Every parcel company and market is different. This is reflected by the various layouts of depots and sortation centres. Our experts are available to offer help and advice in every respect.
There are two main reasons. Firstly, the number of cyberattacks is increasing globally. Every company, regardless of the industry, needs to prepare for potential attacks that could disrupt operations or lead to ransom demands. This means not only having a clear response strategy in place, but also building resilience to withstand and recover from such attacks.
Secondly, since the EU introduced the next step of their NIS regulation (NIS-2) in January 2023, postal and courier services have been nominated as important business sectors. Consequently, all such companies have to implement higher cybersecurity standards and need to comply with this new regulation, which has been active since October 2024.
Our experience shows that many modern parcel and courier companies focus on the obvious cybersecurity countermeasures, such as regular OS and application patching, anti-virus software, VPN connectivity and so on. However, what’s often overlooked are the lower levels of sortation systems, including equipment managed by low-level software like PLCs and FSCs. These are the brains behind the sortation equipment, and they often go untouched for years.
If the software on these systems isn’t updated or protected, for example by a new firewall or secure coding, they become easy targets. Hackers may bypass the application layer and directly access the equipment layer, potentially shutting down operations or encrypting systems to demand a ransom. It’s like locking the main door, but leaving all the windows and back doors open in a house – you’re just inviting trouble.
If a hacker gains access through a low-level system, they can potentially move laterally through the network. That means they could reach high-level systems, customer databases and other facilities. It’s not just about one machine going down, it could compromise the entire network.
One big mistake is the assumption that being “inside your own network” means you’re safe. Many companies still rely on outdated practices, such as using the same keys and passwords for all cabinets or not encrypting internal communications. Another issue is underestimating the human factor. Employees might plug in a USB stick or unknowingly click on a phishing link, opening the door to attackers.
There are many, but maybe one of the most prominent recent examples is the WannaCry ransomware attack, which demanded ransom payments from over 200,000 computers. Other examples often involve employees clicking on emails, inadvertently opening doors for hackers to enter the system and encrypt servers and data.
We recommend that they think outside of the box, not only looking at software applications, but the complete environment, including third party suppliers within the supply chain. There are many issues to be taken care of, including: site access; backup and business contingency scenarios; access to infrastructure and premises; and unsecured terminals available to unauthorised personnel.
Looking into the details of EU legislation, such as NIS-2, is an excellent place to start. It is not the sole responsibility of all industry partners to comply with those regulations, but each customer’s own responsibility to become compliant, with support from the industry.
Once cyber resilience is achieved in operations, it should be checked for vulnerabilities or signs of intrusions on a regular basis – at least every 12 months. You don’t have to test the same things every time (like server access) but have different scenarios at hand, so you surprise yourself and your employees to identify loopholes.
Companies need to have backup scenarios and incident response plans in place. That includes knowing who to call, how to reroute parcels, and how to continue operations manually if needed. It’s not just about technology, it’s about people, processes and planning. Identifying best practices to increase awareness about cybersecurity, as well as regular training and updates about common pitfalls and threats, might prevent issues from occurring.
Cloud services offer both opportunities and risks. On the one hand, they make it easier to update systems across multiple sites. On the other hand, they introduce new vulnerabilities if not managed properly. Some customers are still hesitant to adopt cloud solutions, because they fear losing control over their data. That’s why trust in your IT team and service providers is so important.
Firstly, we develop our products with Secure by Design principles, which means security is built-in from day one of the design phase. Secondly, we offer consultancy services to help customers to become compliant with existing and upcoming legislation. Examples here include performing joint risk assessments and advising them on frameworks for managing cybersecurity and resilience. We don’t provide a full IT consultancy, but we can guide them in the right direction and connect them with specialist partners.
They will evolve because new tools are being introduced, and with the rise of AI and increased automation, threats will become more sophisticated. AI in criminal hands is such a powerful tool, but even misused AI functionality may easily find loopholes and open gateways. On the other hand, AI may improve security tremendously, as leaks might be easier to identify.
With the EU assignment of parcel and courier companies as important business sectors, you can see the current importance of such services. But it’s not only the banking, military, electricity infrastructure and health service sectors that are the focus of potential attackers. It’s the disruption of modern society’s vital everyday routines that makes cyber threats increasingly dangerous, with both interest and risk increasing exponentially over the past ten to 15 years.
Don’t wait until it’s too late. Cybersecurity is no longer optional, it’s a business-critical priority, a license to operate and – at least in the future – a differentiator in sales. And it’s not just about protecting your systems and data: it’s about protecting your customers, your reputation and your future.