From physical threats to cyberthreats, dealerships are facing more risk on all sides. We look at what you can do to help reduce your risk.
Not a single player in the automotive industry, from OEMs to dealers, suppliers, and consumers, has been left untouched when it comes to physical and/or cyber security issues.
Towards the end of July, the Motor Vehicle Retailers of Ontario (MVRO) sent out an urgent notice to its members highlighting the importance of protecting dealership valuables after at least three stores in York Region, Ontario, were broken into.
“Thieves are finding new ways to target our dealer members and we need them to remain ever vigilant to protect their businesses,” said Executive Director Todd Bourgon at the time, in an interview with Canadian auto dealer.
Other dealerships in Mississauga, the Greater Toronto Area, and Brampton were also targeted around the same period. Vehicles and point-of-sale equipment were stolen. Bourgon said the thieves hacked into the POS system, stole money through chargebacks, and gained access to the cash register and keys.
Québec tops all other provinces when it comes to vehicle theft, with special attention given to Montréal. But Toronto is moving up the ranks, as a number of thieves from the French-speaking province now operate out of Ontario.
Data from Équité Association, a not-for-profit organization that supports Canadian property and casualty (P&C) insurers, shows that auto theft is up 48.3 per cent in Ontario, 50 per cent in Québec, 18.3 per cent in Alberta (following years of decline), and 34.5 per cent in Atlantic Canada — all year-over-year.
“Criminals are now taking advantage of the outdated standards,” said Bryan Gast, VP of Investigative Services for Équité Association, in a statement.
A 2023 survey conducted on behalf of the CAA Insurance Company found that a growing number of consumers in Ontario (47 per cent) are “very concerned” about the situation. That figure jumps to 57 per cent when considering respondents living in Toronto and within the GTA.
Some companies have released products to help improve physical security, such as Tag Tracking, an anti-jamming technology supplier. They have an anti-theft system that was designed and manufactured in Canada, and is described by the company as having an estimated deterrent effect of 99.82 per cent. The system is independent of the vehicle’s battery, which makes it more difficult to dismantle.
But physical security is only part of the problem, as cyber threats and attacks are also on the rise — and consumers are taking notice.
TransUnion Canada’s Consumer Pulse study for the second quarter of 2023 found that 80 per cent of respondents have concerns about cyber security, including credit card fraud (51 per cent) and identity theft (49 per cent). In fact, 48 per cent of consumers were targeted by a fraud scheme within a three month period, and 6 per cent fell victim to the same thing.
The most popular fraud schemes that target consumers, based on the report, are vishing — fraudulent phone calls — (46 per cent, up 3 per cent), phishing — fraudulent emails (45 per cent, down 1 per cent), and smishing — fraudulent text messages — (41 per cent). Identity theft (14 per cent) is up 4 per cent.
Most attacks stem from an actual person and relate to emails and other similar types of online communications. “It’s always or almost always how companies get screwed,” said Étienne Parent, Business Development Manager at MicroAge Québec, which offers cyber security services.
“The hackers remain on the client’s network infrastructure for many months. We’re talking about six, eight, 10 months, where the hackers stay inside the company digging, seeing what they are capable of doing, if they can delete the backups or infect the system.”
Once they do this, Parent said the hackers will launch a procedure to encrypt the data. “At this point, it’s a bit like the end. If we realize it at the right time, perfect. If we don’t realize it at the right time, well…”
This is where a number of solutions come in, such as bringing forth a much older backup, turning to insurance or, as some companies will do, paying the ransom in hopes of getting their data back. However, Parent said the latter option is never a certainty, since the company is negotiating with thieves.
Overall, cyber attacks are expensive, time consuming, and result in loss of confidence on the part of the company’s clients and employees. Hackers are also more advanced and modern in their approach now, including in their messaging, which is more in-line with what you would expect from the business or person they are mimicking.
“We always have to keep in mind that every email we open is potentially infected or an attack,” said Parent, adding that within the next 10 years he believes it is almost certain that all businesses in Québec will be attacked at least once. “It’s now a career to be a hacker,” he said.
People need to be on guard. Research released this year from NordPass found that employees of the world’s biggest companies from 31 countries use very poor passwords. They discovered this when exposing 10 of the most commonly used passwords in the automotive sector. Passwords such as 12345 and “password” made the top of the list.
Others used a variation of their company’s email domain.com: an abbreviation of the company’s name, part of the name, or the name combined with other words or symbols. And although NordPass has no data representing auto retailers specifically, they do assume the passwords of dealership employees would not be much different from the ones they presented for the auto sector.
“Same as regular internet users, people working in the automotive industry tend to choose easily-memorable passwords, namely number combinations (e.g., ‘123456’), keyboard sequences (e.g., ‘qwerty’), names (e.g., ‘Tiffany’), and similar,” said Emilija Gaivenytė, PR Manager at NordPass, in response to an email inquiry from Canadian auto dealer. “Based on the research, represented company names or their variations often end up in passwords people use to secure work accounts.”
The issue is not without solutions: creating a more complicated password does not take long, and dealerships can consider a security risk assessment. For example, the New Car Dealers Association of BC (NCDA) said it worked with HUB Insurance to offer a complimentary cyber scan to dealer members in British Columbia. That assessment is an external vulnerability scan, according to Rachel LeGear, Account Manager for Transportation, HUB International Insurance Brokers.
“They effectively ‘see what a hacker would see,’” said LeGear in response to an email inquiry from Canadian auto dealer. “Coalition passively collects external data on your organization’s Internet facing IT infrastructure.” She added that they do not perform active collection of information, including penetration testing against the organization’s networks, without explicit permission.
The NCDA also created a Cybersecurity Toolkit this year: a resource developed for its members in partnership with HUB International and with support from Clyde & Co (Cyber Risk). It contains a set of guidelines to help members manage cyber security strategically, since risk cannot be fully removed.
“The importance of having a plan in place to protect a dealership’s people, property, and profitability is vital and cannot be underestimated,” said the association’s president, Blair Qualey.
Last year, the average ransom payment reached $298,755, according to HUB and Coalition Insurance data.