By fully educating your team on the most efficient ways to reduce cyber risk, you can save everyone from numerous headaches in today’s highly digital environment. John Riley sits down with Sten Svendsen, vice president of the ASF Liquid Logistics Division, to discuss the importance of building and nurturing a culture of cybersecurity in your organization. Drawing from his first-hand experiences dealing with cyber disasters, Sten explains why training your team about cybersecurity from the get-to is essential in combating the rising threat of data breaches and attacks. He also shares what it takes to handle the use of AI for fraudulent means and how to maintain your integrity as you pursue all of your business goals.
—
Watch the episode here
Listen to the podcast here
Building A Culture Of Cybersecurity With Sten Svendsen
Welcome to Navigating Cyber Risk with your host, John Riley, where we explore the challenges faced by executives as they grapple with new cybersecurity mandates. We have an amazing guest who is a 25-year resident of the United States. He’s been sailing in the Gulf with a glass of wine. He’s the vice president of Liquid Logistics for ASF. Welcome, Sten Svendsen.
I very much appreciate it.
Difference Between Cybersecurity And Cyber Risk
Thanks for being on the show here, Sten. We’re going to jump right in. The main question that we’ve got is, what do you see as the difference between cybersecurity and cyber risk?
They’re late because if you don’t have the security, you’re at risk inherently. Having had personal experience with a cyber incident, as it was called internally in the organization I was with at the time, I know firsthand how disruptive it can be to a company. This was a global company, and this happened on a global scale. Risk is every single day, whether it’s an email, it’s a text, or it can be a phone call. Having the security in place helps you mitigate some of those issues and some of those risks before they even hit people’s inboxes, or hopefully also their phones, which can be very difficult. Most people nowadays are using their personal phones. They don’t necessarily have a company phone. They’re much interlinked, to be quite honest.
Using those personal devices, there is a lot of work from home, and devices that are not controlled. Trying to track those and understand what those risks are, it became more complicated during COVID in general. In a new world, that risk is higher than it was, maybe than previously.
The experience that I had personally happened during COVID, which, for the most part, started innocently enough, but then it snowballed very quickly to the extent that no one could communicate. You had to essentially create a new Gmail account to sound somewhat similar to your old company account, which was a red flag from Google. That got shut down, and then you had to start another one. There were several days before anyone could communicate across platforms in a way that you could keep business going. Being in logistics, that’s a 24/7, 365, complete global economy.
If you, for whatever reason, are shut down, living on the Gulf Coast, as you do as well, we have hurricanes. We have storms. You may lose power for a couple of days, depending on where you live, but losing visibility to your business was massively disruptive. Even though it got rectified relatively quickly within a week or two, those two weeks were hugely detrimental to the company. This was also at the same time as we were onboarding a company that had just been acquired. You have all these uncertainties and all these factors that are coming in from left and right. Customers can’t contact you.
You don’t have access to the POs or purchase orders. You don’t have access to documentation, so customers can get their cargo. It was a nightmare. When it comes to the security side of things, I’m a huge proponent for that, having had very firsthand experience with the extreme negative side. Even though it wasn’t necessarily a ransom thing, some people on the other end held the cards for a while. It got alleviated. How? I don’t know. I wasn’t privy to that. That was a little bit above my pay grade. There can be no doubt that if you don’t have measures in place, it can be extremely disruptive to your business.
Weaponizing Innocent-Looking Emails
Along those lines, if you’re running a company, what do you see as being the most significant cyber threats that are out there?
The first touchpoint many people get is via email. It can be an innocent email, where it looks similar enough to a colleague or a superior who is sending an email with a link or an attachment. They’re asking you to open it. That’s how the incident happened that I was just talking about. Somebody clicked on a link, and they went in. Train people how to be a little bit vigilant about not just hitting an open attachment or a link just because it looks somewhat similar, because all it takes is one digit or one letter that is different. It is something I’ll get into a little bit later, as well as with some other risks that are associated with this.
We’ve had people call me on my mobile phone or via my work number. We were using Teams at the time. He was impersonating someone that were supposedly sitting with the CEO of our company. He needed a $50,000 transfer immediately because he was about to close a business. I know that’s bogus, but a junior person who may have just joined a company has no idea. They want to save and keep that job there, depending on where it is in the world.
When they get a call like that, there’s some cultural aspect that plays into it, and they are taught to follow orders essentially. That was scary as well. They haven’t for a while, shortly after the cyber incident that I just mentioned. There are many aspects. With AI coming into play as well, it can become more and more difficult to decipher what’s an actual email versus one that’s 100% bogus.
Prioritizing Cybersecurity From The Get-Go
They’re even taking that a step further because it’s not just email anymore. It’s also voice patterns. It’s being able to use the CEO’s voice to make a phone call. It’s getting to be very difficult, especially as an employee or something, trying to differentiate. If you get the email and then you get a voicemail from the CEO saying the same thing, “Wait a minute, now I’ve got two or three different ways of being asked.” That’s got to be real. That’s one of the struggles that is going to come from that. When you’re talking about that, if you were a CEO, how would you prioritize that cyber risk? You’ve got to run your business. You’ve got to make money. You’ve got to do all these things. Where do you feel that cyber risk piece should land?
It’s like when you hire someone. In my line of business, if it’s a non-revenue-generating position, you have to justify it. That’s from hiring IT people, where you need to have IT systems. Security people can also be in my line of work when it comes to air freight. You need to have a person who is up to speed with anything that is TSA-regulated with the Transportation Security Administration. If I were to start a company from scratch, it would rank very high on my priority list.
Let’s say you’re a startup. You are five or ten people starting up, and then you grow to 100 people. That’s still a relatively small company. You are just as much at risk as a large organization because you may have fewer fail-safes in place. It can be an expensive piece of investment to make early on, but you have to build it into your business plan from the get-go. Also, investors or banks will look at, “What plans do you have in place when it comes to cybersecurity?”
If I’m going to invest X amount of money into your company and that money is going to walk out the door because you have to pay somebody ransom to give you back your passwords or whatever it is, at the end of the day, it’s an uncomfortable conversation to have up front. It needs to happen. Otherwise, you are going to be so exposed, or can be so exposed, because nobody is safe anymore. I don’t want to sound like doom and gloom, but there were emails coming into my inbox that I had to verify with some colleagues whether they were correct or not. Working for a small or midsize freight forwarding company, we are just as much at risk as some of the bigger players in the market.
Building that culture of security from the beginning is important. One of the things you mentioned was a growth company going from 10 employees to 100 employees. There’s a point where the CEO may not necessarily know every single person. Especially if you’re in a high-growth industry where you’re just hiring people, you need butts in the seats. It becomes, “Who is this person?” Maybe you’re doing background checks, and maybe you’re doing the best that you can. That’s when the controls start to become important because you don’t have that personal knowledge. You’re not going out for lunch with the CEO. You lose some of that, especially in a high-growth, quick environment like that.
One thing you didn’t add on to that is if you have offices in other countries, with different time zones, you can’t get a hold of someone because it’s in the middle of the night. You can’t get verification because so and so is asleep or traveling, or whatever it might be. It becomes, in some cases, more difficult because there are more layers. Especially if you’re in a rather large organization, there are a lot of layers to it. Getting someone to answer a question very quickly becomes difficult.
Addressing The Rampant Use Of AI Tools
What do you think is going to have the biggest influence coming up? What are the technologies and such that are happening? What do you think is going to happen with cybersecurity with some of these new technologies, and what will have the biggest impact?
Even though I’m not trying to date myself here, I am dabbling with AI because resistance is futile as far as I’m concerned. You might as well embrace it because it’s going to happen. It’s happening. There are more and more tools becoming available on a daily basis. Everyone would be kidding themselves if they said they haven’t used AI to write a letter or at least proofread letters and stuff like that, because it’s very easy to do that. It’s becoming convenient.
Likewise, when it comes to cybersecurity, there may be some measures in place where there will be companies that will be able to give you a tool that will give you at least a first line of defense, so that you have a little bit of a firewall. I use a good old terminology there from back in the day, but they’re still very much true. With something like that coming into play, there will be more tools at your disposal. Sometimes, it will be relatively affordable, but then there will also be likewise on the other side. Someone’s going to be investing a lot of time, money, and effort into breaking those systems.
It is very much so. We’ve got AI. We’ve got quantum computing. We’ve got a lot of things that are starting to come out. Even the robotics and automation, there are going to be a lot of changes that are going to happen here over the next period. I always like to hear where those pieces are coming from for everybody else because it’s almost like being too close to understanding all of those things. Everything looks like a big impact on where we’re going.
Making Cybersecurity As A Top Business Priority
The next question I’ve got for you is along the lines of, and you’ve partially already answered it because you’ve lived it, what do you think it feels like to be in that situation where all the data is hacked? Since you already talked about that, were you prepared? Did you have a disaster recovery plan? Did you have a communication plan? You may not have been in that situation at that level. If you were looking at it today, do you think that the company was prepared for it? Were they practiced at it?
As much as they could be at the time. To answer your question, I was in charge of an office here in Houston with 50 people, part of a global organization, and very much in communication with others overseas on a daily basis. I had people’s phone numbers. I could text a message to people on WhatsApp and whatnot. We use WhatsApp a lot to try to get ahead, communicate, and also give staff the ability to contact customers and overseas colleagues.
Being in logistics, we move containers from A to Z and communicate with vendors to keep the ball rolling. It was hugely disruptive, as I mentioned early on. It’s a very helpless feeling because you know that when a container sits for too long, it’s going to start accumulating what’s called the merge or per diem, which is a cost that is going to happen whether you like it or not. If you haven’t picked up the container or delivered that container, you have to pay for that out of pocket.
Not only are you not getting new business coming in and keeping the revenue stream growing, but you can’t get containers returned. That means your costs just keep compounding on a global scale. I have no visibility into what the total exposure was financially, but I’m assuming it’s in the hundreds of thousands, not millions or close to millions. When you look at it on a complete global scale, there were some regions that were less impacted than others. The company had a somewhat fractured infrastructure when it came to the IT systems.
It was a global IT system, so it would communicate on the same operational platform, if you will. When it came to cybersecurity, that was very much decentralized to each country. Some countries came back online. The servers were rebuilt quickly in some regions than others. That was, if I remember correctly, 3,500 to 4,000 individuals globally, a sizable organization. I don’t think they have done enough over time to get ahead of it. They were trying to manage as best as they could because, again, do you invest millions of dollars into this in case something may happen? Looking hindsight, they’re like, “Have we just spent that money or done a little bit more here and there?” Hindsight is 20/20.
That’s always the case. For us, a lot of times when that scare happens, that’s some of our best customers, unfortunately. They then appreciate that preparedness. Even if it’s not necessarily a full breach or something, just having that sinking feeling in the stomach that you’ve been compromised or violated in that way hurts.
You can’t communicate with your customers, so your competitors are swooping in. They’re taking some business away. It takes a long time to recover from that because a lot of the companies that my previous employer was working with were blue-chip, Fortune 500, and Fortune 100 companies that have extreme security measures when it comes to compliance as well. Not just financial, ethical, and all that fun stuff, but certainly also when it comes to soft security, more of them are now beginning to implement that into their master service agreements or global contracts, if you will. It wasn’t at the time. We’re talking 2019, if I’m correct, or 2020 thereabout, so just shortly before COVID. Something like that was an eye-opener to many people. There’s no doubt about that.
It is interesting because we’re seeing more of that in the contracts, with third-party vendor management questions. Do you have a cybersecurity program? How do you deal with that? Especially if you’re dealing with the data of your customers, I guess you’re dealing with certain parts of it. Those guarantees that a lot of companies are just signing an MSA or a contract without reading it and understanding that they may be on the hook to create some of these things.
Especially when you then also have to link with those customers, like through SAP. They can place bookings and orders right into your system and vice versa. There’s an open link between the organizations. If you had a breach of trust, essentially, they may not be so inclined to open up the floodgates again until you’ve proven that things are hunky-dory. That also took a long time to rebuild some of that trust because you had that breach. It’s happened to some of the largest shipping lines in the world as well. We were a much smaller player than that. It can happen to anybody. It does take a long time to rebuild that trust. Some of those contracts may never have been recovered.
Looking Back To Sten’s Career Journey
It’s always easier to keep a customer than it is to gain a new one. The important thing to know is that when you’re playing that cyber risk game, there is the option of possibly losing those customers because of a lack of preparedness or a lack of understanding of that. Tell me a little bit about who you are. You’re Danish. You’ve been in the United States. Tell us a little more.
As mentioned, I came over many years ago and became a citizen back in 2021. My wife considered me a flight risk until I became a citizen. I’m kidding. This is my home now. I moved from Denmark to the UK and then from the UK to the US. We had a very quick transition from 1999 to the UK and then, within a year and a half already to the US. It was a big culture shock coming to Texas, a whole place that I’d never been to in the States before. Over the years, having been in logistics and transportation, I’ve had the good fortune of traveling to most states. There are four or five I’m still missing to check off my list.
I’ve seen a lot of the country. Over the years, I’ve also started working with the Danish American Chamber of Commerce. I was one of the founders here in Houston for the Danish American Chamber of Commerce to help build working relationships between American companies that want to invest in Denmark and vice versa. Danish companies want to invest in the US, which resulted in a Danish consulate being opened in Houston. There’s a lot of activity now with delegations going both ways. Houston is more than just oil and gas. There’s also life sciences. There’s the aerospace industry, which my wife works in, being NASA is right here in Houston.
I’ve had the good fortune of being exposed to many things in the many years that I’ve been here that I would not have had the opportunity to do if I hadn’t come and stayed in Denmark. Don’t get me wrong. I love my home country. Don’t get me wrong. I’d like to have a small place there when I retire someday and use that as a traveling point all over Europe. I am sitting in my home office with three dogs behind me. They’re being nice and calm right now. I’m doing that right now. I can tell you that. That, in a nutshell, is pretty much who I am.
I’ve got one under my chair as well, not three, but I get it. Tell me, what are you working on that you’re most excited about?
Having joined ASF in January, the liquid division within ASF is something relatively new. It’s myself and a partner that’s essentially kicking that off the ground, which means I’m reaching out to contacts throughout my network, some that I haven’t spoken to in a long time. It’s fun to be able to build something from scratch. Having come from a small entrepreneurial organization in the early days of my career, and I started when I was twelve, to having that company being absorbed by a large organization and then eventually absorbed by one of the largest freight forwarding companies in the world with some 500,000 employees, it’s very refreshing to come back to a small organization with three offices in the US and a handful in Asia and build something from scratch.
Culture Of Cybersecurity: It is refreshing to come back to three offices in the US and a handful in Asia, then build something from scratch by pulling out the best things we know about customer service.
We’re taking some of the things that we’ve learned over the years and essentially pulling out what we think are the best parts, which are customer service. The bigger you get, the further you get from your customers. You start adding more layers because more people and stakeholders on both sides want to have a piece of the pie and feel like they have control of that customer. I don’t like to use that word, per se.
Coming full circle, starting something from scratch, it’s invigorating and something that is hugely exciting. I feel there’s a vacuum in the market because there are a lot of players in my industry that are very large. Don’t get me wrong. You have a lot of small players. What I do is a niche market, being in the liquid side. That’s encouraging to hear that customers are accepting of that and interested in what you do.
Despite all the disruptions that are going on with the Red Sea and Panama Canal, sometimes, I know people may not be aware of these situations. You just get stuff in your stores. With the Panama Canal, there’s low water, which means ships can’t go through. With the Red Sea, you have to sail south of South Africa, which prolongs transit and all that fun stuff. You throw on top all the tariffs and whatnot. It’s very exciting to be in logistics.
All About The ASF Liquid Logistics Division
You and I talked about this a little bit before. When you’re talking liquid logistics, you mentioned some of the things that you have shipped or have done. I’m sure the audience would also like to understand that.
Liquid is anything you can put in a steel tank, a drum, an IBC tote, or a flexi bag, which is one of the things we do quite a bit of. That’s a big old water bag you put inside a standard 20-foot container that you see driving on the road on the vessels. We will load a liquid product at the origin. We do this globally, not just in the US domestically. Let’s say I’m in Houston. There are a lot of petrochemicals here. We move a lot of base oils, as it’s called, that can then go into other products. One of which is a lubricant for your car. We do ship lubricants for your car as well, Mobil 1, stuff like that. It is very similar to countries in Latin America, where they put them in cars. That is cyclical.
In the spring, there are a lot of actions because the lubricants have to go to Latin America before the winter rush. When it’s winter down there, it’s summer here, and vice versa. You get to learn about different markets and different commodities. We move anything from orange juice to wine to the base oils. We move vegetable oils, canola oils, and palm oils. Pretty much anything that’s liquid that can go inside a container, we move it. We need to have a little bit of an understanding of many different markets because we diversify as much as we can. Sometimes, as I just mentioned, there are ebbs and flows, and a lot of it is also very seasonal.
If I wanted to open a pizza shop and have New York water delivered, you’re the guy.
I can do that too. We can move that from Fiji and Hawaii. A very quick anecdote, I have moved water from Scotland from a spring in a big bag, a 6,000-gallon bag, in a container to Japan. They use that water to make ice cubes for their scotch. No joke.
When I was in San Diego, many different pizza companies were doing New York pizza. They say that the water in New York is what makes it different.
Same with bagels. You can’t get a good bagel in Texas. Trust me. I know that one.
You just have to figure out how to connect to that water supply there and just start shipping it all over. Tell me more. You talked about the company. Is there anything else we should know about ASF?
Yes, it’s more than just liquids. We also do a lot of imports from Asia. As I mentioned early on, we have some offices over there, four in China and one in Vietnam. Furniture imports, something we do a lot of in the Carolinas. I have been doing it for many years. One of our owners was a lumber trader early on in his career, and we still move a lot of lumber on a mobile and places like that. A general freight forwarder, anything that can go in a container, we move. We do air freight as well.
We move yachts from the US to the Caribbean and to the Mediterranean and places like that because it can be expensive to sail. You can be having issues where you have to have a crew, but sometimes, it may make a little bit more sense to put the vessel on a vessel, big one and ship it to the Mediterranean or back, for that matter. People who have a lot of money tend to do that stuff.
Advice For Younger Self And Reducing Cybersecurity Risks
Especially during hurricane season, you want it out of the Caribbean. Insurance doesn’t cover you there. You’ve got to move it out. As a sailor, there are some things that you need to know about insurance and the reasons. Let me ask you this. If you go back in time and give your younger self some advice, what would that be?
Life and your career are a marathon. It’s not a sprint. Patience is something that will pay off at the end of the day. Maybe also having been, I’m not going to say hot-tempered, but enthusiastic to dial that down a wee bit in some situations because you still have to pay your dues. I’m also ex-military from Denmark, so I know rank and file and all that good stuff. It took me a long time when I got into private work, that you still have to pay your dues. That’s a key one for myself. Just don’t worry. It’ll come. Keep doing what you’re doing. At the end of the day, your results speak a lot louder than anything else.
Keep working at it. It generally doesn’t come quickly. It’s the little changes along the way that make the big action.
Don’t compromise on your integrity. If you have a high barometer for integrity and you want to maintain that, which is also in my industry, at least, you’re only as good as your word and your results. For me, that’s something that’s been proven over and over again. If you have high integrity, you can leave a company. Don’t slam doors. Don’t burn bridges. I’ve come back to the same organization three times, and I just left it for the fourth time. No joke. It was for various reasons, and sometimes, for bigger and better opportunities and whatnot. That one is also very high on my list with the integrity. Don’t compromise on that.
Here’s the last question I’ve got for you. What advice would you give to our audience about cybersecurity or even life? It is your choice.
It’s pretty obvious from the conversation. If it lasted this long, having gone through a pretty traumatic experience, as it was, and very costly for an organization, you have to take it seriously. Educate yourself. Talk to several different people within the industry to learn a little about how other people are doing it in your same industry. Those are your competitors for your customers and your vendors. How are they doing it?
If you have colleagues overseas, how are they doing it? What are they dealing with? How have they overcome some of these situations? Don’t sweep it under the rug because if you do, and it comes up and hits you, it’s going to be very costly and painful. Just being alert and aware about it and educating yourself is key. That’s the first step. You don’t have to commit to anything today, but you’ve got to start educating yourself 100%.
Get In Touch With Sten
Sten, how can people find you? How would you like them to reach out to you?
I have a LinkedIn, but I know you guys will also be sharing my contact details. They’ll get my email address. Anyone is more than welcome to contact me. It doesn’t have to be for work, or they want to ship something, but if they want to learn about the cyber incident that I’ve gone through. I will also say that if you deal with international trade, you will be sending or receiving payments from international companies.
Unfortunately, there have also been customers and vendors who have been caught in that, where they thought they sent someone some money. They didn’t because just one digit was different. They went to a different account, and that money was gone. I know the FBI gets involved, but that’s not always a saving grace. There are many layers to this, especially if you are in international trade. I’ll be happy to share my experiences.
That even happens locally. So many times, we get your requests for “change my account” or “do this.” It’s always interesting. Sten, thank you for all your insight. I appreciate your time. This has been great. For our audience, thanks for tuning in. I hope you learned something. Take some of this to heart and understand that it does happen. Sten, I think you’re one of the first ones to have that closeness with a cyber incident. I appreciate your viewpoint on that. This has been another awesome episode of Navigating Cyber Risk with your host, John Riley, and Sten. Sten, it has been great. See you next time, everybody.
Thank you, guys. I appreciate it.
Important Links
About Sten Svendsen
My dedication to new business development and supply chain management is reflected in the innovative solutions and strategic initiatives that I’ve championed, always with an eye on maximizing operational efficiencies and client satisfaction. Serving as a Board Member at DACCSW, we foster trade between Denmark and the US, leveraging my expertise in trade facilitation.
