Werner’s Mahon Details Aggressive Approach to Cybersecurity

"We’re one of the biggest carriers in the United States; if we were down for a couple weeks, that is an impact on the supply chain," Werner Enterprises Chief Information Officer Daragh Mahon says. (National Motor Freight Traffic Association)

[Stay on top of transportation news: Get TTNews in your inbox.]

CLEVELAND — Werner Enterprises cybersecurity lead Daragh Mahon detailed his aggressive and innovative approach to cybersecurity during a conference Oct. 29.

Mahon, who serves as executive vice president and chief information officer for the carrier, made his comments during a presentation at the National Motor Freight Traffic Association Cybersecurity Conference 2024. His presentation focused on two key challenges: managing the transition from legacy systems and addressing email vulnerabilities.

“We’ve taken a very hard-fisted approach to it,” Mahon said. “Yes, employees don’t enjoy it. Yes, it scares them. Yes, it makes them worried. But that’s sort of the goal. We want to get in their faces about this. We want them to understand the risks they put, it’s not just the company, it’s their own jobs, it’s America. We’re one of the biggest carriers in the United States; if we were down for a couple weeks, that is an impact on the supply chain.”

RELATED: Industry stakeholders discuss top concerns

Werner ranks No. 16 on the Transport Topics Top 100 list of the largest for-hire carriers in North America and No. 30 on the TT Top 100 list of the largest logistics companies in North America.

Mahon has led the company’s cybersecurity efforts the past four years. A major component of that was doubling the information security (InfoSec) experts to five personnel. He also stressed the importance of hiring people with a passion for the work.

“The other part that’s really important to me is training,” Mahon said, “so we have a small training team on the cybersecurity, on the InfoSec, team. That’s because you need full employee engagement from a training perspective. We do an awful lot with workday training.”

Mahon added that drivers and employees are expected to take an online training course once a quarter. They will have to undergo additional training if they failed three tests over a rolling 12-month period. But he is especially focused on the back office, where email threats like phishing and social engineering are massive attack vectors.

“We do a ton of phishing testing,” Mahon said. “We hit them with all these phishing tests, and what we’re trying to do is get them to click on a link, or report it. That’s the result. If you click on it, you fail, if you report it, you pass. What the feedback I got from employees in the first six months of doing this is, you’ve almost made us scared to click on a link, and I’m like, perfect.”

Werner CEO Derek Leathers also played a major role in a recent and unique surprise test, sort of. The cybersecurity team bought deep-fake software to better understand the technology and see whether it could trick its coworkers. It took about a week of work with the final render taking about eight hours. They then broadcast a video to their coworkers of this fake version of their boss saying they were removing vacation days as a cost cutting measure.

“It looked like him, it sounded like him, it was believable to the extent that, not everyone, but 80% of the company had a heart attack about it,” Mahon said. “We broadcast an hour and a half before an all-hands meeting, and then he walked in and said, that wasn’t really me, but you all believed that it was. So we do stuff like that on the InfoSec team, just to show everybody what can be done, and show everyone the importance of security.”

Mahon added that there were a handful of employees that were able to figure out it was a deep fake. The rest that didn’t fall for it thought it was a joke. But on the opposite end there were even a few employees that threatened to quit until they found out it was a test. But these surprise tests aren’t just limited to digital spaces. Mahon also has done exercises such as ensuring employees don’t let people into buildings without identification.

“You just have to train your people to be careful and be ready for that,” Mahon said. “I even do that now. I walk in, and people know me and recognize me, and I’ll say, ‘hey, I forgot my badge,’ and I want that person to say, no, sorry, can’t let you in, you got to go to the front desk. But it is surprising how many people don’t do that. By the way, you let bad guys into your building, you really are hosed.”

Want more news? Listen to today's daily briefing below or go here for more info: