A logistics operator in the GCC ran a business that never really stopped: vehicles moving, orders flowing, a warehouse and back office that depended on a handful of systems staying up. Their concern was the one most operations-heavy businesses share. A piece of ransomware arriving through an ordinary phishing email, on an ordinary Tuesday, could freeze the systems the whole operation runs on, and they were not confident they could recover quickly if it did. They were not imagining a sophisticated adversary; they were worried about the common case, which is exactly the right thing to worry about.

They had been pitched alarming products before and had sensibly ignored them. What they wanted was a calm, honest assessment of where they were genuinely exposed, and a short list of changes that would matter, sized to a team that has a business to run and no appetite for security theatre.

The challenges we had to solve

  • Backups existed but had never been restored in a real test, so nobody actually knew whether they would work when it counted. Untested backups are the most common cause of a slow recovery.
  • Systems were poorly separated, so a single infected machine could spread to far more than it should before anyone noticed.
  • Sign-in relied on passwords alone, so a stolen credential was an open door, and phishing is the route most ransomware takes in.
  • Staff were busy and non-technical, so any measure that got in the way of doing the job would simply be worked around.

How we approached it

We started with the thing that decides how a ransomware incident ends: backups. We made sure they were complete, kept where ransomware could not simply encrypt them too, and, most importantly, actually restored in a test so the operator knew recovery was real rather than assumed. Then we made it harder for one bad click to become a company-wide outage, by separating the systems that did not need to talk to each other so that an infection cannot spread freely across the whole estate.

On the way in, we added multi-factor authentication so a stolen password is no longer enough on its own, kept patching current on the systems that face the most risk, and gave staff brief, practical guidance on spotting the kind of email that actually shows up, rather than a frightening lecture. We deliberately stopped at what was proportionate; a logistics operator does not need a bank’s defences, and pretending otherwise would have bought friction instead of safety. The resilience is theirs to maintain, and our job was to focus it on the few things that genuinely change the outcome of a bad day.

Where it stands

The operator now has backups it has actually seen restored, systems that limit how far a problem can spread, and a sign-in that a stolen password alone cannot defeat. The measures are ones staff can live with, so they are still in place rather than quietly disabled. A ransomware email would still be an unwelcome event, but a survivable one, which is the honest goal for a business of this kind.
