By Tom Tollerton, CISSP, CISA, QSA
Dealerships are not immune to the cybersecurity threats that continue to dominate news headlines. DHG’s cybersecurity work with dealers suggests that many groups are increasingly falling victim to cyber-attacks and inadvertent security lapses because they struggle with how to manage cybersecurity risk. The introduction of complex dealer management systems and supporting applications, as well as multiple third-party vendors with access to sensitive customer data, continues to increase the risk of breaches of data confidentiality.
Failure to secure systems or address related regulatory requirements may lead to increasing regulatory scrutiny, impact to earnings and market value, and may damage your dealerships’ brand and reputation. We believe in the implementation of a holistic cybersecurity risk management program to help dealerships prevent cybersecurity incidents, and there are three key objectives dealer groups should address as they attempt to mitigate risk associated with a data breach.
1. Objective Assessment and Ongoing Management of Cybersecurity Risk
Effective security is a process, not a destination.
Cyber risk assessments should be conducted from multiple angles, include thoughtful review of all key business processes and systems, and follow industry standard guidance to ensure coverage is comprehensive and appropriate. For the most effective result, the party responsible for performing the assessment must:
- Have an objective perspective. An assessment by an entity outside of the dealer’s IT function is ideal. However, if IT management is tasked with performing a cyber risk assessment, a third party with dealership and cybersecurity experience is preferred. Consider implementing this as part of your dealerships’ annual internal audit process.
- Address people, processes and technology. Cyber risk is not exclusively a “technology problem.” Employees, contractors, vendors and even customers – and the processes they follow – can create vulnerability points that increase the likelihood of an incident. Simple education for all patrons can be a cost-effective tool in mitigating risk.
- Maintain the process. Ongoing assessment of risk is key. A risk management program that does not regularly seek to identify new risks, based upon changes in the industry and business environment, will not be effective. The assessment should be revisited, at a minimum, annually.
2. Culture of Cybersecurity Awareness
People are the weakest link in the chain when trying to avoid a cyber incident.
Employees are the first layer of defense against most cyber-attacks, yet many dealerships fail to educate their user base on current cyber threats or necessary secure IT practices. Responsibility for creating a culture of awareness is typically not designated as a high priority in dealerships, and employees are often compromised via sophisticated phishing attacks that result in malware infection, theft of sensitive customer information, or fraudulent wire transfer of funds.
Establishing a culture of cybersecurity awareness reinforces the importance of cybersecurity risk management across the dealer group. Culture, in any organization, is always driven from the top levels of ownership and management down to all employees. Critical aspects of cybersecurity culture include:
- Assignment of cybersecurity leadership. One employee (preferably a member of senior management) should be responsible for oversight of the cybersecurity program, including training and awareness.
- Cybersecurity policies and procedures. Requirements for how the dealer group secures its systems and data should be documented, and all employees must adhere to them. Violations should be subject to disciplinary procedures.
- Security awareness program. ALL employees should be made aware of current threats and attack vectors used by cyber criminals to damage the dealership. Training should be conducted annually and should also incorporate good security practices to prevent a compromise. Periodic reminders should be sent via email to keep security top-of-mind.
3. Incident Response Preparedness
The effectiveness of a dealership’s cybersecurity incident response program directly impacts the ability to minimize impact to business operations.
While introducing new technology and processes to prevent a data breach is of utmost importance, a cybersecurity risk management program is not complete without a comprehensive and documented Incident Management Plan. This plan is designed to guide the dealership through a suspected security incident that may involve the compromise of confidential data and systems.
- Roles and Responsibilities. A critical component of an incident response plan is defining key tasks and responsibilities and assigning them to appropriate personnel. Management must know who will be counted upon to carry out key tasks, such as forensic investigation and legal response.
- Legal Obligations. Most states have data security and breach notification requirements that dealers must adhere to in the event of a cyber event that impacts the confidentiality of consumer information. Dealerships must track these requirements and keep the plan up-to-date with appropriate procedures and contact information.
- Communication. An effective incident response plan clearly outlines expectations for communicating an incident, both internally and externally.
Commonly overlooked cyber risks at dealerships:
- Mergers and acquisitions: As dealer groups merge, disparate IT systems with varying cybersecurity protections can introduce weak links into the IT environment. You’re only as secure as your weakest system. Cyber due diligence during the M&A process is critical.
- Shadow IT: Unauthorized use of personal devices on the corporate network is a common setup in service garages. Poorly configured personal devices, which may already be compromised with malware, often create a vulnerability point for attackers to exploit.
- Integration with third-party vendors: Onboarding new service providers may require the vendor to connect directly to your IT network. Vendors who have been compromised and have access to your systems may impact your own data security.
Tom Tollerton is senior manager, cybersecurity at DHG LLP. He can be reached at 704-367-7061 or tom.tollerton@dhg.com.
DHG Dealerships serves more than 1,500 rooftops across all 50 states, representing dealerships of all sizes.