The European Union Agency for Cybersecurity ENISA’s 2024 Foresight 2030 Threats update identifies software supply chain attacks as the top cyber security threat for EU organisations for the second consecutive year. The report emphasises vulnerabilities in third-party software dependencies, legacy operational technology systems, and increasingly interconnected supply chain networks.
They are not alone. On its website, the UK’s National Cyber Security Centre is equally clear about the risks, stating: ‘… supply chains can be large and complex, involving many suppliers doing many different things. Effectively securing the supply chain can be hard because vulnerabilities can be inherent, or introduced and exploited at any point in the supply chain… Despite these risks, many companies lose sight of their supply chains. In fact, according to the 2023 Security Breaches Survey, very few UK businesses set minimum security standards for their suppliers. A series of high-profile, very damaging attacks on companies has demonstrated that attackers have both the intent and ability to exploit vulnerabilities in supply chain security. This trend is real and growing. So, the need to act is clear.’
Media reports suggest the cost to businesses of supply chain cyberattacks is on track to exceed $80 billion by the end of next year.
TAPA’s Cyber Security Standard aims to be part of the solution and was launched in the Europe, Middle East & Africa (EMEA) region in January.
Panayiotis Laimos from the TAPA EMEA Standards & Training team and one of the Association’s Regional Leads, Filipe De Almeida, explained more about the new Cyber Security Standard and how it is designed to support member companies…
When was CSS launched in the Americas and APAC and have there been any CSS certifications so far?
In 2021, TAPA introduced its Cyber Security Standard (CSS) in the Americas and Asia-Pacific regions to address supply chain cyber risks. However, market adoption remained limited. One reason for this might be the dependencies on existing FSR and TSR cybersecurity provisions and certification pre-requisites. The CSS was designed to complement existing security certifications, not replace them, which may have hindered organisations from pursuing standalone certification.
Are there different levels of CSS certification?
In contrast with the other TAPA global Standards, CSS does not offer 3 levels of certification, but just a single one. As businesses increasingly transition to digital platforms, protecting IT infrastructure against illegal penetration attacks has become paramount for organisational security. Moreover, it is crucial to understand that in any context where TAPA CSS requirements are referenced, local legislative frameworks maintain precedence, ensuring that regional legal considerations are always given primary importance in security protocol implementation.
Is the Standard independently audited and is there a self-cert level too?
The 2025 Cyber Security Standard (CSS) distinguishes itself from the other global TAPA Standards through a certification process that categorically excludes self-certification. Every certification audit must be conducted exclusively by TAPA-approved Independent Audit Body Authorised Auditors (IAB AA), who are specifically trained to ensure comprehensive and rigorous assessment of security requirements.
Who has been involved in the creation and development of this Standard?
In response to a survey conducted among its membership base, TAPA initiated a collaborative revision process in the second half of 2024. Representatives from the Americas, APAC, and EMEA regions came together to collectively update and refine the CSS Standard, ensuring its relevance and effectiveness across diverse geographical and operational contexts.
This collaborative effort was further enriched by the TAPA EMEA CSS sub-group, which provided invaluable insights, thoughtful perspectives, and strategic recommendations throughout the update process. The sub-group’s deep expertise and thorough understanding of regional cybersecurity challenges played a crucial role in shaping a more robust and adaptable Standard that could address the complex and dynamic digital threat landscape facing modern supply chain organisations.
Please outline the areas the Standard covers.
The TAPA CSS provides a comprehensive digital protection framework that transforms cybersecurity from a reactive to a proactive strategy. The Standard covers security policy development, establishing clear guidelines for digital protection and data management. It also addresses network security through robust remote access and authentication mechanisms, while mandating security awareness training to empower employees as digital asset guardians.
Technical safeguards include device security, cryptographic controls, vulnerability management, and intrusion detection systems. The framework also ensures operational resilience by managing environmental controls, third-party services, cloud security, and business continuity planning.
The multifaceted approach of the Standard enables Logistics Service Providers (LSPs) to effectively navigate the complex digital risk landscape, integrating cybersecurity as a strategic business enabler.
Which types of companies will benefit most from the CSS?
The updated CSS offers a practical cybersecurity solution for small and medium-sized transportation and logistics enterprises. Unlike complex frameworks like ISO 27000 or NIST, the CSS provides an accessible alternative to digital risk management.
Recognising that smaller carriers face significant cyber threats with limited resources, the Standard offers a targeted approach to cyber defence. The CSS 2025 certification helps organisations identify and mitigate cyber risks while serving as a competitive differentiator by demonstrating a commitment to cybersecurity through an independently audited certificate.
Often the way into big company systems for cyber attackers is via less cyber-aware SME service providers. Are these smaller/medium-sized types of companies the real targets for CSS certifications?
Small and medium contractors have become critical vulnerabilities in cybersecurity, serving as strategic entry points for sophisticated cyber attacks. Threat actors exploit these organisations’ less-defended networks to infiltrate larger, more secure systems through interconnected digital ecosystems.
By targeting weaker network segments in supply chain and logistics networks, cybercriminals can bypass advanced security measures. A single unprotected network can potentially compromise entire interconnected systems, making small contractors unwitting conduits for large-scale cyber intrusions. These attacks leverage the asymmetric nature of cybersecurity preparedness, where smaller organisations lack advanced security resources and comprehensive threat monitoring.
How likely is it that small/medium-sized companies have someone in-house responsible for cyber security?
Smaller and medium logistics service providers usually approach cybersecurity through two primary methods: developing internal IT resources or procuring external services. External partnerships offer specialised expertise, while internal teams can leverage their professional development programmes, for example attending the TAPA CSS Authorised Auditors’ course. The key is creating a culture of continuous learning and adaptive protection. Cybersecurity is no longer optional but a fundamental component of operational integrity and growth, requiring ongoing commitment and strategic investment.
Given the pace with which cyber criminals adapt to cyber security regimes in order to find a way through, how challenging is it for CSS to stay relevant if it is only updated every 3 years like the other TAPA Standards?
The 3-year update cycle for the TAPA Cyber Security Standard poses challenges in the rapidly evolving cyber threat landscape. Cyber criminals innovate faster than the Standard can be revised, potentially leaving security vulnerabilities exposed. While this cycle is shorter than ISO/IEC 27001’s 5- to 7-year updates and the NIST Cyber Security Framework, which has demonstrated more dynamic updating, with significant revisions in 2018 and a major update in February 2024, it still struggles to keep pace with emerging technologies, novel malware, and sophisticated attack techniques. Nevertheless, the 3-year Standards revision cycle is not written in stone within TAPA; should the members or the market require shorter revision periods, we shall be ready to address this demand.
Do you think there is much appetite within the Association’s global membership for TAPA to offer a cyber security standard?
TAPA EMEA’s recent survey among its members revealed significant insights into cybersecurity standard adoption in the region.
From the answers received, members widely recognise the major benefits of adopting a cybersecurity standard, but the actual implementation remains mixed. Specifically, the acceptance and certification rates were evenly split, with approximately 50% of participants currently responding positively.
Looking forward, the survey uncovered a promising trend in members’ intentions. Nearly two-thirds of responses expressed a desire to pursue certification, while one out of six is currently certified by an existing cybersecurity standard (probably the “big” ones). This gap between intention and current implementation suggests both an opportunity and a challenge for TAPA EMEA in supporting its members’ cybersecurity maturation.
Presumably, like most forms of crime prevention, cybersecurity only becomes relevant for most companies after they suffer an attack. How difficult is it going to be to change this mindset?
Shifting the cybersecurity paradigm from reactive to proactive represents a challenge rooted in deep-seated organisational behaviours and economic short-termism. Most companies view cybersecurity as a cost centre rather than a strategic investment, preferring to allocate resources reactively after experiencing financial losses, reputational damage, or operational disruption from a cyber attack. Changing this mindset requires a fundamental cultural transformation that demands executive leadership commitment, comprehensive risk education, demonstrable financial modeling of potential breach impacts, and a strategic approach that positions cybersecurity as an integral business resilience strategy rather than a peripheral technical expense.
TAPA has prepared a comprehensive training programme for Authorised Auditors that, in addition to explaining the requirements and their intent, also provides guidance on application as well as a lot of information related to the Cyber Security topics included in the Standard.
TAPA EMEA has a lot of big, global members who rely on smaller-sized partners to help deliver their end-to-end supply chains. What can these big companies be doing to encourage their smaller service providers to adopt CSS?
Enforcement often drives cybersecurity adoption. Smaller logistics service providers seeking to maintain or expand partnerships with larger companies will eventually need to integrate their information systems with “big” corporate IT infrastructures. This necessity makes cybersecurity compliance unavoidable. Certification will streamline the compliance process by reducing verification costs and time. Independent audit bodies shall audit LSPs, issue relevant certificates, and thereby facilitate smoother onboarding and continued cooperation between smaller LSPs and their big enterprise customers.
Even if a company is not thinking about CSS certification, presumably just reading the Standard will be helpful and thought-provoking?
As already mentioned, TAPA has developed a comprehensive and, in parallel, “educational” Authorised Auditors training programme designed to enhance cybersecurity awareness across its membership. While the programme is particularly valuable and necessary for those pursuing immediate certification, we strongly recommend that all members, including those without imminent certification plans, enroll their IT security personnel in this online training.
The programme offers an in-depth exploration of current cyber security threats, essential definitions, examples, real incidents, case studies, and emerging trends. By participating, IT security professionals can gain crucial insights into the evolving cybersecurity landscape, regardless of their organisation’s current certification status. This proactive approach ensures that members stay informed about potential risks and best practices, ultimately strengthening their overall security posture.
As always, the training is offered for free with the use of an existing voucher.
What training support is TAPA EMEA providing for CSS? Where can members find all the information they need on CSS?
The TAPA CSS Authorised Auditors’ course was launched in January 2025, with an initial plan to conduct three virtual training sessions throughout the first quarter. The full online training programme is scheduled for deployment in April 2025. Complementing the training initiative, TAPA has updated the CSS Glossary to support members’ understanding of technical terminology. All relevant information, including course details, training schedules, and the updated glossary, is accessible at https://tapaemea.org/standards-trainings/cyber-security-standard-css/.
In conclusion…
By updating and adopting a Standard that is both technically rigorous and financially achievable, TAPA is addressing a critical gap in the cybersecurity landscape. The CSS 2025 empowers smaller entities to proactively protect their digital assets, enhance their operational resilience, and build trust with stakeholders, without the prohibitive complexity and cost associated with more comprehensive international standards. In this dynamic technological landscape, knowledge remains the most powerful security tool.
Organisations that embrace strategic thinking and adaptive technological approaches will be best positioned to navigate the complex world of modern cybersecurity in the imminent future.