Car dealership cybersecurity ranges from tight to none at all, says Jim Foote, chief business security software officer for automotive information technology provider CDK.
“The larger dealerships are at less risk because they have security officers and IT departments,” he tells WardsAuto. Less diligent are smaller stores, places “where Bob in the parts department also is the IT guy.”
The auto industry hasn’t suffered a major Internet security breach – yet. The credit-card and retail industries have.
“My fear is that as those industries put tighter control on their data protection, the cyber criminals will start looking for the next easy target,” Foote says. Like dealers. “Cyber criminals are starting to target businesses with fewer than 250 employees.”
CDK sells anti-hack-attack products, but beyond that the company is on a mission to raise dealer awareness through a program called Security First.
“I’m not a salesman, and Security First is not a product,” Foote says. Instead it is an educational initiative that offers block-and-tackling tips to help dealers protect their data.
The average dealership’s customer data base contains about 50,000 names, along with all sorts of personal and financial information.
Security First urges dealers to create a security policy, share it with staffers and make sure everyone adheres to it.
Foote meets regularly with dealers individually and in groups to discuss precautions. “I’ll ask how many have security policies in place. In a room of 20, maybe five will raise their hands. The next question is how often those policies are reviewed with employees. Of those five, maybe one will raise a hand. The vast majority don’t have the basics.”
Even expensive security systems aren’t failsafe “unless people and processes support them,” Foote says.
For example, he recommends against allowing employees to take home sensitive customer information that’s contained on laptops, memory sticks or the like, he says.
Despite the best intentions of devoted staffers working at home after hours, that practice runs risks.
“Dealership information could be exposed on the Internet,” Foot says. “The No.1 concern of dealers I talk to is that a good employee unwittingly does something like that.”
He adds: “Having policies and procedures in place dramatically reduces the threat potential. If everyone knows it’s inappropriate to take home customer information, it turns everyone into human firewalls.”
He offers other basic tips:
- Change passwords regularly and have stronger passwords then, say, dealer1234.
- Click on anti-virus protection for PCs.
- Encrypt PCs.
- Scrub from systems the user names and passwords of former employees. “You get the keys from them when they leave, also get them out of the system,” Foote says.
Foote urges dealerships to be on the lookout for phishing emails in which cyber crooks pose as legitimate companies. He tells a cautionary tale about that.
“A person in accounting at a dealership got an email supposedly from Walmart about the delivery of a TV. She clicked a link. It infected her computer. When she later logged on to a bank account to pay the bills, they got her user name and password and started funneling the money out.”
The Security First program consists of online tutorials to CDK customers. “They are short and engaging,” Foote says. “We realize people have jobs.”
Among security products CDK sells is Dealer Data Exchange, software that allows dealers to track who is accessing their dealership management systems. Many third-party vendors contractually do that on a regular basis.
But if a cyber criminal hacks into a third-party’s information, they may end up gaining access to a dealer client’s data too because of the inter-connectivity.
“The average dealership has 10 to 15 third parties that get in and enrich their data or do something there,” Foote says.
“I do the ‘who-what-when-where-why’ with dealers. ‘Who was in your system? What were they doing? When they were they there? Why? And what did they take?’
“Asking that and tracking that provides a better eco-system for the flow of information. We’ve investigated a number of situations where data leaks out, and 100% of the time it comes back to a dealership employee giving access to a third party. We’re doing our job; our platforms are secure. But it’s not just about building a bigger moat or higher wall.”
Foote’s mother and father both were Los Angeles County sheriff deputies. He carries their spirit of doing the right thing, but doesn’t share their occupational hazards.
“I’ve always been a do-gooder. My job lets me be that without someone putting a gun in my face.”