I’m often asked how many dealerships have experienced a data breach, hack, or cyberattack. The answer is, “no one knows for sure.” Because, understandably, most dealers that have experienced this type of attack don’t want to talk about it publicly.
Just because auto dealers are prime targets for cybercriminals, doesn’t mean your dealership has to become their next victim.
But whenever I’m speaking somewhere, multiple dealers reach out to me afterwards to tell me their stories about how they have, in fact, experienced a breach or cyber theft. Just recently, I heard about a dealership employee who was scammed into wiring $75,000 to a cybercriminal’s bank account.
My belief is that cyberattacks are happening fairly frequently, and auto dealerships are prime targets because they have exactly what cybercriminals are looking for, and because their information technology (IT) systems and policies tend to be outdated, or not a top priority.
What Do Cybercriminals Want?
Like most criminals, cybercriminals are motivated by money, and go about getting it in one of several ways.
One way is to steal your customer data and sell it on the dark web. Auto dealerships have vast amounts of customer data contained in their technology systems, including credit applications, credit scores, bank account information, and social security numbers.
Another common way to steal money is wire fraud. This is most often perpetrated by a sophisticated phishing scheme, where a cybercriminal poses as a senior executive and sends someone in the accounting office a “spoofed” email containing a wire request. To the accounting person, the email and request appear to be legitimate, so they wire the money.
Cyber criminals can also gain access to a dealership’s bank accounts by installing a type of malware that tracks the keystrokes of computer users. If a user has access to your dealership’s bank account, the cybercriminal simply waits until they login and captures the login credentials. Once they have this information, the cybercriminal transfers money out of your account. Fortunately, this type of theft is becoming less common with the increasing usage of two-factor authentication to verify all bank logins.
Outdated IT Systems and Policies
As a whole, auto dealers tend to lag behind other industries when it comes to investing in their IT systems, making them more vulnerable to attacks. According to Total Dealer Compliance, only 30% of dealers employ a network engineer with computer security certifications or training, and more than 70% of dealers are not up to date on their anti-virus software.
Many dealerships also use outdated software, such as the Windows 10 operating system. This makes them incredibly vulnerable to cyberattacks, since Microsoft is no longer issuing security patches for Windows 10, making it easy for hackers to gain access to your network.
Since 91% of all data breaches start with a phishing attack, it’s essential for dealers to train their employees on how to identify and avoid phishing emails. Enrolling employees into an automated security awareness training program is by far the most effective way to prevent a data breach.
It’s also critical that every dealership has a set of written policies and standards regarding its IT operations. These include:
- Incident Response Plan: If a data breach or cyberattack occurs, do you know how to respond? This plan details the steps that should be taken, the people that need to be involved, and what should be communicated to whom.
- Acceptable Use Policy: This set of rules establishes guidelines for how the IT environment may be used.
- Minimum Access Policy: This defines the minimum-security requirements for devices and user access to the network, including rules for password complexity, authentication standards, and specifics around patching and anti-virus software.
- Data Classification Standards: A list of data and assets that are sensitive and critical to the organization (such as customers’ personal and private information, financial data and any trade secrets), where this data resides, how it should be handled, and who requires access.
Additionally, every dealership should purchase some type of cyber liability or data breach insurance, which offers financial protection in the event of a successful breach or attack.
Just because auto dealers are prime targets for cybercriminals, doesn’t mean your dealership has to become their next victim. Take the necessary steps today to protect your customer data, your bank accounts, and your reputation.
Erik Nachbahr is president and founder at Helion Technologies.