What the World’s Top CEOs Are Worried About Right Now (And Why It Should Stop You Cold)

The most dangerous phishing email hitting inboxes today doesn’t look dangerous.

It’s AI-generated. It sounds like your CFO. It looks like your most trusted vendor. It arrives at exactly the right moment.

And the leaders running some of the largest companies in the world are finally putting it on the record.

I’ve studied the data, the research and the field reports that are shaping how global executives think about cyber risk right now. What I found wasn’t surprising. It was confirming. Because the patterns showing up in boardrooms across every industry are the same ones I see when I get called in after a company has already been hit.

Same blind spots. Same gap between what leaders believed about their security and what was actually true.


The Threat They Were Preparing For Last Year Is Not the One Coming Now

In 2025, ransomware was the number one concern for CEOs worldwide.

In 2026, it dropped.

Cyber-enabled fraud and phishing took the top spot. AI vulnerabilities moved to second place. That shift doesn’t mean ransomware protection stopped mattering. It means the entry point changed, and most companies are still defending the door that already got closed instead of the one that’s actually open.

That shift matters more than most leaders realize. Because the most dangerous version of an attack today doesn’t announce itself. It’s personalized. It’s timed. And it’s increasingly built by AI to get past the defenses you already have.

Nearly three out of four executives surveyed said they or someone in their professional network had been personally affected by cyber-enabled fraud in the past year alone.

That’s not a niche threat. That’s nearly everyone in the room!

“The gap between what you believe about your security and what you can actually prove is where criminals live.”


94% Agree AI Changes Everything. But Most Companies Haven’t Changed Anything.

Ninety-four percent of executives surveyed identified AI as the most significant driver of change in cybersecurity right now.

Ninety-four!

And yet, roughly one-third of organizations still have no formal process to assess the security of their own AI tools before deploying them. Even fewer have built real AI threat detection into how they monitor those tools day to day.

I’ve stood in the aftermath of enough attacks to tell you what that gap costs. The companies that called on IT ArchiTeks after a breach knew cybercrime was a risk. They heard the warnings. They believed they were prepared.

What they couldn’t do was prove it.

The gap between belief and proof is one of the most expensive gaps in business today.


This Is Not a Technology Problem. It Never Was.

The research draws a sharp line between organizations with high cyber resilience and those without.

The single biggest differentiator? Leadership.

Among highly resilient organizations, 99% reported board-level involvement in cybersecurity. Regular updates. Active engagement. Defined roles.

Among organizations that described their resilience as insufficient, board engagement was nearly absent.

Cybersecurity isn’t an IT discussion. It’s a business continuity decision. It’s a margin protection strategy. It belongs at the same table as revenue, operations and risk.

“What isn’t owned isn’t prioritized. And what isn’t prioritized becomes exposed.”


The Blind Spots Haven’t Changed. Most Companies Haven’t Either.

The top barriers to cyber resilience: a rapidly evolving threat landscape, third-party and supply chain vulnerabilities and cybersecurity skills shortages.

I’ve been documenting those same gaps in the field for years.

I see backups never tested under real conditions, cybersecurity monitoring that exists on paper but not in practice, vendor credentials nobody revoked, flat networks with no segmentation, cloud environments assumed to be someone else’s responsibility. And people, still the most targeted entry point of all, with little to no insider threat detection in place to catch the moment someone inside the building becomes the risk.

None of these require a sophisticated attacker. They are simply the doors criminals find before you do.

And here’s what makes them so dangerous: they don’t look like problems. They look like confidence. They feel like preparedness. They sound like “we’ve got it covered.”

Until the day you find out they weren’t.

The research has confirmed what I see every day. The patterns are documented. The risk is named.

The question is whether you’ll act before you’re forced to, with managed cybersecurity services that catch what your team can’t see on its own, or after.

Book a free 20-minute strategy session  |
Schedule an independent risk audit  |
Book Melanie as a speaker

Data referenced throughout: WEF Global Cybersecurity Outlook 2026, published January 2026 in collaboration with Accenture.

This Is What Proof Looks Like. 18 Hours. Zero Ransom. Zero Data Loss.

I want to tell you about one of the best days of my cyber career.

I’m sitting in a conference room with a transportation client. A few months earlier we had completed a comprehensive risk assessment and uncovered some significant vulnerabilities. Since then we’d been in a holding pattern while they decided how they wanted to respond to what we found.

This was decision day.

I walked through the findings one more time. The gaps. The risks. What was at stake. Then I asked the question: how do you want to manage your risk?

They said yes. All of it. Our full cybersecurity stack.

I won’t pretend I wasn’t relieved. This is exactly the moment this work is for.

Over the next several months we onboarded them completely. Everything was running exactly as it should. Then at the end of December, just before the holidays, a ransomware attack launched from Russia hit their network through a business email compromise.

Our monitoring tools detected it immediately. Our team isolated the affected systems and engaged a forensics team within hours. The investigation took five days to ensure no residual threats remained.

Once forensics cleared the environment and gave us the green light, we had their systems back online within 18 hours. And because of a well-designed, tested backup and data recovery plan, their data was restored to within 15 minutes of the initial attack.

Zero data encryption. Zero data loss. Zero ransom paid. Business continuity maintained without interruption.

Chalk that one up as a win for the good guys.

That company is still in business today because they recognized the risks, made a decision, and gave us the time to build something proven before they needed it.

That is what proof looks like.


Why This Outcome Is Rare

I wish I could tell you this is the typical result. It isn’t.

Most of the companies we help recover after a ransomware attack are calling us after the fact. After the encryption. After the ransom demand. After the data is already gone or compromised. After dispatch is dark and drivers are sitting idle and customers are calling with nowhere to turn.

The difference between that company and the ones who don’t make it isn’t luck. It isn’t budget. It isn’t the size of the fleet or the sophistication of the criminals who targeted them.

It’s preparation. Specifically, preparation that was built, tested, and proven before anyone needed it.

The NMFTA Cybersecurity Best Practices Guidebook calls this out across multiple tiers: documented incident response plans, regular assessments, tested backups, disaster recovery planning, and business continuity protocols. These aren’t bureaucratic checkboxes. They’re the infrastructure that determines whether your company survives the hour everything goes wrong.


The Five Pillars That Made It Possible

When I look back at what made that recovery possible, it maps directly to the Proof to Profit framework I teach in my keynote presentations.

Prepare.
They completed a comprehensive risk assessment before the attack. They knew where their gaps were. They made informed decisions about how to address them.

Prove.
They didn’t assume their systems worked. They tested them. They validated their backup and recovery plan under realistic conditions before they ever needed it.

Practice.
Their team knew the protocols before the incident required it. When the attack hit, nobody was figuring out roles in real time. The response was practiced, not improvised.

Protect.
The right tools were in place and monitored around the clock. When the attack came through a business email compromise, the monitoring detected it immediately. Not days later. Not weeks later. Immediately.

Profit.
They’re still in business. Still moving freight. Still serving their customers. That is the profit. Not a financial metric. Survival. Continuity. The ability to keep operating when criminals tried to take that away.


What This Means for Your Company

The company in this story isn’t extraordinary. They’re a transportation company that made a decision. They recognized the risks, invested in the right framework, and gave us the time to build something solid before they needed it.

That decision is available to every trucking leader reading this.

Cybersecurity isn’t an IT problem with a technology solution. It’s a leadership problem that requires a leadership response. The trucking leaders who understand that are the ones who get to tell the success story instead of becoming the cautionary tale.

You don’t rise to the occasion in a cyber crisis. You fall to the level of your preparation.

The question isn’t whether an attack is coming. The question is whether you’ll be ready when it does.


Three Questions Worth Asking

  1. Do you have a documented, tested incident response plan that your leadership team has actually practiced?
  2. Has your backup and data recovery plan been tested under realistic conditions, against a clock, in the last twelve months?
  3. If an attack hit tonight, would your team execute a practiced response — or improvise one?

If those questions don’t have confident, documented answers, you know where to start.


Contact us at ITArchiTeks.com to start the conversation.

Because hope is not a strategy… and proof is how you protect profit.


Written by Melanie Padron

Vice President of Strategic Growth · IT ArchiTeks
Risk Strategist · National Cybersecurity Speaker

Melanie Padron brings nearly three decades of risk management experience, spanning insurance and cybersecurity, to help trucking and logistics leaders validate security posture, strengthen resilience, and protect revenue before pressure reveals what preparation concealed.

She’s a nationally recognized cybersecurity keynote speaker and the creator of two acclaimed talks:

  • Surviving a Cyber Crisis: Real Stories. Real Lessons. Real Money.
  • Proof to Profit: How Leaders Protect Revenue in the Age of Ransomware and AI

To bring either conversation to your conference, association, or leadership team — visit ITArchiTeks.com or connect with Melanie directly on LinkedIn.

You Believe You’re Protected. Can You Actually Prove It?

Imagine building something for 95 years.

Three generations. Hundreds of employees. 75 terminals across the country. A name in the industry that meant something. A company your grandfather started, your father grew, and you were supposed to carry forward.

Then one night, everything goes dark.

Dispatch offline. Drivers unable to log trips. The call center silent. 800 computers encrypted. Ransom paid. Weeks of around-the-clock recovery work that still couldn’t save what had already been lost. The attack was the final nail in the coffin for a company already under financial strain.

A year later, they closed permanently.

What haunts me about this story isn’t just the loss. It’s that it was preventable. They had IT support. They had systems in place. What they didn’t have was a cybersecurity framework, independent verification that their systems actually worked, or any way to prove they were protected when it mattered most.

They believed they were. They couldn’t prove it.

That gap — between belief and proof — is what this post is about.


Three Gaps That Turn Belief Into a Liability

When I look back at situations like this one, the same three vulnerabilities show up every time. None of them are hard to fix. And most trucking companies I work with have at least one — often all three.

Gap 1: The Cloud Created a False Sense of Security

When a company moves to Microsoft 365, a cloud-based TMS, or any hosted platform, there’s often a collective exhale. Someone else is managing the infrastructure. The assumption — rarely stated but almost always present — is that security came along for the ride.

It didn’t.

Your vendor secures the underlying cloud infrastructure. Securing your data, your user access, your permissions, your configurations? That remains entirely your responsibility. It’s all spelled out in the fine print that nobody reads.

Just because you outsource your technology does not mean you outsource your risk.

Most trucking companies aren’t even having this conversation with their vendors. Many don’t have an inventory list of who their vendors are, let alone what security standards those vendors meet. At minimum, maintain a vendor list and send the NMFTA’s vendor vetting questions to each one. It starts a conversation most companies have never had.

Gap 2: The Network Had No Locked Doors

The NMFTA Cybersecurity Best Practices Guidebook lists internal network segmentation as a Tier Two control. The concept means dividing your network into separate sections so that if criminals get into one area, they can’t move freely into everything else.

Think of it like a warehouse with no locked doors between departments. Someone gets through the front entrance and suddenly they have access to the loading dock, the offices, the safe, and the server room.

Improper segmentation — or no segmentation at all — is one of the most common gaps we find in our fleet security audits. When ransomware enters a flat network it doesn’t stay where it landed. It moves fast and takes everything it can reach.

Gap 3: Nobody Had Independent Eyes on It

This is the one that connects everything back to that 95-year-old company.

Their IT partners were reporting that things were fine. Nobody had ever brought in an independent set of eyes to verify whether what they had actually worked. Your IT team and your MSP can’t assess their own work. Even the most well-intentioned internal team has blind spots they genuinely cannot see because they’re too close to the environment they built.

You cannot fix what you cannot see. And you cannot see what you’ve never had someone qualified look for.

If your IT provider resists independent scrutiny, ask yourself why. The answer matters more than the explanation.


Belief and Proof Are Not the Same Thing

I’m not writing this to frighten anyone. I’m writing it because I’ve sat across from too many trucking leaders who had every reason to believe they were protected — and discovered too late that they couldn’t prove it.

Your IT team may be excellent. Your MSP may be responsive. Your cloud vendor may be reputable. None of that is proof that your specific environment is actually secure.

Proof comes from independent eyes. From a framework built for your industry. From testing that happens before criminals do it for you.

Age and legacy are not safeguards against modern threats. The most expensive hour in your business is the one you assumed would never happen.


Three Questions Worth Asking

  1. Do you have a complete vendor list — and have you asked each vendor what they are responsible for securing versus what you are?
  2. Who outside of your internal IT team or MSP has independently assessed your security posture, and when?
  3. If ransomware entered your network today, what would stop it from reaching every system you operate?

If those questions don’t have clear documented answers, you have your starting point.


Contact us at ITArchiTeks.com to start the conversation.

Because hope is not a strategy… and proof is how you protect profit.


Written by Melanie Padron

Vice President of Strategic Growth · IT ArchiTeks
Risk Strategist · National Cybersecurity Speaker

Melanie Padron brings nearly three decades of risk management experience, spanning insurance and cybersecurity, to help trucking and logistics leaders validate security posture, strengthen resilience, and protect revenue before pressure reveals what preparation concealed.

She’s a nationally recognized cybersecurity keynote speaker and the creator of two acclaimed talks:

  • Surviving a Cyber Crisis: Real Stories. Real Lessons. Real Money.
  • Proof to Profit: How Leaders Protect Revenue in the Age of Ransomware and AI

To bring either conversation to your conference, association, or leadership team — visit ITArchiTeks.com or connect with Melanie directly on LinkedIn.

Your People Are the Most Targeted Asset in Your Company. They Could Also Be the Most Powerful One.

Every cybersecurity conversation eventually lands on the same uncomfortable truth: most attacks don’t start with a sophisticated technical exploit. They start with a person. A click. A reply. A wire transfer that seemed completely legitimate until it wasn’t.

That gets framed as a human failure. I want to reframe it.

Your people aren’t being targeted because they’re careless or uninformed. They’re being targeted because criminals are sophisticated, patient, and specifically trained to exploit the way humans naturally communicate and trust each other. There’s a difference between a vulnerability and a character flaw. Your team most likely has the first, not the second.

But here’s the other side of that truth. Properly trained, aware, and empowered people are also your strongest line of defense. The same asset criminals target most is the one that stops them when it’s developed correctly.

Right now, most trucking companies have the risk. Very few have developed the defense.


What the NMFTA Says About the Human Layer

The NMFTA Cybersecurity Best Practices Guidebook for Mid-Sized Fleets lists basic cybersecurity awareness training as a Tier One prerequisite. Not a nice to have… or something to get to eventually. A foundational control that must be in place before anything else is built on top.

The guidebook also calls out alert monitoring and least privilege access as critical controls. Because the human layer isn’t just about training people not to click bad links. It’s about building systems that limit the damage when someone inevitably does.

All three of those controls show up consistently in our fleet security audits as gaps. Not because nobody thought they mattered. Because nobody was specifically hired to own them.


How Criminals Actually Get In

Let me walk you through two scenarios we see repeatedly in the trucking industry.

The fake invoice. A criminal researches your company, identifies a vendor you work with regularly, and sends an invoice that looks exactly like the real thing. Same logo. Similar email domain. Accurate freight details pulled from publicly available information or a previous data breach. Someone in accounting processes it. The money moves before anyone realizes the vendor’s email was off by one letter.

Vendor compromise. A third party you trust — a software provider, a logistics partner, an MSP — gets breached. Criminals use that trusted relationship as a bridge into your network. You didn’t click anything suspicious. You didn’t make a mistake. You trusted someone you had every reason to trust, and that trust became the attack vector.

Neither of these requires a technical genius. Both work because they’re designed around human behavior, not technical vulnerabilities.

And it’s escalating. Industry intelligence and peer conversations at conferences are surfacing a growing threat: AI-generated attacks that can impersonate your CFO’s writing style, replicate vendor invoice formats with perfect accuracy, and craft phishing emails written specifically for your organization. Companies that look exactly like yours are already encountering this.


The Alert Nobody Saw

One of the most painful patterns we uncover in post-attack investigations is the alert that was there all along.

In one case we responded to, security alerts had been coming in for months, going to a folder nobody was actively reviewing. The IT team wasn’t equipped to recognize what those alerts meant from a security standpoint. By the time the attack was visible, criminals had been inside the network for over a year.

The NMFTA guidebook is explicit: alerts are only useful if they’re configured correctly and watched in real time. That requires either dedicated internal resources or a security partner whose specific job is to monitor threats around the clock.

A generalist IT team managing day-to-day operations cannot reliably do this. That’s not a criticism. It’s a staffing reality.


Too Many People Have the Keys

The third piece of this — one that compounds every other vulnerability — is excessive access.

Imagine if every driver in your fleet had access to your company bank account. That’s essentially what excessive admin privileges look like inside a network. If a criminal gets access to one admin account, they have the keys to everything that account can reach.

The principle of least privilege is simple: people get access to what they need to do their job, and nothing more. The NMFTA lists this as a Tier One control. We find it misconfigured in many of the fleet security audits we conduct.


Real Talk: This Is Not a Training Problem Alone

Companies respond to human risk by scheduling annual cybersecurity awareness training. Watch a video. Pass a quiz. Check the box. That training has value. The NMFTA recommends it for good reason.

But training alone doesn’t stop a perfectly crafted fake invoice from a spoofed vendor domain. It doesn’t catch an alert sitting unread in a security folder. It doesn’t limit the damage when one compromised account has access to everything.

The human layer requires more than education. It requires systems, monitoring, and access controls that assume someone will eventually be fooled — because they will — and limit the blast radius when it happens.

Your people aren’t the problem. The absence of systems designed to protect them is.


Three Questions Worth Asking

  1. Are security alerts monitored around the clock, in real time?
  2. How many people in our organization have administrative access — and when was that list last reviewed?
  3. Has our team not just received but completed and passed cybersecurity awareness training in the last twelve months? Is someone monitoring your Employee Security Score to ensure staff is actually consuming and understanding it, not just clicking through?

If the answers are uncertain or overdue, you know where to start.


Contact us at ITArchiTeks.com to start the conversation.

Because hope is not a strategy… and proof is how you protect profit.


Written by Melanie Padron

Vice President of Strategic Growth · IT ArchiTeks
Risk Strategist · National Cybersecurity Speaker

Melanie Padron brings nearly three decades of risk management experience, spanning insurance and cybersecurity, to help trucking and logistics leaders validate security posture, strengthen resilience, and protect revenue before pressure reveals what preparation concealed.

She’s a nationally recognized cybersecurity keynote speaker and the creator of two acclaimed talks:

  • Surviving a Cyber Crisis: Real Stories. Real Lessons. Real Money.
  • Proof to Profit: How Leaders Protect Revenue in the Age of Ransomware and AI

To bring either conversation to your conference, association, or leadership team — visit ITArchiTeks.com or connect with Melanie directly on LinkedIn.

The Ransomware Wasn’t the Problem. Trusting the Wrong People With the Wrong Job Was.

Most of the trucking companies we help recover after a ransomware attack weren’t careless. They had people handling cybersecurity. They had systems in place. They thought they were covered.

They weren’t.

Not because they failed to act. Because the people they trusted to act weren’t equipped for the job.

There’s a critical difference between IT and cybersecurity. Between a Managed Service Provider who keeps your systems running and a cybersecurity partner who keeps your systems protected. Most trucking companies have the first. Almost none have the second.


The NMFTA Built a Roadmap. Most Fleets Don’t Know It Exists.

The NMFTA Cybersecurity Best Practices Guidebook for Mid-Sized Fleets lays out four tiers of cybersecurity maturity. Tier One isn’t advanced. It isn’t optional. The guidebook calls it prerequisites — the foundational controls every fleet must have before anything else is built on top.

Tier One includes tested backups, MFA on every account, updated software, endpoint detection, secured wireless networks, and least privilege access. That’s the starting line. Not the finish line.

When we conduct a comprehensive fleet security audit, we look for everything — basic through advanced. And what we find, almost every single time, is that the starting line controls — the ones that should’ve been locked in years ago — have gaps nobody knew were there.


How It Happens to Smart, Well-Run Companies

A trucking company hires an IT team or contracts with an MSP. Those people are good at what they do. They keep the network running, manage updates when they can, and handle day-to-day technical issues. Leadership trusts them. Why wouldn’t they?

But IT isn’t cybersecurity. An MSP focused on uptime and helpdesk tickets isn’t a cybersecurity partner. The skill sets are related — but they’re not the same.

Cybersecurity requires a threat-first mindset. Someone who thinks like an attacker, not just like an administrator. Most IT teams and generalist MSPs were never trained that way — and were never hired to think that way.

So the backups get configured. But nobody tests whether they can actually be restored under pressure. MFA gets turned on for some accounts. But not all of them. Software updates get applied when convenient. But the end-of-life systems that haven’t been touched in years? Those sit quietly in the corner — and criminals find them before anyone else does.

Nobody skipped anything on purpose. The fundamentals just never got done properly because the people doing them didn’t know what properly looked like from a security standpoint.


The Three Tier One Failures We Find Most Often

01 · Backups That Have Never Been Tested

The NMFTA guidebook is explicit: testing backups is an equally important and often overlooked requirement. Not just running them — testing them. Restoring from them. Timing the process. Confirming the data is complete, uncorrupted, and accessible when everything else has gone dark.

We’ve helped companies recover after an attack only to discover the backup existed but couldn’t be used — corrupted files, incomplete data, backups stored on the same network ransomware just encrypted, companies that couldn’t locate their own decryption key.

Think of it like a spare tire. Owning one isn’t enough. You need to know it’s inflated, you can get to it, and someone on your team has actually changed a tire before.

02 · MFA That Isn’t Everywhere

Multi-Factor Authentication is one of the most effective and affordable controls available. The NMFTA lists it as a Tier One prerequisite. Yet we consistently find it turned on for some systems and completely absent from others — email accounts, remote access, administrative accounts.

Criminals don’t hack into networks. They log in. A stolen password with no MFA behind it is an open door.

03 · Unpatched and End-of-Life Systems

Running unpatched software is like driving on bald tires. Trucking operations run specialized software that doesn’t always get updated — maintenance diagnostic tools, TMS platforms, legacy systems running since before anyone thought to ask whether they were still supported.

Criminals scan the internet for these vulnerabilities the way a predator scans for the weakest animal in the herd. If you’re behind on patches, you’re the easy target.


The Conversation Nobody Prepares You For

When we sit down with a company and walk through what we found, the reaction varies. Some leaders lean in immediately. They want to know everything. They’re relieved someone finally looked closely enough to find it. Healthy teams with healthy cultures respond that way.

But sometimes there’s defensiveness. If your IT person has been managing cybersecurity for years, our findings can feel like a grade on their work. That’s a hard thing to receive in front of leadership, and we respect that.

We’re not here to replace your IT team or expose them. We’re here to fill the gaps they were never trained or hired to fill. Our goal is to be their security extension — to stand them up and make them look like heroes.

Cybersecurity is a specialty. Expecting a generalist IT team to cover it completely is like expecting your dispatcher to also handle your DOT compliance audits. Related world. Different expertise.


This Is a Leadership Conversation, Not an IT Conversation

Cybersecurity isn’t an IT problem you can hand off and stop thinking about. It’s a business risk that requires leadership to ask hard questions, demand proof not assumptions, and understand the difference between a team that keeps the lights on and a team that keeps the criminals out.

The question worth sitting with isn’t whether you have someone handling cybersecurity. It’s whether you’ve ever asked them to prove it.


Three Questions Worth Asking

  1. When did we last restore from backup under realistic conditions — and how long did it take?
  2. Which accounts in our organization don’t have MFA enabled right now?
  3. What systems are we running that are no longer supported by the manufacturer?

If those questions get answered quickly with documented proof, that’s a good sign. If they’re met with hesitation or vague reassurances — you now know where to focus.


Contact us at ITArchiTeks.com to start the conversation.


Written by Melanie Padron

Vice President of Strategic Growth · IT ArchiTeks
Risk Strategist · National Cybersecurity Speaker

Melanie Padron brings nearly three decades of risk management experience, spanning insurance and cybersecurity, to help trucking and logistics leaders validate security posture, strengthen resilience, and protect revenue before pressure reveals what preparation concealed.

She’s a nationally recognized cybersecurity keynote speaker and the creator of two acclaimed talks:

  • Surviving a Cyber Crisis: Real Stories. Real Lessons. Real Money.
  • Proof to Profit: How Leaders Protect Revenue in the Age of Ransomware and AI

To bring either conversation to your conference, association, or leadership team — visit ITArchiTeks.com or connect with Melanie directly on LinkedIn.

You Have an Incident Response Plan. Has Anyone Actually Practiced It?

Most trucking companies have an incident response plan. Almost none have practiced it under pressure. The NMFTA framework and ransomware data agree: a plan no one has rehearsed is not a plan. It’s paperwork.


The ransomware hit at 6:12 a.m.

Dispatch went dark. TMS was inaccessible. Drivers were calling. Customers were calling. And the executive team was staring at each other asking a question no one had ever actually answered before:

Who is in charge right now?

Not “who is technically responsible for IT.” Who makes the decision to shut systems down? Who calls legal? Who calls the insurance carrier? Who authorizes the forensics firm? Who communicates with drivers? Who notifies customers?

If your team would have to answer those questions for the first time during an active incident, your incident response plan has never been practiced.

A plan no one has practiced is not a plan. It’s paperwork.


The NMFTA Framework Is Explicit About This

The NMFTA Cargo Crime Framework requires a documented incident response plan that is regularly tested and kept up to date — not written once and filed. Tested. Meaning someone ran a scenario, people made real decisions, gaps were exposed, and those gaps were corrected before the real incident revealed them.


What the Ransomware Data Tells Us

  • 64% of closed claims in 2025 were resolved with no out-of-pocket loss — the direct result of rapid, practiced response (Coalition 2026)
  • 65% average reduction in ransom demands via negotiation — but negotiation requires time, legal authority, and a coordinated team that knows their roles (Coalition 2026)
  • The gap between a breach and the first class-action filing has shrunk to days (Chubb 2026)

If your team is making decisions for the first time during the incident, you are not responding. You are improvising. And improvisation under pressure is how recoverable situations become catastrophic ones.


The Five Decisions That Must Be Pre-Made

  • Containment authority — who can take systems offline right now, without a committee?
  • Legal notification — who calls counsel, and when? Breach notification laws may require action within 72 hours.
  • Insurance activation — who calls the carrier, and do they have the policy number memorized?
  • Forensics authorization — who engages a forensics firm, and do you have one on retainer?
  • Communication authority — who speaks to drivers, customers, and media?

These decisions need to be made before the crisis. Written down. Distributed. Practiced until they are muscle memory.


What a Tabletop Exercise Actually Looks Like

A tabletop exercise is not a presentation about cybersecurity. It is a structured simulation in which your leadership team walks through a realistic scenario and makes real decisions in real time.

It exposes who hesitates when they should move, who moves when they should escalate, and where your documented plan breaks down against reality. Then those gaps get fixed — before the real incident.


The Proof to Profit Argument

You don’t rise to the occasion. You fall to the level of your preparation.

And preparation that has never been practiced is not preparation. It’s intention.

At the NMFTA Convention this year, Proof to Profit is my answer to that question. It’s a leadership framework built on five disciplines: Prepare. Prove. Practice. Protect. Profit.

Criminals have practiced. They’ve rehearsed this. They know what they’re doing when they hit your systems.

The question is whether you do.

Book a Tabletop Exercise with IT ArchiTeks  |  Register for NMFTA Convention 2026


Written by Melanie Padron

Vice President of Strategic Growth · IT ArchiTeks
Risk Strategist · National Cybersecurity Speaker

Melanie Padron brings nearly three decades of risk management experience, spanning insurance and cybersecurity, to help trucking and logistics leaders validate security posture, strengthen resilience, and protect revenue before pressure reveals what preparation concealed.

She’s a nationally recognized cybersecurity keynote speaker and the creator of two acclaimed talks:

  • Surviving a Cyber Crisis: Real Stories. Real Lessons. Real Money.
  • Proof to Profit: How Leaders Protect Revenue in the Age of Ransomware and AI

To bring either conversation to your conference, association, or leadership team — visit ITArchiTeks.com or connect with Melanie directly on LinkedIn.

Your Backups Are Not Protection. They’re Hope.

“We have backups” is one of the most dangerous sentences in trucking cybersecurity. The NMFTA framework and real ransomware data tell the same story: untested backups aren’t a safety net. They’re a false confidence trap.


I’ve heard it too many times.

“We have backups.”

Said with confidence… as a full answer… as if those three words close the conversation about ransomware preparedness.

They don’t.

Here is what “we have backups” actually tells me: You have files somewhere that are supposed to contain copies of your critical data. Whether those files are complete, uncorrupted, current, accessible under pressure, and restorable within a timeframe your business can survive… that you don’t know. Because you haven’t tested it.

Untested backups aren’t protection. They’re hope. And hope is not a strategy for a trucking company facing ransomware at 3 a.m. when dispatch is offline, drivers are calling, and customers are sending angry emails.


What the Data Actually Says

  • 70% of ransomware claims in 2025 involved both encryption and data exfiltration (Coalition 2026 Cyber Claims Report)
  • Average ransomware demands crossed $1 million for the first time — a 47% year-over-year increase
  • 86% of victims refused to pay — because organizations with tested backups had options the others didn’t

The difference between those two groups isn’t budget. It’s proof.


The NMFTA Framework on Technology Resilience

The NMFTA Cargo Crime Framework calls out specific controls that determine whether you reach your backups at all:

  • Proactive EOL Management — software exploits were the most common ransomware attack vector in 2025 (38% of confirmed incidents per Coalition)
  • Device encryption — data at rest encrypted; data in transit using secure protocols
  • Network segmentation — special-purpose devices isolated so ransomware entering one doesn’t reach everything

Three Questions That Reveal Your Real Backup Posture

1. When did we last restore from backup — the full environment, under realistic conditions?
If the answer is “when we set it up,” you have not tested your backups. You have assumed they work.

2. Are our backups stored where ransomware cannot reach them?
Backups connected to the same network as your primary systems can be encrypted alongside everything else. Immutable, offsite, or air-gapped backups are different. Do you know which you have?

3. How long does a full restoration actually take — and can your business survive that long?
A backup that takes three weeks to restore is not a ransomware recovery tool. It’s a disaster.


The Proof to Profit Moment

One of the five gaps I consistently see inside trucking companies is backup confidence: the belief that having backups is the same as being able to use them under pressure.

If you haven’t tested your backups, you don’t have a recovery plan. You have a theory.

It’s time to test the theory before someone tests it for you.

Schedule a Backup Validation Assessment with IT ArchiTeks  |  Learn More About Proof to Profit at NMFTA Convention


Written by Melanie Padron

Vice President of Strategic Growth · IT ArchiTeks
Risk Strategist · National Cybersecurity Speaker

Melanie Padron brings nearly three decades of risk management experience, spanning insurance and cybersecurity, to help trucking and logistics leaders validate security posture, strengthen resilience, and protect revenue before pressure reveals what preparation concealed.

She’s a nationally recognized cybersecurity keynote speaker and the creator of two acclaimed talks:

  • Surviving a Cyber Crisis: Real Stories. Real Lessons. Real Money.
  • Proof to Profit: How Leaders Protect Revenue in the Age of Ransomware and AI

To bring either conversation to your conference, association, or leadership team — visit ITArchiTeks.com or connect with Melanie directly on LinkedIn.

Your Vendor Has Access to Everything. Have You Tested Them?

Your TMS provider. Your telematics platform. Your fuel card processor. They all have access to your data, your systems, your operations. The NMFTA says vendor exploitation is a primary cargo theft vector. What have you actually verified?


You don’t just have one attack surface. You have dozens.

One for every vendor who touches your systems. Your TMS provider. Your telematics platform. Your fuel card processor. Your payroll system. Your maintenance software. Your cloud backup service. Your ELD vendor.

Every single one of them connects to your environment. Every single one of them is a potential entry point. And in most trucking companies, the honest answer to “what access do your vendors have and what security do they maintain?” is somewhere between “I think I know” and “I’d have to ask someone.”

That’s a gap. And criminals are exploiting it.

The NMFTA’s Cybersecurity Cargo Crime Reduction Framework is direct: organized criminal networks are actively targeting supply chains by infiltrating vendors, trading partners, and third-party service providers. They use collusion. They use coercion. They establish shell companies. They compromise legitimate vendors to gain access to the companies those vendors serve.

Your vendor’s breach is your breach. Your vendor’s negligence is your liability.


The Vendor Problem Most Fleets Won’t Say Out Loud

“We trust our vendors.”

That’s not a security posture. That’s a relationship.

Trust has nothing to do with your attack surface. A vendor you’ve worked with for a decade can still be compromised. A vendor with an excellent reputation can still have a disgruntled employee. A vendor with a signed contract can still have inadequate security practices that your contract never required them to prove.

Three questions every fleet executive should be able to answer:

  1. Do you have a current, complete list of every vendor with access to your systems or data?
  2. When did you last assess their security posture — not review a contract, but actually validate their controls?
  3. Does your contract require specific cybersecurity standards and breach notification within a defined timeframe?

If the answer to any of those is no or “I’m not sure,” you have a gap a criminal can walk through.


What Vendor Exploitation Actually Looks Like

Sometimes it looks like a legitimate vendor’s employee being recruited by an organized criminal network — approached, paid, and turned into an insider threat with unfettered access to your dispatch data or shipment schedules.

Sometimes it looks like a compromised vendor sending a routine software update that contains malware or opens a backdoor.

Sometimes it looks like your telematics vendor’s platform being used to track high-value shipments in real time — so criminals can time a physical interception with precision.

This isn’t hypothetical. It’s documented in the NMFTA framework.


The Controls That Close This Gap

  • Documented vendor management program — every vendor, every access level, every security requirement in writing
  • Role-based access control — vendors access only what their job requires, nothing more
  • Contractual security requirements — MFA, encryption, and incident notification timelines in every vendor contract
  • Regular reassessment — a vendor’s security posture at onboarding is not their posture 18 months later

The Proof to Profit Question

Your vendor list is your attack surface. At the NMFTA Convention this year, Proof to Profit will address vendor risk as one of the five gaps I see most consistently inside trucking companies. The fleets being hurt aren’t being hurt by strangers. They’re being hurt by access they granted and never monitored.

Book a Security Assessment with IT ArchiTeks  |  Learn More About NMFTA Convention


Written by Melanie Padron

Vice President of Strategic Growth · IT ArchiTeks
Risk Strategist · National Cybersecurity Speaker

Melanie Padron brings nearly three decades of risk management experience, spanning insurance and cybersecurity, to help trucking and logistics leaders validate security posture, strengthen resilience, and protect revenue before pressure reveals what preparation concealed.

She’s a nationally recognized cybersecurity keynote speaker and the creator of two acclaimed talks:

  • Surviving a Cyber Crisis: Real Stories. Real Lessons. Real Money.
  • Proof to Profit: How Leaders Protect Revenue in the Age of Ransomware and AI

To bring either conversation to your conference, association, or leadership team — visit ITArchiTeks.com or connect with Melanie directly on LinkedIn.

The Load Board Lie: How Criminals Use Your Own Systems to Steal Your Freight

The NMFTA’s newly released Cybersecurity Cargo Crime Reduction Framework identifies Online Freight Platform Exploitation as one of the six primary vectors through which cargo crime is now being executed. Their description is clinical. The reality is devastating.


What’s Actually Happening on Your Platforms

The rise of digital freight matching platforms, load boards, and online brokerages has created something criminals find irresistible: centralized, accessible, credential-dependent systems that connect freight to carriers at scale.

The same efficiency that makes these platforms valuable to you makes them valuable to criminals. Here’s how the attack typically unfolds:

Step 1 — Reconnaissance.
Criminals monitor platforms, identify active shippers and brokers, and map freight networks. High-value commodities like electronics, pharmaceuticals, and food are prioritized.

Step 2 — Credential theft.
Through phishing, social engineering, or brute force, attackers gain access to legitimate accounts. They don’t need to create new accounts if they can take over existing ones.

Step 3 — Impersonation.
Using a compromised account or a lookalike domain, criminals communicate with drivers, shippers, or brokers as if they are you or your platform.

Step 4 — Pickup.
A fraudulent carrier arrives at the dock with the right paperwork. And leaves with your freight. By the time the real carrier calls asking about the load, it’s gone.


The Gap the NMFTA Is Pointing At

The framework is specific about what’s missing in most organizations. It’s not hardware. It’s not software. It’s discipline.

  • Documented service inventory — a complete, current list of every load board, freight platform, and account your organization uses
  • Documented communication protocols — so your team has a baseline to flag as suspicious when criminals deviate from it
  • User awareness training — actual behavioral training, not annual compliance videos
  • Multi-factor authentication — enforced on every account that touches freight data or load assignments

The Proof to Profit Connection

Here’s what I see consistently in trucking companies that have been victimized through their freight platforms: they knew they were supposed to have these controls. They had policies that described them. Some had even purchased tools to support them.

What they hadn’t done was prove those controls were working.

Preparation is not proof. And in the gap between the two, freight disappears.


What You Should Do This Week

  1. Pull a list of every freight platform your team accesses. If you can’t produce it in 10 minutes, that’s your first gap.
  2. Confirm MFA is enforced — not just available — on every account.
  3. Document how each platform is authorized to communicate with your team. Deviations require out-of-band verification.
  4. Ask your IT team when the last phishing simulation was run against dispatchers and operations staff.

Contact us at ITArchiTeks.com to start the conversation.

Because hope is not a strategy… and proof is how you protect profit.


Written by Melanie Padron

Vice President of Strategic Growth · IT ArchiTeks
Risk Strategist · National Cybersecurity Speaker

Melanie Padron brings nearly three decades of risk management experience, spanning insurance and cybersecurity, to help trucking and logistics leaders validate security posture, strengthen resilience, and protect revenue before pressure reveals what preparation concealed.

She’s a nationally recognized cybersecurity keynote speaker and the creator of two acclaimed talks:

  • Surviving a Cyber Crisis: Real Stories. Real Lessons. Real Money.
  • Proof to Profit: How Leaders Protect Revenue in the Age of Ransomware and AI

To bring either conversation to your conference, association, or leadership team — visit ITArchiTeks.com or connect with Melanie directly on LinkedIn.

What Prepared Fleets Do Differently

Same Attack. Different Outcome. Here’s What Separates Them.

Picture two fleets. Similar size. Similar technology. Similar customer base.

Both get hit by the same ransomware attack.

One’s back to full operations in 18 hours. The other is still partially down three weeks later, negotiating with criminals, fighting with their insurance carrier, and fielding calls from customers who’ve already started moving their freight elsewhere.

Same attack. Completely different outcome.

The difference isn’t budget. It isn’t company size. It isn’t which security software they purchased. One fleet prepared, proved, and practiced before pressure arrived. The other assumed they were ready — and found out they weren’t.

Most executives treat cybersecurity preparedness as an IT problem.

I’m here to tell you it’s a leadership problem.

Your IT team cannot authorize the incident response. They can’t decide when to shut systems down, who calls legal, who contacts your insurance carrier, who communicates with your drivers and customers, who controls the message to the outside world.

Those are executive decisions. And if you’ve never made them before, never walked through them, never practiced them, never assigned them… you will be making them for the first time in the worst possible moment. Under pressure. With everything on the line.

That’s not preparation. That’s hope with a job title.


THEY TREAT CYBERSECURITY AS A LEADERSHIP RESPONSIBILITY

The single most consistent characteristic of prepared fleets isn’t technical. It’s organizational.

Someone at the executive level owns cybersecurity. Not IT tickets. Not help desk response times. Risk. That executive asks hard questions, receives regular briefings in business language, and is accountable for making sure preparation is validated, not assumed.

What isn’t owned isn’t prioritized. And what isn’t prioritized becomes exposed.


THEY KNOW THEIR NUMBERS BEFORE SOMEONE FORCES THEM TO

Ask a prepared fleet executive what one hour of operational downtime costs their business — in dollars per hour — and they’ll tell you. They’ve run the numbers. They know which systems are non-negotiable. They know how long they can realistically operate without each one.

Ask the same question in an unprepared fleet and the answer’s usually a pause followed by “I’d have to check with IT.”

That pause is assumption. And assumption isn’t a revenue protection strategy.


THEY PRACTICE BEFORE PRESSURE REQUIRES IT

You can have a forty-page incident response plan… perfectly written, fully approved, and completely useless… if no one’s ever actually practiced it.

If I asked your executive team to run a tabletop exercise right now, most of you would look at me and say ‘What’s a tabletop exercise?’

And that’s okay. You’re experts in trucking. You’re not expected to speak cybersecurity.

But here’s what I know to be true: we are experts in both. We understand how a trucking business is supposed to run… what it means to dispatch a load, manage a driver, deal with the pressure of keeping trucks moving. And we understand the security side that most MSPs serving this industry don’t.

The gap between those two worlds is exactly where most fleets get hurt. And it’s exactly where we live.

You don’t need to know what a tabletop exercise is. You need to be willing to do one. That’s it. We’ll handle the rest.

Practiced teams respond. Unpracticed teams react. The difference between those two words is measured in hours of downtime, thousands in recovery costs, and customer relationships that either hold or don’t.


THE PROOF TO PROFIT FRAMEWORK IN PRACTICE

We built the Proof to Profit Framework around the five disciplines we see consistently in fleets that weather disruption and come out stronger:

  • Prepare — Define ownership, identify what you can’t afford to lose, vet every vendor.
  • Prove — Validate independently that your controls work.
  • Practice — Rehearse your response so decisions come from muscle memory, not panic.
  • Protect — Build layered defense that detects, contains, and recovers at speed.
  • Profit — Resilient fleets retain customers, protect contracts, and preserve revenue when disruption hits everyone around them.

Prepared fleets aren’t lucky. They’re disciplined.


Contact us at ITArchiTeks.com to start the conversation.

Because when trucks stop moving, money stops moving… and the fleets that lead in resilience are the ones that keep moving.


Written by Melanie Padron

Vice President of Strategic Growth · IT ArchiTeks
Risk Strategist · National Cybersecurity Speaker

Melanie Padron brings nearly three decades of risk management experience, spanning insurance and cybersecurity, to help trucking and logistics leaders validate security posture, strengthen resilience, and protect revenue before pressure reveals what preparation concealed.

She’s a nationally recognized cybersecurity keynote speaker and the creator of two acclaimed talks:

  • Surviving a Cyber Crisis: Real Stories. Real Lessons. Real Money.
  • Proof to Profit: How Leaders Protect Revenue in the Age of Ransomware and AI

To bring either conversation to your conference, association, or leadership team — visit ITArchiTeks.com or connect with Melanie directly on LinkedIn.