As technology continues to evolve, so do the threats that come with it. Car dealerships, once primarily concerned with physical security, now face significant risks in the digital realm. Hackers are increasingly targeting auto dealers, exploiting vulnerabilities in their IT systems and customer databases.
With sensitive personal and financial information at stake, the need for robust cybersecurity measures has never been more urgent. This article explores why cybersecurity is crucial for car dealerships, highlighting the rising tide of cyberattacks and the critical steps these businesses must take to protect themselves and their customers.
Hackers are Increasingly Targeting Auto Dealers
In an article excerpted here, Security Intelligence wrote, “Auto dealerships are increasingly concerned with cybersecurity in the face of new regulations and an alarming rise in cyberattacks. The Second Annual Global State of Cybersecurity Report by CDK Global found that 85% of dealerships say cybersecurity is very or extremely important relative to other operational areas. Additionally, 89% say cybersecurity is more important than last year, a 12% increase. Not surprisingly, only 37% of auto retailers are confident in the current protection, which is a 21% decrease from 2021.
The study also found that dealerships experienced an average of 16 days of downtime after a ransomware attack, with an average payout of $228,125. However, the biggest impact of attacks on dealerships is likely the impact on customer loyalty. Some 84% of customers say they would not buy another vehicle from a dealership if a breach compromised their data.
With 36% of data breaches at dealerships related to phishing, it’s not surprising that dealerships rated phishing as their top concern. Other top threats included ransomware, lack of employee awareness, theft of business data, PC viruses or malware, and stolen or weak passwords.
Increased vulnerabilities at dealerships
Attacks related to phishing schemes are typically related to user error. According to the National Automobile Dealers Association Workforce Study, the annual turnover rate across all dealership positions is 24%. While this rate has gone down in recent years, dealerships still see relatively high employee turnover. This makes training and compliance a continuing challenge.
Dealerships typically also have unsecured wireless networks for customers to use while at the dealership. While this is a nice perk for customers, especially those waiting for their cars to be serviced, hackers can more easily gain access to customer data through unsecured networks. By moving to guest networks and providing passwords, dealerships can provide more protection and decrease risk.
The CDK Global study found that almost 60% of dealerships plan to increase their IT infrastructure investments. Top investments included antivirus and malware protection tools, which saw a 31% increase from 2021. According to the report, dealers are also updating cybersecurity measures to protect them from top threats such as phishing and ransomware. Other planned investments reported by dealerships include securing endpoint devices, investing in cybersecurity insurance, and continuing staff training.
Dealerships must comply with the Safeguards rule
In addition to the increased threats, many dealerships are focusing on cybersecurity to comply with the FTC Safeguards Rule. As a non-bank financial institution, auto dealerships specifically fall under the Safeguards Rule, which requires businesses to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe.
To meet the requirements, dealerships must:
- Designate a qualified individual to oversee their information security program
- Develop a written risk assessment
- Limit and monitor those who can access sensitive customer information
- Encrypt all sensitive information
- Train security personnel
- Develop an incident response plan
- Periodically assess the security practices of service providers
- Implement multifactor authentication or another method with equivalent protection for any individual accessing customer information.
Complying with the requirements requires careful planning and time for implementation. By beginning today, your dealership will be ready to meet the new regulations and reduce its vulnerability.”
Auto dealerships are facing increased cyberattacks and new regulations, making cybersecurity a top priority. Key concerns include phishing and ransomware, exacerbated by high employee turnover and unsecured networks. To combat these threats and comply with the FTC Safeguards Rule, dealerships are investing in IT infrastructure and security measures. This proactive approach is essential for protecting customer data and maintaining trust.
Why Do Dealerships Need to Invest in Cyber Security?
In an article excerpted here, ACV wrote, “The vehicle market has become increasingly high-tech with each passing decade. Consumers would be disappointed to find new vehicles that don’t have basic infotainment features, such as Bluetooth connectivity for cell phones, self-driving features, and computerized troubleshooting.
While additional features are wonderful, the increased connectivity means an increased susceptibility to security breaches. Similarly, the technology used at dealerships for storing and utilizing customer information is also vulnerable because it could be useful to a malicious actor.
Why Are Dealerships a Target of Cybersecurity Threats?
There are several reasons that dealerships could be a target of a cyber-attack. The first consideration is what there is to gain. Dealership systems are capable of storing a lot of personal customer information. This can include identifying information such as addresses, names, and phone numbers. It may also contain financial records or payment information. Aggregated data can be very valuable on its own, but a hacker may also use the information to access customer accounts at financial institutions.
Another cybersecurity threat is known as a ransomware attack. In one of these, users are locked out of their own system, or access to information has been removed. The perpetrator then demands a payment to release the assets back to, in this case, the dealership. If this seems unlikely, it’s even happened at a police station.
Aside from the reward for a cybercriminal, the other motivator is increased vulnerabilities at car dealerships. This could be due to outdated systems, lack of anti-virus software, or user error. The last is often the easiest way for malicious actors to get in: a lack of individual passwords for employees to access systems, poorly chosen passwords that are easy to guess, or information that can be accessed without any security measures at all. Lack of training about how to secure systems and the high turnover rate of dealership employees make it more likely for this door to be open to threats.
Some employees may also be more vulnerable to phishing attacks. Phishing attacks are when a malicious actor utilizes digital communication, such as emails or text messages, that include links to hazardous files. These are made to look like legitimate communications using templates such as promotional emails, account updates, or invoices.
A user who believes their content is legitimate may click on an included link that leads to a virus or other malware, opening a door to the network. They may also respond to the communication with financial or other compromising information, thinking they are sending it to a valid source.
Another threat to security, specifically at dealerships, is Wi-Fi networks that are not password protected. Unprotected Wi-Fi networks are an easy point of entry for hackers, especially if the dealership systems are utilizing the same Wi-Fi.
What Is at Risk?
What are the real potential losses of a cybersecurity attack? For starters, financial loss. This may come in the form of an outside actor accessing the dealership’s banking or transaction information, which can lead to a loss of access to customer data needed to process transactions and follow up with consumers.
If consumer information is stolen, customers are less likely to trust you as a dealership, knowing that their personal information isn’t stored safely there. This could have a direct impact on reputation and, therefore, long-term sales.
Depending on the size of the dealership and inventory, loss of information could be detrimental to knowing what is and isn’t in stock, vehicle repair information, and more. The operational costs of recreating this information can add up quickly.
How Can a Dealership Protect Itself?
There is no shortage of ways to guard against a cyberattack. These are merely a few foundational items to consider:
- Don’t leave the proverbial front door open: Make sure all computer systems require password protection, and that employees know how to create and protect effective passwords. This is the simplest step to implement, much like remembering to lock the door when leaving the house.
- Consider multi-factor authentication when accessing key systems and sensitive data: This introduces a second step for verifying a user, such as a code sent to a personal phone number.
- Educate your team: Make sure employees are professionally trained in how to identify security threats, such as avoiding phishing scams.
- Implement a data backup system: Ransomware attacks hold information hostage, and a malicious actor may try and destroy the stored information. Back up vital information in case it is lost to minimize informational and financial losses.
- Consult with a professional to develop a response plan if an attack does occur: How will you cut off access to the system? Who will you reach out to for help? How will you keep the business running?
As dealerships become more dependent on advanced technology, it’s important for owners to make sure their training and processes are up to date. Investing in security and education empowers teams to provide exceptional customer service and the assurance that all data is well-protected.”
Car dealerships face increasing cybersecurity threats due to their high-tech systems and valuable customer data. Personal and financial information stored in dealership systems make them attractive targets.
Ransomware attacks and phishing scams are common, often exploiting outdated systems and user errors. Unprotected Wi-Fi networks also pose significant risks. Cyberattacks can result in financial loss, damage to reputation, and operational disruptions.
Dealerships must implement password protections, multi-factor authentication, employee training, data backups, and response plans to safeguard their data and maintain customer trust.
Why Building A Culture Of Data Security Is Important For Dealerships
In an article excerpted here, Kelser wrote, “If you manage or own an auto dealership, you understand the need for data security. In addition to safeguarding your own sensitive information and that of your customers, there are regulatory obligations such as the Federal Trade Commission’s (FTC’s) Safeguards Rule to consider as well.
While tools can help, the best way to protect your data is to build a culture of data security.
In this article, we’ll explore how to build a culture of data security that will not only protect important data but also keep you in compliance with the Safeguards Rule. We’ll explain what’s involved and dive deep into four key elements of successful data security cultures.
The truth is that simply implementing tools does no good without a culture that is actively engaged in monitoring and implementing information security enhancements regularly. Everyone has a role to play.
So, what’s the best way to establish and maintain a culture that keeps IT compliance and cybersecurity top of mind, while engraining the idea that overall information security is the goal? I get asked this question a lot, and I’ve identified several key characteristics that set organizations with strong IT security cultures apart from the rest of the pack.
I’ll identify and explain four characteristics of organizations that have institutionalized strong information security cultures. You can use these characteristics to implement or strengthen your organization’s culture of data security.
What Is An Information Security Culture?
An information security culture is one in which every employee understands their role in keeping information safe. This culture includes policies, procedures, and training that inform users about compliance and cybersecurity.
Most importantly, it focuses on developing a culture in which everyone acts to protect your company’s data from any unauthorized access (not just electronic access).
Why Is An Information Security Culture Important?
Organizations have all kinds of sensitive information ranging from the recipe for their secret sauce to government-regulated design and manufacturing specifications.
No matter whether the information is important to the organization’s product or to international security, information that would be damaging if it were released publicly must be protected.
An information security culture ensures that every employee understands and embraces their role in protecting sensitive information.
4 Key Elements Of An Information Security Culture
Many elements combine to create and foster a strong information security culture. Here are four that are key to success:
1. Policies & Procedures For Auto Dealerships
Develop and implement a comprehensive data security policy and procedures that support it. Ensure that you balance the need for compliance and security with user productivity.
Here are some characteristics of successful cybersecurity policies and procedures:
- Balanced: Effective cybersecurity policies and procedures are powerful enough to block unauthorized network intruders but permissive enough to let your employees and business partners use the information they need in a streamlined way.
- Understandable: They should be easy to understand so that every single employee in the company, no matter their title or function, fully understands what threats are being addressed and how to play their part.
- Evolutionary: The tools and procedures you had in place to protect data last year may no longer be enough to mitigate emerging threats. Your policies and procedures need to be revisited regularly (every 6-12 months) to ensure that they reflect the latest threats. Review, adjust, and get approval before implementing updates. Maintain copies of past cybersecurity policies and procedures so that you can revise them without repeating past mistakes. In addition, call together your technology team to address new issues as they arise.
- Automated: We are all human, and we all make mistakes. The more you automate, the less room there is for employees, vendors, suppliers, and distributors to make mistakes.
- Standardized: All team members should adhere to the same rules when handling company or customer data. Every entrance into your system and infrastructure can potentially expose your data. Your policy should include consequences for not following policies and procedures, which should be enforced equally across the board.
- Multidisciplinary: Your policies and procedures must address the needs of all stakeholders, giving them an equal voice and relying on input from people who know how their departments work. Be sure your policies and procedures apply equally well across the organization and don’t inhibit efficiency.
- Flexible: While the policies and procedures are standardized, exceptions will occur. Offer a standardized exception process that is documented, accountable, and well-organized.
- Actionable: Even the most comprehensive cybersecurity policy might not be enough. Vulnerabilities may be discovered, sensitive data might be exposed, and quarantining certain elements of your network may be necessary to keep your business safe. Include decisive, responsive, and reliable solutions to various possible threats and incidents.
2. Training & Education For Dealership Employees
Help foster a security culture through ongoing training and education. This training should be conducted regularly to ensure that all employees know how to recognize and report emerging and existing threats.
3. Security Audits For Auto Dealerships
Regular vulnerability scans and penetration tests help identify vulnerabilities in your infrastructure so that you can address them and strengthen your overall security.
Vulnerability Scan
A vulnerability scan (or “vulscan”) is an automated tool used to identify everything that is running on your network(s) and find weaknesses in devices, servers, networks, and applications. This scan is performed at a high level often without login credentials just to see what open information can be accessed.
Vulnerability scan software is commercially available, or you can hire a professional IT team to perform the scan for your organization.
Penetration Test
Penetration tests are not usually automated and are basically authorized cyber attacks.
They involve an IT professional who pokes around your network to see what vulnerabilities exist and what the consequences would be if those vulnerabilities were exploited by someone with malicious intent from inside or outside of your
4. Monitoring & Updates For Auto Dealerships
It’s important to proactively monitor your infrastructure for unauthorized access. There are automated tools that can monitor your environment and track unusual activity, giving you the opportunity to act quickly to minimize the impact of unauthorized access.
It’s equally important to install software and system updates as soon as possible.
What’s The Bottom Line?
As with any other major organization-wide initiative, the success of an information safety culture at your auto dealership is directly tied to buy-in at all levels of the organization.
When people understand the importance of the issue, the role they play, and the impact their daily actions can have, they are more likely to embrace an information security culture.
Once you make the case by identifying and quantifying the risks and rewards associated with action and inaction, people will be more likely to support information security initiatives, making it easier to engage in the overall culture.
And with the adoption of a security culture, you can mitigate the impact of emerging cybersecurity threats on your dealership.
Whether you have the resources available internally or need to partner with an external technology expert, make sure that you have the policies and procedures in place to comply with the FTC Safeguards Rule and protect your dealership and your customer data.”
The Adaptive Office Summary
Building a data security culture in car dealerships is essential for protecting sensitive information and complying with regulations like the FTC Safeguards Rule, which Canada is sure to follow. A strong security culture involves comprehensive policies and procedures, regular training and education for employees, and proactive security audits and monitoring.
Key elements include balanced and understandable policies, regular updates, and automated processes to minimize human error. Effective security cultures require buy-in at all organizational levels, ensuring that every employee understands their role in maintaining data security and the impact of their actions on the dealership’s cybersecurity posture.
The evolving landscape of cybersecurity threats makes it imperative for car dealerships to prioritize and invest in robust cybersecurity measures. The increasing frequency and sophistication of cyberattacks, such as phishing and ransomware, highlight the vulnerabilities within dealership IT systems and underscore the critical need to protect sensitive customer data.
With significant financial, operational, and reputational risks at stake, dealerships must adopt a proactive approach that includes securing IT infrastructure, implementing multi-factor authentication, conducting regular employee training, and developing comprehensive response plans.
Moreover, compliance with regulations like the FTC Safeguards Rule necessitates a structured and ongoing commitment to cybersecurity. By fostering a culture of data security, dealerships can ensure that every employee understands their role in safeguarding information, thereby reducing the risk of breaches and maintaining customer trust.
Investing in cybersecurity is not just a technical necessity but a strategic imperative that protects both the dealership and its customers, ultimately supporting the business’s long-term success and resilience.