Proactively employing professional cyber security means you can focus on selling cars
The “digital ecosystem” for the auto industry is more complex than ever before, and this has improved productivity, convenience and accountability for most dealers and buyers. Investing in cloud and digital transformations is undoubtedly important to reduce costs, remain competitive, and improve the customer experience.
The catch is, new platforms and technologies almost invariably introduce new vulnerabilities and third-party risks. Left unchecked and unmitigated, these can provide a convenient entry point for cyber criminals to gain access to other systems and networks within your dealership.
“The biggest threat to the auto industry? Like for most organizations, it’s quite probably ransomware, ransomware, ransomware,” said David Masson, of Darktrace Cyber Security. “That’s because for threat actors, it’s the easiest attack to do. And it’s also because it’s the easiest to monetize.”
Greg Uland, Vice President, Brand Marketing for Reynolds and Reynolds, said to Canadian auto dealer, “It’s interesting right now because cybersecurity is one of those things that most businesses don’t think about proactively a lot. It’s something that gets thought about reactively when something happens to them, or happens to one of their friends.”
Today’s ransomware attacks are advanced, and standard virus checkers do not detect them right away. “Now, the hacker’s tools land on that PC, they don’t do anything. They hide, they open a back door and then they scan the network,” said Brad Holton, founder of Proton IT, which was recently acquired by Reynolds and Reynolds. “They start looking for other devices. They start exfiltrating data, trying to figure out what kind of data’s here. They try to figure out where the keys of the kingdom are, all the passwords, all the data that’s valuable to the dealer. And then, once they really have a good understanding, they really own the environment. That’s when the attack happens.”
The effects can be catastrophic for a business. “The entire network comes to a complete stop, dealers can’t do anything,” said Holton. “I mean, they can’t do service work. They can’t sell cars, they can’t take trade-ins, they can’t fund deals. They can’t get loans. Everything comes to a screeching stop until you deal with the problem.”
So what can you do?
Recognize that your IT department and your Cyber Security are separate entities.
Day to day IT operations in a dealership are not that complicated. Keeping the internet running, buying and upgrading computers, and keeping the printers working are all aspects of a functional IT person. “That has got nothing to do with keeping the door shut,” said Holton. “Totally different mindset. To be able to really defend against what we’re seeing in daily attacks, you’ve gotta have a team that is trained on this. That is keeping up to date with what the latest attacks are.”
Treat professional cyber security as a business expense, just like your property security.
A professional cyber security company will handle everything from simple things like setting up a firewall to highly complex operations like “penetration testing”. Holton explains how old-school anti-virus software might not help against modern attacks. “Old-school antivirus would see what you’re trying to download, would compare it to a database and say, ‘You know, I think that’s a bad file because we’ve seen it before. So we’re going to block it.’ That’s traditional antivirus, and that’s really all it does,” said Holton.
“Hackers now, using these really automated toolkits, can generate brand new files every single time they do an attack. So when someone downloads a file, that file is modified a little bit to change the signature of the file. So, if you have old-school antivirus, it’s never seen that file before because it’s being generated on-the-fly.”
“So we do ongoing vulnerability scans, which is where we’re looking at all of the devices and the software at a dealership, to make sure that they have everything configured correctly and all the latest security patches are there. And then those are taken care of. But we also do penetration testing, which is a little more in depth. It’s simulating a full-blown hacker experience and looking to see what are the methods that breach, what the exploits are and where the weaknesses are. And then you clean those up.”
“It is a highly technical skill to secure a business,” said Nikhil Kalani, the Chief Information Security Officer for Reynolds and Reynolds. “To get that technical skill requires a significant investment to hire and retain people with the right skills. And then for those people, they’ve got to see a large volume and variety of attacks to be good at this job. So frequent practice with incident handling is required to do the job well, because during an attack, you cannot hesitate.
“You know, you can send alerts to a cell phone while the operator is sleeping and hope it wakes up the operator,” said Kalani. “That’s really not 24-seven monitoring, in our book. To us, it is people sitting at a console around the clock, 365 days a year, truly monitoring.”
Get cyber liability insurance
As a general rule, in order to even qualify for cyber insurance, a business needs to prove that they are employing extensive security measures. “The insurance will possibly pay the ransom or it could pay the costs of losses,” said Holton. “So for instance, in the case of business interruption, insurance may cover the entire time that you’re down, or potentially all the lost revenue. It could cover all the consulting fees to bring in people like Proton, who can clean everything up and get it back to normal.”
But to get insured these days you have to prove that you are doing your best to proactively prevent an attack. In the past the insurance form would simply ask you how much money your business made, and insure that. Now, according to Holton, “it’s a seven-to-eight page document, asking what level of security do you have? How are you handling this? Who takes care of your firewall? Who’s the endpoint detection program who’s managing this? If you can’t fill it out, you’re probably not getting insurance.”
Virus check your incoming inventory
“Five years ago, the dealer wouldn’t even think about the data on the car,” said Holton. “Now, you know, one of the processes the dealer has to go through is to reset and clean out all the data that has been stored in a used vehicle.” Cars are now just extensions of our mobile devices, and hold onto that information, even after you sell the car.
Here again, being proactive is key to repelling cyber attacks. “You don’t want the bad guys to find your vulnerabilities,” said Masson. “You want the good guys to find it and then tell you. So we’re probably looking at having to do penetration testing on used vehicles pretty soon, actually.”
Make sure your third-party software suppliers are accountable
Christopher Law is the Incident Management and Offensive Security Leader for MNP Digital. He said to Canadian auto dealer, “So what we are seeing is a lot of dealers are intertwined with many third party suppliers using a number of cloud services. As a result, we are seeing a lot more third party-originating attacks against car dealerships. It’s a larger attack landscape.”
So before you sign up with any internet-connected software provider, it’s important to make sure they are securing their information and networks on their end. “It’s not good enough just to trust these cloud services,” said Law. “You have to hold them to some sort of third party or sort of external assessment which shows they have tested their security systems before you connect with them.”
Third-party IT companies, especially in rural areas, can be vulnerable. “We’ve run into smaller dealerships that use a common IT service provider that says that they use security or cybersecurity and it gets them by, but until there is a potential incident, they are just trusting the IT service provider.”
Your employees are the first line of defence
The easiest first step in stopping cyber crime is training your whole dealership team on good cyber hygiene. Your people and your vendors are the first, and often most effective, line of defence. Training your team on basic security practices like how to create and protect secure passwords and how to identify and report phishing emails can reduce your threat by up to a third. Creating a cyber awareness program, updating internal policies and procedures, and ensuring staff are regularly updating their software can lower your risk even further.