Most of the small carriers I work with on the Central Coast didn't set out to build an IT stack. They bought a truck, then another, then a TMS because the broker said they had to, then an ELD because FMCSA said they had to, then a QuickBooks file because the accountant said they had to. A decade later they have eight pieces of software, a yard office Wi-Fi router from 2016, and a dispatcher who is also the IT person on Tuesdays.
This post is the version of the conversation I have over coffee with a Salinas Valley fleet owner who has somewhere between one and thirty trucks. The framing I use, and the one I'll use here, is six layers. You will recognize the layers because you are already running most of them. The question is whether you are running them well enough to survive an audit, a ransomware attempt, a rate-confirmation spoof, or a 12-hour PG&E shutoff during harvest.
Why trucking IT is different from generic SMB IT
An accountant's office in Salinas has six people, six laptops, and a printer. The whole environment fits in one room. A five-truck reefer operation hauling strawberries from Watsonville to the Port of Oakland has six office endpoints, five trucks that are themselves devices on a network, four to ten drivers signing in from cellular networks, a TMS in the cloud, an ELD vendor in another cloud, a customs broker portal, a fuel-card portal, a broker load board, a Samsara or Motive dashboard, and a paper folder full of BOLs that someone scans at the end of the day. The accountant has one regulator (the state). The reefer hauler has FMCSA, CBP if they cross the border, the state ag inspection, the cold-chain customer's quality department, and the cyber insurance underwriter.
Concretely, trucking IT differs from generic SMB IT in five ways:
- Drivers are mobile. Endpoints live offline, on different cellular networks, in motel parking lots, and in the cab. Generic office network controls do not reach them.
- Vehicles are devices. The ELD, the dashcam, and the reefer telemetry box are all networked. They have firmware, credentials, and uptime requirements.
- ELD uptime is regulated. If your ELD is down for more than 8 days, the FMCSA expects a documented reason. That is an uptime SLA dressed up as a regulation.
- Cold chain has zero margin for tech failure. A 90-minute temperature excursion on a reefer load of berries can total the load. A telemetry outage that hides the excursion makes it worse.
- C-TPAT has real IT requirements. CBP's Minimum Security Criteria include a dedicated cybersecurity section. It is not optional for certified carriers. See the C-TPAT compliance page for the full criteria.
The six IT layers a Salinas trucking operation needs
Layer 1: Connectivity for the office and the cab
The yard office needs a real firewall (not a consumer router from Costco), business-class internet with a documented SLA, segregated Wi-Fi for office staff and guests, and a cellular failover for when the wired link drops. The 101 corridor between Salinas and Gilroy gets fiber cuts more often than people realize, and a single ISP is a single point of failure for dispatch. We typically run a primary fiber connection and an LTE or 5G failover on a different carrier.
The cab is its own connectivity problem. Drivers running between Salinas, the Port of Oakland, and the Port of Long Beach hit dead zones in the Pacheco Pass tunnels, the Grapevine, and the I-580 Altamont. The realistic answer is a dual-SIM cellular setup in the cab (Verizon plus AT&T or T-Mobile) for the ELD and the dispatch tablet, not a personal phone hotspot. For multi-driver sleeper trucks, a small cab Wi-Fi router gives the team driver a usable connection without burning through a personal data plan.
Yards and ports add another wrinkle. If your drivers wait at Oakland or LA-Long Beach for hours on appointment, your TMS needs to be reachable from a cellular tablet, not just from the yard-office desktop. That is a TMS architecture question and a connectivity question at the same time.
Layer 2: ELDs and telematics
FMCSA requires an electronic logging device for most interstate commercial drivers. The device has to be on the FMCSA's registered ELD list. We do not resell ELD hardware, but we do help carriers pick the right vendor for their operation and integrate it with the rest of their IT. The platforms we see most often on the Central Coast:
- Samsara — full telematics suite, strong fleet-management features, good API. Common at 10-50 truck operations.
- Motive (formerly KeepTruckin) — popular with owner-operators and small fleets, decent driver app, competitive pricing.
- Geotab — strong telematics and reporting, often selected by fleets that want analytics depth.
- Omnitracs — legacy carrier favorite, more common at larger operations.
Whatever you pick, the ELD has to handle four things reliably: HOS logs, DVIRs, IFTA mileage reporting, and an audit-ready export that survives a real FMCSA review. The IT-side concern is that the data persists, the driver accounts are named (not shared), and the back office can pull the records on demand. A "free" ELD that is not on the FMCSA registered list is not a savings; it is a citation waiting to happen.
Telematics also pays for itself outside the regulatory question. Fuel-burn data, idle-time monitoring, harsh-event reporting, and route adherence all live in the same platform. For Salinas Valley produce haulers, the reefer-temperature telemetry is the difference between proving the load stayed in spec and arguing about it with the receiver.
Layer 3: Dispatch, TMS, and accounting that actually integrate
The TMS choice for an SMB carrier is more constrained than people expect. The big-fleet platforms (McLeod LoadMaster, TMW, Aljex) are overkill for under 20 trucks. The realistic SMB options:
- Truckstop.com TMS — load board integrated, decent for small fleets and brokers.
- ITS Dispatch — small-carrier favorite, paired well with QuickBooks.
- AscendTMS — free tier that actually works for tiny fleets, paid tiers for growth.
- McLeod LoadMaster — the standard at 25-100 truck operations that want to scale.
- Axon, ProTransport, Tailwind — viable mid-tier options depending on accounting integration needs.
The integration question matters more than the brand. Your TMS needs to talk to QuickBooks or Sage for invoicing and AP, talk to the ELD vendor's API for HOS and IFTA, and ideally talk to the broker portals (DAT, Truckstop, RMIS) for load tendering and rate confirmations. Carriers that run all three as silos end up with a dispatcher who does double-entry data work for two hours a day and a billing cycle that takes a week longer than it should.
Layer 4: C-TPAT and DOT IT requirements
If you are C-TPAT certified, or if you contract with a C-TPAT-validated importer (most produce shippers crossing the U.S. border are), the IT side of the certification applies to you. CBP's Minimum Security Criteria include a dedicated cybersecurity section. In practical terms, the IT controls you need to be able to show a validator are:
- Documented cybersecurity policy. One written document covering access control, password policy, acceptable use, and incident response. Not a slideshow; a signed PDF.
- Named user accounts. Every person who touches dispatch, TMS, ELD, or driver records gets their own account. No shared logins, no "office1" account that everyone uses.
- MFA on every account. Dispatch, accounting, broker portal, ELD vendor, email.
- Audit logs retained. Sign-in records, access changes, and configuration changes preserved for a reasonable retention period (typically 12 months for SMB carriers).
- Training records. Annual security awareness training for staff, with sign-off documented.
- Incident response plan. Written, even if it is one page. Who calls whom, what gets shut down, who notifies CBP, who notifies the cyber insurer.
- Retention for DVIRs, HOS, and customs records. The data has to survive a server failure or a ransomware hit. Independent backup is non-negotiable.
The full C-TPAT IT alignment is covered on our C-TPAT compliance page. A DoD-cleared engineering background brings the audit discipline this part of the program actually needs, because the same documentation rigor that passes a federal contracting audit passes a CBP validation.
DOT and FMCSA add their own retention windows: HOS records for six months, DVIRs for three months, driver qualification files for length of employment plus three years, drug and alcohol testing records for one to five years depending on the result. None of that is hard IT work; all of it is easy to get wrong if you do not have a backup story.
Layer 5: Cybersecurity for trucking specifically
Drivers and dispatchers are spear-phishing targets in a way that office workers in other industries are not. The freight world has its own fraud patterns, and they are hitting Central Coast carriers right now. We will cover those in more detail in the next section. At the control level, the trucking cybersecurity stack we run for SMB carriers is:
- MFA on every cloud account. Microsoft 365, QuickBooks Online, the TMS, the ELD vendor portal, the fuel-card portal, the broker load boards, the bank. Without exception.
- EDR on every office endpoint. Microsoft Defender for Business at the M365 Business Premium tier, or SentinelOne / Huntress / CrowdStrike at the next tier up.
- Monitored email security. Defender for Office 365 or a third-party email security gateway. BOL spoofing arrives by email.
- Mobile device management. Intune on the office endpoints, the ELD vendor's MDM (or Intune work profile) on driver tablets and phones.
- Identity hardening. Conditional Access policies that block legacy auth, geo-restrict admin sign-in, and require compliant devices. See the identity hardening post.
- 24/7 MDR coverage. A monitored detection layer with a real responder on the other end. The 22-second attacker handoff post covers why this is the 2026 baseline.
- Documented offboarding. When a driver or dispatcher leaves, their accounts get disabled the same day. The single most common audit finding at small carriers is an active account belonging to someone who left six months ago.
Layer 6: Backup and continuity
The records that have to survive a bad day: dispatch data, ELD audit trail, accounting, customer contracts, BOLs and PODs, driver qualification files, IFTA filings, and the customs paperwork if you cross borders. That means independent backup of Microsoft 365 (Outlook, OneDrive, SharePoint), independent backup of QuickBooks Online, and a documented export schedule for the TMS and ELD vendors. The vendors back up their platform for their own resilience, not for your accidental deletion or your compromised admin account.
Continuity also means PG&E. The Central Coast sits under the Public Safety Power Shutoff program, and the 101 corridor has lost power for 12 to 72 hours in several recent fire seasons. A trucking operation that goes dark when the yard office loses power loses dispatch, loses the office printer, loses the door buzzer, and loses the security cameras. The fix is some combination of a small UPS for the network gear, a documented runbook for failing over to a hotspot or a home office, and a generator if the yard is in a high-PSPS-risk area. The PSPS continuity plan post covers the playbook in detail.
The backup and continuity layer also covers backup and disaster recovery as a managed service: tested restores, immutable copies, and a written RTO and RPO that the cyber insurance underwriter will accept.
The fraud patterns hitting Central Coast carriers right now
This is the section that catches the most owners by surprise. The freight world has its own cybercrime ecosystem, separate from generic ransomware, and it is targeting small carriers because small carriers are easier to spoof and slower to detect. Four patterns we see often in 2026:
Rate confirmation spoofing
An attacker registers a domain that looks like a known broker (one letter off, or a different TLD), emails a dispatcher with a "rate confirmation" for a load that does not exist, gets the dispatcher to accept the load, and then either reroutes the load to a different consignee or harvests the carrier's MC number, insurance, and W-9 for use in freight identity theft (see below). The fix is a process change as much as a technical control: rate cons get verified out-of-band against the broker's known phone number before any driver is dispatched.
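The lookalike-domain check behind that process change, as an added example that is not the page's or any vendor's code: it classifies the sender domain of an inbound rate con against an allow-list of brokers you already do business with, so anything that merely resembles a known broker is held for the out-of-band phone verification described above. The broker domains and inbox messages are constructed placeholders.

```python
"""Hold inbound rate confirmations whose sender domain only resembles a known broker.

Added example (not the page's code). KNOWN_BROKERS and SAMPLE_RATE_CONS are constructed;
in production the allow-list comes from the carrier's broker setup packets.
"""
from __future__ import annotations

KNOWN_BROKERS = {"examplebroker.com", "acme-logistics.net"}  # constructed allow-list

# Common character swaps seen in lookalike registrations: 0/o, 1/l, 3/e, 5/s, rn/m, vv/w.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(name: str) -> str:
    """Fold homoglyph substitutions so examp1ebroker and exarnplebroker compare equal to examplebroker."""
    return name.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> tuple[str, str]:
    """Return (name, tld) for a two-label domain; multi-label TLDs such as .co.uk are out of scope here."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def classify_sender(address: str, known: set[str] = KNOWN_BROKERS) -> str:
    """Classify the sender of a rate con as known, tld-swap, lookalike, or unknown.

    Anything other than "known" is held until dispatch confirms the load by calling
    the broker on the phone number already on file (never a number in the email).
    """
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in known:
        return "known"
    name, tld = split_domain(domain)
    for k in known:
        kname, ktld = split_domain(k)
        if name == kname and tld != ktld:
            return "tld-swap"          # examplebroker.co instead of examplebroker.com
        if normalize(name) == normalize(kname):
            return "lookalike"         # homoglyph swap, e.g. examp1ebroker.com
        if edit_distance(normalize(name), normalize(kname)) == 1:
            return "lookalike"         # one character added, dropped or changed
    return "unknown"


SAMPLE_RATE_CONS = [  # constructed inbox sample: (sender, subject)
    ("dispatch@examplebroker.com", "RC 4471 Watsonville -> Oakland, reefer"),
    ("ops@examp1ebroker.com", "URGENT rate confirmation, reload today"),
    ("loads@examplebroker.co", "Rate con attached, please sign"),
    ("carrier.setup@newbroker-example.org", "Carrier packet request"),
]


def hold_for_verification(messages) -> list[tuple[str, str, str]]:
    """Return (sender, subject, verdict) for every message a dispatcher must verify out-of-band."""
    held = []
    for sender, subject in messages:
        verdict = classify_sender(sender)
        if verdict != "known":
            held.append((sender, subject, verdict))
    return held


if __name__ == "__main__":
    for sender, subject, verdict in hold_for_verification(SAMPLE_RATE_CONS):
        print(f"HOLD [{verdict}] {sender}: {subject}")
```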
Fuel-card cloning and skimming
Fuel-card skimmers at I-5 and 99 truck stops have gotten harder to spot. The attacker captures the card data at the pump, then uses it on a cloned card before the driver finishes the shift. The fix is a combination: fuel cards with per-transaction limits, card-present detection at the fleet card vendor, real-time SMS or email notifications to dispatch on every transaction, and a process where the dispatcher reviews fuel-card activity at the start of each shift.
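One way to automate the dispatcher's start-of-shift fuel review, as an added example and not the page's or any card vendor's code: each fuel-card transaction is cross-checked against the truck's own ELD/telematics GPS pings, so a cloned card used at a pump the truck never visited stands out. The transactions, pings and coordinates are constructed sample data; in practice they come from the fuel-card vendor's transaction export and the telematics API.

```python
"""Cross-check fuel-card transactions against telematics GPS pings.

Added example (not the page's code). Two checks matching the cloning pattern: the
card was used while the truck's GPS puts it somewhere else, or the same card hit two
pumps too far apart for one truck to drive between them. All data below is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Tx:
    tx_id: str
    card: str
    truck: str
    when: datetime
    lat: float
    lon: float
    gallons: float


@dataclass(frozen=True)
class Ping:
    truck: str
    when: datetime
    lat: float
    lon: float


def miles_between(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in statute miles (haversine, Earth radius 3958.8 mi)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 3958.8 * 2 * asin(sqrt(a))


def nearest_ping(tx: Tx, pings, window: timedelta):
    """Closest-in-time ping for the transaction's truck inside the window, or None."""
    candidates = [p for p in pings if p.truck == tx.truck and abs(p.when - tx.when) <= window]
    return min(candidates, key=lambda p: abs(p.when - tx.when), default=None)


def flag_transactions(txs, pings, max_miles=2.0, window_min=15, max_mph=80.0) -> dict[str, str]:
    """Return {tx_id: reason} for transactions that need a human look before the shift starts."""
    flags: dict[str, str] = {}
    window = timedelta(minutes=window_min)
    for tx in txs:
        p = nearest_ping(tx, pings, window)
        if p is None:
            flags[tx.tx_id] = f"no telemetry within {window_min} min of pump time"
            continue
        d = miles_between(tx.lat, tx.lon, p.lat, p.lon)
        if d > max_miles:
            flags[tx.tx_id] = f"truck GPS {d:.0f} mi from pump"
    by_card: dict[str, list[Tx]] = {}
    for tx in sorted(txs, key=lambda t: t.when):
        by_card.setdefault(tx.card, []).append(tx)
    for seq in by_card.values():
        for a, b in zip(seq, seq[1:]):
            hours = (b.when - a.when).total_seconds() / 3600
            d = miles_between(a.lat, a.lon, b.lat, b.lon)
            if d > max_miles and (hours == 0 or d / hours > max_mph):
                flags.setdefault(b.tx_id, f"card at two pumps {d:.0f} mi apart in {hours * 60:.0f} min")
    return flags


T0 = datetime(2026, 3, 10, 8, 0)
PINGS = [Ping("101", T0 + timedelta(minutes=m), 36.2520, -120.2480) for m in range(0, 60, 5)]  # truck 101 parked at a Coalinga I-5 stop
TXS = [  # constructed: t1 legit, t2 cloned card used near Bakersfield, t3 truck with no telemetry that day
    Tx("t1", "card-7", "101", T0 + timedelta(minutes=8), 36.2525, -120.2475, 120.0),
    Tx("t2", "card-7", "101", T0 + timedelta(minutes=38), 35.3733, -119.0187, 95.0),
    Tx("t3", "card-9", "102", T0 + timedelta(minutes=20), 36.9100, -121.7500, 60.0),
]

if __name__ == "__main__":
    for tx_id, reason in flag_transactions(TXS, PINGS).items():
        print(f"REVIEW {tx_id}: {reason}")
```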
Freight identity theft
Bad actors pose as a legitimate carrier (often a small one with thin online presence), respond to a load posting on DAT or Truckstop with the legitimate carrier's MC number and insurance, pick up the load with a paid driver, and disappear with the cargo. The legitimate carrier is unaware until the broker calls asking where the load is. The IT side of the defense is to make sure your MC number, insurance certificate, W-9, and broker portal credentials are not floating around in unprotected inboxes or shared with brokers who do not have a secure intake process. The process side is monitoring DAT and Truckstop for loads being booked under your MC that you did not book.
Ransomware on TMS or dispatch
Two patterns. One: an attacker compromises a dispatcher's Microsoft 365 account through a phishing campaign, sits in the mailbox watching the dispatch workflow for a few days, then uses the stolen credentials to attempt lateral movement into the TMS or onto the yard-office network. Two: a vulnerability in an on-premises TMS server or an unpatched VPN appliance lets an attacker straight into the dispatch environment, where they encrypt the database and demand payment. The 2026 ransomware-how-it-gets-in post walks the attack chain for SMBs.
The defense for both is the same: MFA on every account, EDR everywhere, monitored email security, patched systems, and 24/7 MDR coverage that catches the lateral movement before it becomes encryption.
Office IT for a Salinas trucking yard
The yard office is where most of the dollars end up. The baseline we recommend for a 5-15 person Salinas trucking back office:
- Microsoft 365 Business Premium per user. Includes Outlook, the Office apps, OneDrive, SharePoint, Teams, Defender for Business (EDR), Intune (MDM), and Entra ID P1 (identity hardening). At roughly $22 per user per month it is the most leveraged dollar in the stack.
- Business-class internet with documented SLA and an LTE or 5G failover on a different carrier.
- Real firewall (Fortinet, Sophos, Palo Alto, or a managed Meraki). Not a Linksys.
- VoIP for dispatch. A cloud-hosted phone system that can ring through to mobile when the office is empty. The dispatcher's number cannot be a personal cell.
- Cabled to the desk, wireless for the laptop. Yard offices in metal buildings have lousy Wi-Fi. Run cable to the dispatcher and the accounting desk; reserve wireless for laptops and tablets.
- Ruggedized devices where it matters. The yard supervisor's tablet should not be a consumer iPad in a plastic case. Panasonic Toughbook, Zebra rugged tablet, or equivalent.
- UPS on the network closet and a documented power-loss runbook.
The full program lives on the managed IT services page. The cybersecurity layer is covered on the cybersecurity page.
Driver-facing tools that actually work
The driver-facing side gets less attention than it deserves because the office staff are the ones complaining loudest. A few things we've seen work for small Central Coast carriers:
- Pick the ELD vendor on the back-office integration, not the driver UX. The ELD is going to be the driver's least favorite piece of software no matter what. The real value is in how well it talks to your TMS and accounting.
- Dual-camera dashcams are now table stakes. Inward-facing plus road-facing. Insurers price them in. The footage settles roughly 80 percent of accident disputes in the carrier's favor, in our experience.
- Driver tablets beat phones for ELD use, but only marginally. The hidden cost of a tablet is breakage. A ruggedized 8-inch Android tablet from Samsung or Zebra runs three to five times longer in service than a consumer iPad.
- Cab Wi-Fi for sleeper drivers is a retention tool. A team-driver rig that gives the off-duty driver a usable connection for video calls home is a rig that keeps its drivers.
- Personal phones with a managed work profile are a reasonable compromise for solo owner-operators. Just make sure the company apps are in the work profile and the offboarding wipe is configured.
C-TPAT IT alignment
For carriers that are C-TPAT certified or working toward it, the IT controls map cleanly to a small set of repeatable practices. Documented access control with named accounts, MFA on every account that touches supply-chain data, audit logs retained for at least 12 months, written cybersecurity policy that has been signed and dated, annual security awareness training with sign-off, an incident response plan that is one page minimum and has actually been tested, and protection of the IT systems that handle customs data (ACE filings, manifest data, BOLs).
The C-TPAT validator is going to ask for documentation. Most small carriers have the controls in place but cannot show the documentation, and that is what causes the finding. The C-TPAT compliance page walks the criteria item by item. The pragmatic version: get the controls implemented, then spend an afternoon writing down what you do. The afternoon of writing is what passes the validation.
What we are not recommending
The patterns we see at small carriers that we steer clients away from:
- Running dispatch on a single owner's laptop with no backup. When (not if) the laptop dies or gets ransomwared, the operation stops. We have seen this end a small carrier.
- Shared logins across drivers or dispatchers. No audit trail, no offboarding control, no MFA story, automatic C-TPAT finding.
- "Free" ELD providers that are not on the FMCSA registered list. The savings disappear the first time you get cited for a non-compliant device.
- Putting BOL or manifest data in a personal Gmail. Personal Gmail does not meet C-TPAT criteria, does not have a business-grade audit trail, and is not covered by any cyber insurance policy I have read.
- Letting the dispatcher's personal cell be the dispatch number. When the dispatcher leaves, the customers do too.
- Skipping cyber insurance because "we're too small." Premiums for a 5-truck operation are usually under $300 per month. The deductibles on a real claim are six figures.
- Believing the TMS vendor's "we back you up" answer. The vendor backs up their platform, not your individual records.
A realistic budget for a 5-truck Salinas operation
Numbers for a representative 5-truck Salinas carrier with 4 office users (owner, dispatcher, AP, and a part-time safety person), running Microsoft 365 Business Premium, Samsara for ELD and telematics, and a mid-tier TMS. Monthly, all-in:
- Microsoft 365 Business Premium: 4 users x $22 = $88
- MDR / managed security: 4 users x $25 = $100
- Samsara or equivalent ELD/telematics: 5 trucks x $30-$45 = $150-$225
- TMS: $150-$400 depending on platform
- Managed IT (helpdesk, patching, backup, identity hardening): 4 users x $150-$200 = $600-$800
- Cab cellular (dual-SIM where needed): 5 trucks x $50 = $250
- Office internet + failover: $200-$350
Total monthly IT spend lands roughly between $1,500 and $2,500 per month at 5 trucks, before equipment. That is real money, but it is also the number that keeps dispatch running, keeps drivers in compliance, keeps C-TPAT certification intact, and survives a ransomware attempt without paying the ransom. The cost scales close to linearly up to 20-30 trucks, with the per-user managed IT line being the biggest mover.
For comparison: a single ransomware event at a small carrier (incident response, recovery, lost revenue, customer notifications, and possible ransom) typically lands between $80,000 and $250,000 in our recent IR work. The IT budget pays for itself in a single avoided incident.
Where this fits
This post sits alongside several other pieces in the Ghosxt industry cluster:
- The trucking and logistics IT service page, which covers the full Ghosxt program for fleet operators.
- The C-TPAT compliance page, for carriers in or pursuing CBP certification.
- The cybersecurity service page, for the underlying security stack.
- The managed IT services page, for the helpdesk and platform layer.
- The backup and disaster recovery service page, for the continuity layer.
- The 2026 ransomware post, for the attacker side of the cybersecurity layer.
- The 22-second attacker handoff post, for why MDR is now the baseline.
- The PSPS continuity plan, for fire-season power loss.
- The identity hardening post, for the MFA and Conditional Access baseline.
FAQs about trucking IT for SMB carriers
We are FMCSA registered with 3 trucks. Do we really need MDR?
Yes, and the math is more favorable at 3 trucks than at 30. A small carrier's TMS, dispatch inbox, and fuel-card portal are the same target surface a 200-truck fleet presents, just with fewer people watching. A single ransomware event or a single successful rate-confirmation spoof can cost more than five years of MDR coverage. Per-user MDR pricing for a 3-truck operation with 4 office users runs in the low hundreds of dollars per month. The breach economics do not scale down to match.
Our drivers' phones are personal. Is that a risk?
It is a risk, and it is one of the most common gaps we find at small Central Coast carriers. A driver's personal phone signed into the dispatcher's email, the TMS app, and the ELD vendor app has the same attack surface as a company-owned device, but none of the controls. If you do not want to issue company phones, the realistic middle ground is to require the company apps live in a managed work profile (Microsoft Intune or the ELD vendor's MDM), require MFA on every sign-in, and have a documented offboarding step that revokes access the day a driver leaves.
Is the office firewall enough cybersecurity for a small trucking operation?
No, and it has not been for several years. The firewall protects the yard office. It does not see your drivers' tablets at a truck stop, your dispatcher's laptop at home, your QuickBooks Online account, your TMS in the cloud, or your Microsoft 365 mailboxes. Modern trucking IT is identity-first: MFA on every account, endpoint detection on every device, and monitored email security on every mailbox. The firewall is one of about ten controls, not the control.
What does C-TPAT actually require from IT?
CBP's Minimum Security Criteria include a dedicated cybersecurity section. In practical terms, that means a written cybersecurity policy, documented access controls with named user accounts (no shared logins), MFA, regular password rotation, monitored networks, an incident response plan that has been written down and not just discussed, security awareness training records for staff, and protection of IT systems used in the supply chain. CBP validators ask to see the documentation. We cover the full list on the C-TPAT compliance page.
Our TMS vendor says they back us up. Do we still need a backup vendor?
Yes. SaaS vendors back up their infrastructure for their own resilience, not yours. If a dispatcher deletes a load by mistake on Tuesday and you discover it on Friday, most TMS vendors cannot restore that single record. If your tenant gets compromised and an attacker deletes records, the vendor will restore the platform, not your individual data. Independent third-party backup of Microsoft 365, QuickBooks, and the TMS export is a separate control. It is also one of the cheapest controls in the stack.
We hire drivers seasonally. How should driver accounts be managed?
Named accounts per driver, never shared logins, and a documented offboarding checklist that runs the day the driver's last shift ends. The checklist disables the Microsoft 365 account, revokes the ELD app sign-in, wipes the company profile from the driver's phone if applicable, and rotates any shared passwords the driver knew. The single most common audit finding at small Central Coast carriers is a former driver whose ELD or TMS account is still active six months after separation. C-TPAT validators look for this specifically.
Want a written read on your trucking IT setup?
30 minutes with a DoD-cleared engineer. We will walk through your dispatch, ELD, TMS, and cybersecurity setup, and hand you back a written punch list of what to fix first, ordered by risk. No sales script, no obligation.
Book your free assessment.
Prefer to talk first? Email sales@ghosxt.com or call (831) 204-0501.