Karmak shares what it learned after being victimized by ransomware attack

The news last month that Karmak was hit by a ransomware attack sent shockwaves through the truck dealer and aftermarket channels.

As one of the industry’s largest and longest-running business management system providers, Karmak is known for its technological prowess, innovation and expertise. The business invests heavily in its security systems and regularly preaches the importance of cybersecurity at its annual conference.

The company’s familiarity with and understanding of cybersecurity were vital in its response to the Feb. 14 attack. Karmak was able to contain the attack within hours, ensuring no customer data was breached and the impact to the company’s internal systems was minimal. Now mostly recovered from the incident, Karmak President and CEO Jim Allen recently sat down with Trucks, Parts, Service to share what Karmak has learned these last two months, how it will strengthen its security and how it intends to use the incident as a teaching moment for its hundreds of dealer and aftermarket customers and industry partners.

Allen says Karmak was fortunate. As a technology and software company, Karmak had a cyberattack crisis response plan ready and deployed it quickly to reduce the severity of the attack. The company’s coding expertise also has enabled Karmak to rebuild impacted systems in a matter of weeks. Dealers and aftermarket operations may not have that expertise to fall back on, he says.

“We were extremely fortunate to be able to turn this around the way we did. We were prepared for something like this,” Allen says. “Our goal now, we want to make sure we protect the people in our industry.”

‘Not if, when’

Allen credits Karmak’s teams for the company’s detailed cyberattack response plan, which went into effect immediately after the attack, containing it where it entered and securing all other systems and servers.

The company uses antivirus and security monitoring solutions within its systems at all times to monitor against and repel attacks. Employees also are required to complete regular cybersecurity training courses and are intermittently tested on their security knowledge.

He says any dealer or aftermarket operation could be targeted for the same reason. “Thieves don’t rob empty houses,” he says. Ransomware attacks specifically, like the one that hit Karmak, are the most common cyberattacks on small businesses. Allen says no business in the trucking space should believe it is invulnerable to the risk.

Training is only as good as the student

Karmak’s system was accessed through an email phishing campaign followed by a social engineering scam to gain more access. Karmak’s internal security systems alerted the company to the phishing hack before the social engineering efforts took hold, but a single incorrectly clicked email link was still able to do plenty of damage.

“You can have the best security at your house but if someone hands [robbers] a key they can walk right in,” Allen says.

Karmak has required employees to complete cybersecurity training for nearly a decade. Associates are consistently notified of common scams and provided guidance on how to identify if an email may be a phishing attempt. The training is comprehensive. Allen says what matters is how employees commit to it.

“You can’t have people watching TikTok while they’re doing it,” he says. “Take it serious. Take it as if you were a recent [cyberattack] victim.”

Do not engage with bad actors

Allen was in touch with the Federal Bureau of Investigation (FBI) within hours of the attack and says not engaging with the bad actors was one of the bureau’s first pieces of advice. The legal teams the company has worked with throughout the process echoed the same. Cyberattacks like the one that hit Karmak are a federal crime. Allen says Karmak deferred any communication with the bad actors to the FBI and immediately began focusing on identifying damaged systems and implementing repair procedures.

He says the company never even learned what the ransom was.

“We don’t do business with criminals,” he says.

Since the attack, the FBI has been attempting to create an encryption key to recover the files corrupted by the attack. Allen says Karmak has rebuilt almost all of them, but the company would still like the original data back for historical purposes.

Be transparent with customers and partners

Karmak notified customers, partners and OEMs of the attack the day it happened. Allen says he never thought otherwise. Even though the attack showed no evidence of a data breach, Allen says it was necessary to alert all impacted parties once the extent of the damage was known. Customer experiences were still going to be impacted, even if their data remained secure.

“With our CRM, we were able to send out immediate emails to all our customers. Then we started and sometimes twice-daily communication,” Allen says. Those messages were followed by phone calls, in-person meetings and video conferences to share more details and offer workarounds for customers who would be temporarily impacted.

Allen says full transparency didn’t make the follow-up meetings any easier — customers have asked tough questions — but it has made everyone more understanding.

“I would say 95% of people have been extremely supportive,” he says.

Have a recovery process in place

Karmak’s cybersecurity incident response plan follows the six-step process developed by the SANS Institute. Those steps are Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned. Allen says Karmak’s commitment to step one was what enabled the company to move so quickly through the other steps once the attack occurred. Identification occurred within minutes; containment was achieved in hours. Within days of being attacked, Karmak had deployed its software teams to begin rebuilding corrupted systems and make the business whole.

That’s an area where Allen knows the company is unique in the trucking space. Very few businesses could respond as fast to recover from encryption of resources. But that doesn’t mean dealers and distributors can’t have similar action plans. Consistent data backup plans can go a long way toward reducing downtime in the wake of an attack, as can communication plans for customers, vendors and authorities. No business should be expected to withstand a cyberattack alone.

What happened in Carlinville on Feb. 14 is a Valentine’s Day card Allen wouldn’t wish on anyone. But that doesn’t mean everyone can’t learn from it.

“There is no magic button to solve any of this stuff,” he says. “Anything you are doing can be used as a hook for [bad actors] to get you. We need to have constant awareness about this stuff and know what to do.”
