SAN FRANCISCO – Authorized vendors by agreement routinely tap into auto dealer computer systems for legitimate business reasons. Those range from providing Internet leads to running customer-relationship management systems.
But if one of those plugged-in vendors gets hacked, dealer data by association could become part of the stolen goods.
“It’s a major area of concern for dealers,” says Brad Miller, associate director-legal & regulatory affairs for the National Automobile Dealers Assn., which is holding its annual convention here.
“Service providers can be a source of breaches,” he says during a panel discussion entitled “Protecting Your Customers’ Data” at the American Financial Services Assn.’s vehicle finance conference held in conjunction with the NADA event.
“It’s a big dealer issue because dealers rely on service providers,” Miller says. “The way it works is that you are exposing this data to all sorts of people.”
NADA works with its members to help them avoid becoming hacking victims whether directly or indirectly through a vendor suffering a security breach.
The trade association has created a template contract for dealer vendors to sign, binding them to extract and use only information they need from a dealership management system, and for stated purposes.
That in part is intended to prevent vendors from selling such information to third-party businesses, a practice that heightens the risk of a store DMS breach.
Doing regular data audits is another way to fight and detect digital information rip-offs, Miller says.
Some attacks are easier to fend off, says Tony Buffamonte, a security adviser at KPMG. "The average garden-variety breach can be avoided or mitigated. That takes out of the picture a sectiion of attackers; those that are very specific."
But virtually no system is failsafe, Miller says. “It’s discouraging to have to say that no matter what you do, you can’t be guaranteed of stopping everything.”
Boulton Fernando, Toyota Financial Services’ chief security officer, agrees.
“There is no 100% security, but you can make it as difficult as possible to breach your system” he says.
He analogously adds: “If there are two laptops on a table, and one is locked and the other isn’t, chances are the unlocked one will be stolen.
“You don’t have to be the fastest person to run away from the bad guy. You need to be faster than the other guy running away from the bad guy.”
Miller tells of a company that spent $250 million on cyber security, and still became a victim. “It’s not always a case of throwing money at a problem,” he says.
When Fernando speaks with Toyota Financial decision makers about security issues, he tries to keep it simple.
“Avoid technical jargon,” he advises. “Tell a story. Use analogies, like bullet-proof glass at a bank. I don’t go in and say, ‘Here’s the ROI on security.’”