Wilkens: Create a cyber-savvy workforce to combat fleet cyber crime

Fleet cybersecurity failures often stem from weak employee engagement, not lack of technology, increasing exposure to cargo theft and social engineering.

Key takeaways

  • Cybersecurity tools alone fail without a strong security culture embedded across fleet operations and staff behavior.
  • Social engineering drives many freight cyberattacks, targeting dispatch, accounting, and drivers through routine workflows.
  • Leadership engagement in training and response drills is critical to building reporting habits and reducing fleet risk.

There is a long list of companies that have put all the technical controls in place, held annual cybersecurity awareness training for their teams, and paid for advanced Security Information and Event Management (SIEM) systems or other sophisticated security tools, yet have still been victims of ransomware or cyber-enabled cargo crimes.

Why are these numbers so high? One possible answer is that the focus has historically been on technical controls and robust defenses, rather than on the security gap created when cybersecurity is separate from the business culture.

A culture of cybersecurity awareness looks very different from a robust cybersecurity program isolated from the rest of the business and seen as an occasional roadblock to deploying new tools quickly, or as another required training that no one really wants to sit through. A culture of cybersecurity awareness looks like an empowered security-conscious workforce, always on the lookout for potential security issues and ready and willing to raise their hand and say: “Something doesn’t look right, we should pause and dig deeper.”

When someone in dispatch books a truck on a load with a rate that looks too good to be true, when accounting receives a call requesting a change to payment details, when the back office processes a payment request over email, or even when a driver scans a QR code at a fuel pump, these are all moments where freight can get stolen or malware can take hold. These moments are rarely governed by a firewall rule or sophisticated technical safeguards. More often, they are governed by whether a person has the instinct to pause.

In any organization, culture starts at the top. The attitude and approach leadership takes toward security will pervade the organization. If leadership is disengaged from cybersecurity awareness training, does not reward employees for security-related actions, and is not regularly involved in tabletop exercises with their security teams, the rest of the organization will follow suit. Conversely, if leadership places cybersecurity high on its priority list, sets an example by engaging in regular cybersecurity awareness training, and not only participates in but also plays a key role in tabletops and incident response training, the entire organization will begin to align more fully with this prioritization.

How does this help close the security gaps in an organization and prevent ransomware, extortion, or cargo crime? Our teams are our frontline defenders. Many of the most devastating modern cyberattacks start with a direct conversation with a single employee. This can be over email, chat, phone call, or even in person. An employee with a security mindset will be exponentially harder to trick into falling for a social engineering scheme than one who is simply required to check a box once a year and then has no further interaction with their security team for the next 12 months.

Security teams must not overlook the value of engagement with their leadership team and peers across other areas of the organization. Security cannot operate successfully in a vacuum; it must be embedded in the fabric of the organization itself. Leadership teams must also not overlook the value of engaging with the organization on cybersecurity. Being out in front, visibly championing cybersecurity awareness and incident-response preparedness, is a significant (and free) force multiplier for the organization’s security posture. When leadership is highly engaged, teams feel empowered. They are not afraid of pushback when they take the time to investigate and stop a possible social engineering scheme in progress. They will not be afraid to raise their hand and say: “I clicked on a link, and I don’t think it was legitimate.” Quite the opposite happens: They are confident in calling out potential threats, even when they stem from mistakes; they are on the lookout for social engineering schemes; and they have the training, resources, and tools to address them.

This shift also affects what fleets should measure. Training completion rates tell you who clicked through a module, not who has the skill to catch a fraudulent broker. Track the signals that reflect key behaviors instead: how many suspicious emails, phone calls, or rate confirmations your teams report, and how quickly. Track whether near misses are reported at all. A rising number of reports does not necessarily mean an increase in the threat level; it is evidence that your team is paying attention and trusts their leadership enough to speak up.

In this age of AI-enabled social engineering attacks and unprecedented levels of both cyber-enabled cargo crime and extortion, every organization needs the best defenses it can put in place. This includes technical controls, a well-designed security program with robust processes and well-rehearsed playbooks, and an engaged cyber-savvy workforce ensuring that social engineering attacks fail before they escalate.

A culture of security is not a line item on the budget; it can’t be purchased from a vendor, and it can’t be created without direct support from the very top of the organization. It is the accumulated habits of a workforce that treats protecting the fleet from cyberattacks and cargo thefts as part of moving freight safely, just as it already treats cargo securement or the safety program. This quarter, put cybersecurity into one operational process your teams already have, whether that’s a safety meeting, a dispatch workflow, or an onboarding checklist. As leaders in the organization, take the first visible step. Build a strong security culture before you need it.

About the Author

Ben Wilkens

Ben Wilkens, CISSP, CISM, is the director of cybersecurity at the National Motor Freight Traffic Association. In his role at NMFTA, Ben spearheads research initiatives and leads teams dedicated to developing cybersecurity technologies, methodologies, and strategies to safeguard information systems and networks. He collaborates with academic institutions, industry partners, and government agencies to advance cybersecurity practices and knowledge.
