You generate a wealth of data that you entrust to suppliers. But do you really know where it travels, where it’s stored, and who has access to it? In a context where telematics, onboard cameras, and connected platforms are proliferating, these questions are becoming increasingly important for carriers.

To demystify the issues surrounding data security, integrity, and governance, Transport Routier spoke with Jean Loup Le Roux, a cybersecurity expert and consultant, as well as a partner at Magna, a firm that has been offering cybersecurity services worldwide since 2014.

According to Le Roux, the risks are not limited to cyberattacks: they also concern data control, its sharing with third parties, and, in some cases, issues that can even affect national security.

TR: Why should carriers be more concerned about the data generated by their vehicles and systems?

Jean Loup Le Roux: Because today, virtually all technologies used in transport are connected. Whether it’s telemetry, electronic logging devices, on-board cameras or fleet management platforms, these solutions rely on constant data exchange.

What many people don’t realize is that a single provider can conceal several others. Behind a telematics solution, there are often different providers of cloud services, telecommunications, hosting, or data analytics.

Think of it like Russian nesting dolls. The transport company believes it’s dealing with a single supplier, but when you open the first doll, you discover a second, then a third, then a fourth. In some cases, dozens of companies are involved behind the scenes in processing or transporting the data.

Each intermediary can potentially have access to some of the information. The company generally knows the supplier with whom it has signed a contract, but it does not always have complete visibility on all the actors involved in this solution.

Data today has significant commercial value. When control of this data is lost, it becomes difficult to know who is accessing it and for what purpose.

TR: What are the main risks?

JLLR: The first risk is the loss of control over data. Once it circulates through different suppliers and subcontractors, it can be shared, aggregated or resold to other organizations.

We often talk about cyberattacks, but there is also a competitive risk. Data is a strategic asset. When it falls into the wrong hands, it can provide valuable insights into a company’s operations.

In some cases, we can even speak of national security issues. Foreign actors might have an interest in understanding what types of goods travel on certain routes or how certain supply chains operate. Logistics information has real strategic value.

Many modern technologies function like black boxes. They perfectly accomplish what they promise to do, but it is often difficult to understand what is happening in the background.

TR: How can a carrier know what is really happening to its data?

JLLR: That’s precisely one of the main challenges. Many modern technologies function like black boxes. They perfectly accomplish what they promise to do, but it’s often difficult to understand what’s happening in the background.

Let’s take the example of a connected camera. It detects events, sends alerts, and provides reports. But where is the analysis performed? Where are the images stored? Who can access them? In some cases, the client simply doesn’t have this visibility.

TR: Is there a simple way to protect oneself?

JLLR: There is no magic bullet or single certification that eliminates all risks. Cybersecurity relies on a set of complementary measures.

It is necessary to examine the supplier’s reputation, contractual clauses, technical measures implemented, and independent verification mechanisms that confirm that commitments are actually being met.

If a company claims to have a simple answer to a complex problem, be wary.

TR: What questions should carriers ask their suppliers?

JLLR: First, we need to ask where the data is stored and who has access to it.

It is also necessary to know if the data can be shared with third parties, how it is protected, and what technical measures are used to prevent unauthorized access.

For example, is data from different clients separated or grouped in the same environments? Is encryption used? What monitoring mechanisms are in place? How frequently are the systems updated?

A reputable supplier should be able to answer these types of questions clearly.

TR: Are certifications a good indicator?

JLLR: Yes, but only if you fully understand what they cover. Certification generally demonstrates that an independent body has verified certain practices or controls. That’s a positive thing.

However, it’s always important to consider the exact scope of this certification. Does it cover only a product? A specific service? Or the entire organization?

This is an extremely important detail. A certification can be perfectly valid while only covering a small part of the ecosystem where the data circulates.

TR: What signs should raise suspicions?

JLLR: Simplistic answers. When a supplier claims that everything is resolved thanks to a single certification or a single security measure, it is generally a warning sign.

Cybersecurity is a complex field that requires multiple layers of protection. The most mature organizations are usually able to explain their practices, demonstrate their processes, and provide concrete evidence of their commitments.

TR: We often hear about China when discussing cybersecurity. Are these concerns justified?

JLLR: While all Chinese companies are potentially problematic (ultimately, they are accountable to the Chinese Communist Party), this doesn’t preclude some of their developed products from being extremely successful. Not all Chinese companies are problematic, and many develop extremely successful products.

That said, it’s important to understand that China’s intelligence-gathering strategy relies heavily on acquiring large amounts of data. Even seemingly insignificant information can become extremely valuable when combined with other datasets.

The issue is therefore not simply whether a product is made in China. Rather, it is about understanding where the data is processed, where it is stored, and what safeguards exist to prevent it from being used for purposes other than those intended.

TR: What advice would you give to transport companies in closing?

JLLR: I would tell them to ask questions. Carriers don’t need to become cybersecurity experts, but they do need to understand that their data has value. They need to ask their suppliers for clear explanations and written guarantees regarding the storage, processing, and sharing of this data.

It’s also important not to rely solely on ready-made answers. When the stakes are high, a simple discussion with a recognized cybersecurity specialist can often be enough to identify the right questions to ask.