Imagine building something for 95 years.

Three generations. Hundreds of employees. 75 terminals across the country. A name in the industry that meant something. A company your grandfather started, your father grew, and you were supposed to carry forward.

Then one night, everything goes dark.

Dispatch offline. Drivers unable to log trips. The call center silent. 800 computers encrypted. Ransom paid. Weeks of around-the-clock recovery work that still couldn’t save what had already been lost. The attack was the final nail in the coffin for a company already under financial strain.

A year later, they closed permanently.

What haunts me about this story isn’t just the loss. It’s that it was preventable. They had IT support. They had systems in place. What they didn’t have was a cybersecurity framework, independent verification that their systems actually worked, or any way to prove they were protected when it mattered most.

They believed they were. They couldn’t prove it.

That gap — between belief and proof — is what this post is about.


Three Gaps That Turn Belief Into a Liability

When I look back at situations like this one, the same three vulnerabilities show up every time. None of them are hard to fix. And most trucking companies I work with have at least one — often all three.

Gap 1: The Cloud Created a False Sense of Security

When a company moves to Microsoft 365, a cloud-based TMS, or any hosted platform, there’s often a collective exhale. Someone else is managing the infrastructure. The assumption — rarely stated but almost always present — is that security came along for the ride.

It didn’t.

Your vendor secures the underlying cloud infrastructure. Securing your data, your user access, your permissions, your configurations? That remains entirely your responsibility. It’s all spelled out in the fine print that nobody reads.

Just because you outsource your technology does not mean you outsource your risk.

Most trucking companies aren’t even having this conversation with their vendors. Many don’t have an inventory list of who their vendors are, let alone what security standards those vendors meet. At minimum, maintain a vendor list and send the NMFTA’s vendor vetting questions to each one. It starts a conversation most companies have never had.

Gap 2: The Network Had No Locked Doors

The NMFTA Cybersecurity Best Practices Guidebook lists internal network segmentation as a Tier Two control. The concept means dividing your network into separate sections so that if criminals get into one area, they can’t move freely into everything else.

Think of it like a warehouse with no locked doors between departments. Someone gets through the front entrance and suddenly they have access to the loading dock, the offices, the safe, and the server room.

Improper segmentation — or no segmentation at all — is one of the most common gaps we find in our fleet security audits. When ransomware enters a flat network it doesn’t stay where it landed. It moves fast and takes everything it can reach.

Gap 3: Nobody Had Independent Eyes on It

This is the one that connects everything back to that 95-year-old company.

Their IT partners were reporting that things were fine. Nobody had ever brought in an independent set of eyes to verify whether what they had actually worked. Your IT team and your MSP can’t assess their own work. Even the most well-intentioned internal team has blind spots they genuinely cannot see because they’re too close to the environment they built.

You cannot fix what you cannot see. And you cannot see what you’ve never had someone qualified look for.

If your IT provider resists independent scrutiny, ask yourself why. The answer matters more than the explanation.


Belief and Proof Are Not the Same Thing

I’m not writing this to frighten anyone. I’m writing it because I’ve sat across from too many trucking leaders who had every reason to believe they were protected — and discovered too late that they couldn’t prove it.

Your IT team may be excellent. Your MSP may be responsive. Your cloud vendor may be reputable. None of that is proof that your specific environment is actually secure.

Proof comes from independent eyes. From a framework built for your industry. From testing that happens before criminals do it for you.

Age and legacy are not safeguards against modern threats. The most expensive hour in your business is the one you assumed would never happen.


Three Questions Worth Asking

  1. Do you have a complete vendor list — and have you asked each vendor what they are responsible for securing versus what you are?
  2. Who outside of your internal IT team or MSP has independently assessed your security posture, and when?
  3. If ransomware entered your network today, what would stop it from reaching every system you operate?

If those questions don’t have clear documented answers, you have your starting point.


Contact us at ITArchiTeks.com to start the conversation.

Because hope is not a strategy… and proof is how you protect profit.


Written by Melanie Padron

Vice President of Strategic Growth · IT ArchiTeks
Risk Strategist · National Cybersecurity Speaker

Melanie Padron brings nearly three decades of risk management experience, spanning insurance and cybersecurity, to help trucking and logistics leaders validate security posture, strengthen resilience, and protect revenue before pressure reveals what preparation concealed.

She’s a nationally recognized cybersecurity keynote speaker and the creator of two acclaimed talks:

  • Surviving a Cyber Crisis: Real Stories. Real Lessons. Real Money.
  • Proof to Profit: How Leaders Protect Revenue in the Age of Ransomware and AI

To bring either conversation to your conference, association, or leadership team — visit ITArchiTeks.com or connect with Melanie directly on LinkedIn.