Most dealership IT professionals agree it is not a matter of if but when the next dealership will fall victim to a cyber attack involving malware, social engineering, or other schemes.
Based on a CDK Global 2018 dealership cybersecurity study, 85% of IT-related employees say their dealership was the target of a cyber attack within the last two years, despite 67% of respondents being confident in cybersecurity efforts prior to the attack.
Seven of 10 respondents said their dealerships invest in cybersecurity measures. But more than 60% acknowledged their dealerships haven’t conducted a formal risk assessment to identify foreseeable internal and external cybersecurity risks, don’t conduct regular tests for security systems and processes or don’t have a formal process to respond to security incidents.
Dealerships have been victims of cyber attacks that can access sensitive information, such as dealership bank account numbers, routing numbers, login credentials and customer credit card numbers, addresses, social security numbers, and credit scores.
Here are some recent incidents:
- An email-attachment virus was downloaded on a finance and insurance manager’s computer. The virus effectively logged the computer’s internet history and keystrokes. The cyber attackers used the information to obtain hundreds of customer credit reports, costing the dealership more than $150,000.
- A controller received an email from someone impersonating a dealership employee, requesting a $30,000 wire transfer. After exchanging a few emails, the controller initiated the transfer, sending the cyber attackers $30,000. The dealership was unable to unwind the transfer.
- An accountant visited what he thought was the dealership’s bank website. The accountant was prompted to enter login information and account numbers, among other information, which the accountant did. The cyber attacker used the information to initiate a $400,000 wire transfer. Luckily, the bank stopped the transfer from being completed.
In addition to potential legal actions, a cyber attack can jeopardize reputations and drive away customers.
Based on a Total Dealer Compliance survey of 200 dealerships in five states, nearly 84% of consumers said they would not buy another car from a dealership that experienced a data security breach.
Below are steps dealerships can take to combat cyber attacks:
- Conduct periodic security-awareness training for all personnel. Employees are critical to cyber defense. Educating them will strengthen their ability to detect and prevent future cyber attacks.
- Perform a comprehensive Threat Vulnerability Risk Assessment (TVRA). This process identifies, quantifies and documents the probability of various types of potential disruptive threats related to a specific dealership location.
- Develop a management playbook to cover reported incidents and how to properly address them. This should include procedures for communicating a breach to affected parties.
- Create a prioritized list of risks (based on the TVRA approach) and associate those risks with adequate risk-mitigation controls (e.g., technology, services, or additional procedures). Depending on the dealership’s current security posture, these controls may need to be developed or enhanced. Identifying top-level risks now can serve as a catalyst for additional controls or defenses in the future.
- Reassess your risk environment periodically through the TVRA process. This will put closure on previously identified risks, ensuring that they have been mitigated to an acceptable level, and determine whether new risks have evolved since the prior TVRA.
An objective cybersecurity company can be critical to a dealership’s cybersecurity plan. When vetting potential firms, dealerships should:
- Choose a firm that does not sell cybersecurity products. Firms that do may push dealerships to purchase tools that are not ideal for the dealership’s specific security issues or environment; they tend to focus on products rather than on cybersecurity assessments and planning.
- Consider a firm with automotive-industry expertise.
- Review the backgrounds of the project team that will be working with the dealership. Ensure their credentials and experience include providing overall cybersecurity assessments, plan development and implementation, and specific cybersecurity consulting.
The cybersecurity plan dealerships ultimately implement will only be as good as the employees using the systems. All dealership personnel should receive specific cybersecurity training.
Christopher Arkin is senior director-investigations and compliance at security firm Guidepost Solutions.