Skip to content

How a Strong Cybersecurity Posture Can Positively Impact Your Dealership

Cybersecurity incidents and ransomware attacks are continuing to rise among U.S. businesses, and automotive dealerships are prime targets. Personal information, credit applications, and financing details are a few examples of the treasure trove of customer data obtained by dealers and stored within their dealer management systems. And this is not lost on cybercriminals.

The impact of a cybersecurity incident could have an enormous impact on a dealership. According to a recent study by CDK Global, Inc., a leading automotive retail technology company, 84% of consumers surveyed said they would not go back to the same dealer to buy another vehicle after their data had been compromised. The study also shows that nearly 50% of dealers surveyed intend to increase investments in cybersecurity in 2022, which is in contrast with 24% in 2020. An increase in investment provides a step in right direction, but knowing where to start is not always obvious. First, it’s important to understand what can be controlled and what cannot.

What if employees fall victim to a phishing attack or other data-compromising situation? Alternatively, what if employees lose their tablet or laptop, putting the device’s data at risk? There may be a natural inclination to think that bad things won’t happen to your business. However, in today’s environment, dealers should move forward with the mentality that it is not if it happens, but when it happens. While a dealer cannot control external aspects of cybersecurity, there are numerous opportunities to enhance their security and their readiness for when an incident does occur.

Dealers cannot control what their employees do, but they can prepare those employees for what an incident may look like and what the consequences would be. A common misconception is that investing in cybersecurity technology alone is sufficient to guard against an attack, but employee training and awareness is critical. Annual cybersecurity training modules can be inexpensive and are readily available. Because consumers are more informed than ever about data security, dealers can show consumers that they are taking data protection seriously by displaying cybersecurity credentials where consumers can see them.

With ransomware cases on the rise, data storage practices are more important than ever. Ransomware attackers target the backups of information. If a dealer’s backups are online and connected to the network, then they are at risk of being compromised in a ransomware attack. The primary way to protect your organization in a situation like this is to have offline backups that are not accessible from the network at all. Offline backups could be a cloud backup solution, DVDs, disk drives, or external hard drives.

While it is imperative for dealers to back up their data, those backups are not valuable if they cannot be used properly to recover from an incident. An increasing number of dealers are regularly backing up their data; however, many do not test their incident response plan, which is an internal document that shows how the organization defines an incident and what steps need to be taken in the event of an incident. Developing an incident response plan and testing it requires internal time and resources, but it is an inexpensive and critical step in an organization’s security posture.

Dealers work closely with third-party vendors, and in some cases, those vendors have direct access to a dealer’s network. The more network access points there are, the higher the inherent risk. Imagine if an attacker was able to access loan information stored by a vendor. Hypothetically, the attacker could mail notices of a change to the loan, asking consumers to send payments to a new account. The communication may look like it came from the loan holder, and the dealer would be unaware of the change until it’s too late. Due to risks like this, dealers have a responsibility to their organization and their customers to ensure that vendors working with the dealer are vetted properly. Third-party due diligence can be handled through questionnaires sent to the vendor or through assurance reports like System and Organization Controls (SOC) reports. These reports act as a seal of approval, confirming the organization’s internal controls are well designed and operating effectively.

Another way dealers can enhance their security position is by ensuring that access to data is appropriately restricted. Employee turnover and position changes occur relatively often in all businesses, and therefore, access requirements are constantly changing. Due to this, reviewing who has access to sensitive data and systems is serious and involves minimal time investment. Included in access reviews is the idea of segregation of duties. This concept disperses critical functions of key processes between more than one person or department in order to reduce the risk of fraud or error.

Implementing password requirements is another relatively simple internal control that can substantially mitigate risk in the event of an incident. The use of weak passwords for network or application authentication could lead to unauthorized access or malicious attack. Requiring passwords to be a certain length and complexity is an easy step to mitigate the risk. Cybersecurity insurance providers (among other technical security controls) are now commonly requiring the implementation of multi-factor authentication (MFA) on all email, remote access (including remote desktop protocol connections), privileged and administrative accounts, and backup solutions.

Consumers are more cautious than ever when it comes to how their data is stored and shared. Dealers must strengthen their cybersecurity posture in order to meet consumers’ expectations and to ensure the protection of the company’s information. There are numerous ways to improve a dealer’s security environment, and many don’t involve third parties or large amounts of time or monetary investment. Increasing technology to reduce cybersecurity risk is a positive step, but internal security controls are needed in order to ensure success in overall security risk mitigation.

If you would like to discuss ways to improve the current IT controls and cybersecurity risk posture at your dealership, contact your KSM advisor or complete this form.

Bobby Brown Manager, IT Risk Advisory Services

We're Looking for
Remarkable People

At KSM, you’ll be encouraged to find your purpose, exercise your creativity, and drive innovation forward.

Explore a Career Full of Possibilities