you from somewhere else, they’ll get prompted with an additional layer of identification such as a code via text message. This is especially important if someone has fallen for a phishing attack and disclosed their credentials.”

“The second thing we’ve done is to adopt EDR, or endpoint detection and response, which is next generation anti-virus solution that allows your security team to have visibility from anywhere in the world.”

The human element is also critical, says Lloyd. “There’s a huge part of security which is about building awareness amongst people – how to spot potential threats, how to react, why certain processes need to be followed, and so on.

“Because of the sector we are in, the best analogy is to think of cyber security like we think about health and safety, it is everyone’s responsibility, all the time.”

He adds that speedy adoption is advisable.

“Often in IT, we’re going at the speed that users will accept change, rather than the speed we could. We would have prevented that phishing attack if we had two factor authentication rolled out fully – but we were doing it slowly, to accommodate perceived user resistance.”

Rental response to cyber threat
As demonstrated by the ERA’s new guide, the inter-dependency of the rental supply chain suggests a sectoral response.

Lloyd warns that if rental companies are vulnerable to attack, this may impact their customers.

“Equally, rental companies may be at additional risk if their suppliers and customers are not adequately protected, so they must protect themselves vertically, up and down the supply chain.”

Regardless of company size, Gareth Dulberger adds that cybersecurity is an attainable goal, with smaller companies often best serviced by appointing a third-party consultancy to ensure they have the right protections.

“Cybersecurity doesn’t have to be expensive. There’s a misconception that you need to spend millions of dollars, but often it’s a case of sitting down with your stakeholders and working out what your contingency plan will be.”

Looking ahead, Palfinger’s Wörndl-Aichriedler says companies thoughout the sector must be braced for an acceleration in activity.

“Previously, companies assumed they would be hit by a successful massive ransomware attack once every ten years. That was a calculable risk. The new situation and the incalculable risk that it brings with it mean that the willingness to invest substantially more in security is increasing. ”

“What is even more important is that cybersecurity has to be seen as a task worth every effort, not only by individuals or companies but by society and governments. Cybercrime affects everybody.”

To view the differing types of cyber attack that pose a threat to the sector, click here.