Auto dealerships collect, store, and process a ton of personal information, from names, phone numbers, and addresses to sensitive financial information used for loans and purchasing cars. However, dealerships, like many other businesses, often lack security savvy and IT maturity. Read this article to learn about common cyber risks you might face as a dealership and how you can mitigate these risks.
Auto dealerships are prime targets for cyber attacks. It was reported last year that 3.1 million pieces of Toyota and Lexus customer data were breached after an attack on dealerships in Japan. Auto dealerships are faced with a myriad of cyber risks and must be prepared, especially since a survey by Total Dealer Compliance found that 80% of consumers would not purchase a car at a dealership that experienced a data breach.
Social engineering attacks rely on manipulation in order to access sensitive data and/or systems. Forms of social engineering include phishing and business email compromises (BECs). Phishing is a huge problem across industries. In a phishing attack, the attacker might send an email from an address that looks almost like the real one. For example, an “I” might be switched with a “1”. The email could contain a malicious attachment or a link to a website that installs malware.
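The look-alike address trick described above can be checked mechanically on the receiving side. This added example (not part of the original article) flags sender domains that imitate a trusted one; the domain `midtown-auto.test` and all sample addresses are constructed, and the character-folding table is a small illustrative subset.

```python
# Added example: flag sender domains that imitate a trusted domain.
# TRUSTED_DOMAINS and every sample address below are constructed placeholders.
TRUSTED_DOMAINS = {"midtown-auto.test"}

# Characters commonly swapped for look-alikes, folded to one representative.
CONFUSABLE = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s"})


def skeleton(domain: str) -> str:
    """Lower-case the domain and fold look-alike characters together."""
    return domain.lower().translate(CONFUSABLE).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches one added, dropped or changed character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for an email address."""
    # Take the text after the last '@' so 'a@trusted@other' cannot mislead us.
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if skeleton(domain) == skeleton(trusted):
            return "lookalike"  # same shape once look-alike characters are folded
        if edit_distance(domain, trusted) <= 1:
            return "lookalike"  # one typo away from the real domain
    return "unknown"


if __name__ == "__main__":
    for sender in (
        "finance@midtown-auto.test",    # genuine
        "finance@m1dtown-auto.test",    # "i" replaced with "1"
        "finance@rnidtown-auto.test",   # "m" replaced with "rn"
        "finance@midtown-autos.test",   # one extra character
        "someone@example.org",          # unrelated domain
    ):
        print(f"{sender:32} {classify_sender(sender)}")
```

A mail filter or reporting script can route `lookalike` results to quarantine or manual review before anyone acts on a payment request.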
BEC attacks are on the rise, especially for luxury dealerships. In a BEC attack, the hacker may have already gained access to a trusted email account. They might then use that email account to request a fraudulent wire transfer or direct a dealer’s accountant to a fake bank website, where they steal login information.
Ransomware is now the top form of cybercrime, and auto dealerships should beware. During a ransomware attack, hackers hold your data and/or systems for ransom, claiming that if you pay them x amount, probably in bitcoin, you’ll get access to your data again.
Last year, one of the largest car dealerships in South Florida experienced a ransomware attack, which prevented them from servicing vehicles and selling cars and parts. While the owner refused to pay the ransom, he still ended up spending nearly $300K on new computers for his employees.
Not every dealership has dedicated IT staff or staff knowledgeable about cybersecurity. Even with a cyber-savvy employee in place, everyone else on the team still needs to be trained. There are a variety of free training resources around the web to help you get started, but it’s important to implement an ongoing training program to create a culture of security, to help ensure awareness as threats evolve, and to train any new employees. Human risk is a vulnerability for every business, and by empowering your team with knowledge, you can reduce that risk.
Keep Your IT Infrastructure Up-to-Date
Are the computers at your dealership still running Windows 7 or older OS versions? Do you have automatic updates set up for your software? According to Total Dealer Compliance, over 70% of dealerships are not up-to-date on their antivirus software. It’s important to update both your software and hardware on a regular basis and whenever security patches are made available. Hackers can take advantage of known vulnerabilities to breach your systems and steal data.
More and more businesses are realizing the importance of having a comprehensive cyber insurance policy in place in order to protect themselves from the financial impact of a security incident. Having cyber liability coverage is the ultimate safety net and can help dealers recover from a data breach.
Restrict Access to Dealership Wi-Fi
The Wi-Fi network your dealership management system is connected to should not be public. If you do plan to offer free Wi-Fi to your customers, make sure it’s a separate network from the one you use for actual business activities.
Encrypt and Back Up Data
Should your dealership experience a ransomware attack, having encrypted and backed-up data is key. Your data should be backed up offsite and on a separate server. If your data gets compromised or your hardware malfunctions, you will still be able to access your business’s critical data and can avoid paying a ransom.
Implement an Incident Response Plan
63% of respondents in a recent survey of dealerships said they don’t have a formal process in place when it comes to responding to security incidents or breaches. Having an incident response/disaster recovery plan will help you be prepared, and you and your team will have clear steps to follow to ensure nothing gets missed as you navigate an incident.
Due to the sensitive data collected, processed, and stored in dealership management systems and the lack of cybersecurity maturity, auto dealers are a target for hackers. Social engineering and ransomware are common threats that dealerships need to be aware of, but a combination of training, regular software and hardware updates, network restrictions, data encryption and backup, and planning should help mitigate those risks. Finally, if a security incident does occur, having a cyber insurance policy in place will help relieve the financial burden on your dealership so that your business can move forward and continue to thrive.