During the financing and car purchasing processes, buyers trust their auto dealer with sensitive data and personal information. Buyers consider dealership cybersecurity when they go to make a purchase, and cybersecurity incidents affect their purchasing decisions.
According to the 2021 CDK State of Cybersecurity in the Dealership, 84% of consumers said they would not go back to buy another vehicle after the personal data they had shared with a dealership had been compromised.
With their reputations at risk, cybersecurity has become a top concern for dealers. The CDK report found that 85% of dealers say cybersecurity is very or extremely important relative to other operational areas, and 77% say it is more important than it was just a year ago. With dealerships prioritizing cybersecurity, those not proactively working to reduce risk and vulnerabilities may find their revenue lagging behind that of their competitors — especially if they become a victim of an attack.
When business leaders discuss cybersecurity at dealerships, they often focus on specialized technology to prevent cyber attacks. However, the greatest cybersecurity threat has always been human error, especially in the fast-paced, sales-focused environment of a dealership. As employees spend their days answering hundreds of customer emails, it’s easy to accidentally click a phishing email that launches a ransomware attack. Or, between helping customers, employees may mistakenly enter their credentials on a phony website, resulting in unauthorized access.
Here are five cybersecurity best practices for auto dealerships.
While many dealerships provide cybersecurity training to employees, the lessons learned often fade quickly. This is especially true with annual check-the-box trainings.
Businesses often assume the IT department holds full responsibility for preventing cybersecurity attacks. But when dealerships create a culture where everyone feels responsible, employees are more likely to regularly follow best practices and report suspicious activity right away.
This starts with dealership leaders making cybersecurity a top priority and clearly communicating that with employees. This way, cybersecurity becomes a core value and focus instead of "someone else’s job."
Look for ways to incorporate education for your employees focused on cybersecurity. Consider including a two-minute cybersecurity tip at weekly meetings. Share the impact a single incident can have on the dealership, such as the fact that the average dealership experiences 16 days of downtime after an attack. Dealerships can also test their employees by creating fake phishing emails and offering prizes to those who spot the suspicious messages.
Ransomware continues to be a top threat to auto dealerships. When a dealership has a complete backup of its data, it is in a better position to effectively manage and recover from a ransomware attack. Because it can quickly return to its backed-up data, the dealership doesn’t have to consider paying the cyber criminal to regain access to that data. Additionally, the dealership can use the backed-up data to return to business much more quickly.
While the CDK report found that 65% of dealerships regularly back up their data, it also discovered that only 27% of dealerships actually test their cyber attack incident response plan. While having a recovery plan and a backup is vital, dealerships often discover issues when they test their response. For example, an employee may miss a step during the backup process or not set up the automated backup properly. If the response plan hasn’t been tested, it’s only when the dealership suffers an attack and goes to restore their data that they discover their data was not actually backed up.
Dealership employees often log in to multiple systems and apps to complete their jobs. They also use many devices to service customers and process paperwork, such as laptops, phones and tablets. The result is that employees have many passwords, which makes it challenging to create strong passwords for each system and app. Even more concerning, many end up using the same password across all logins to make it easier to remember, which also makes it easier for attackers to gain unauthorized access.
Consider using a password manager at your dealership, which makes the password situation easier for employees to handle and harder for cyber criminals to get around. With a password manager, employees remember a single password, the one that unlocks the manager, and use it to log in to all systems. Because the password manager uses encryption and different strong passwords for each site, the technology makes it more difficult for someone else to gain access.
With the high volume of emails involved in everyday work, dealerships are at high risk for phishing schemes. The Black Kite Report Ransomware Risk: Automotive Manufacturing in 2021 found that 91% of automotive companies have more than 1,000 leaked credentials on the deep web, which makes it easy for cyber criminals to launch phishing campaigns against them.
To mitigate the risk of phishing attempts, share examples of common phishing emails with employees to help improve their ability to spot them. Include examples such as emails from companies they don’t work with, email addresses that do not match the company sending the email, and emails asking the recipient to complete an action, such as downloading a file or clicking a link. Create a checklist for employees to follow when they suspect they’ve received a phishing email. The checklist should include the name of the person at the dealership to alert and the instruction to not click any links or respond to the email.
Applications and devices often fix cybersecurity vulnerabilities with updates. However, cyber criminals know that many employees and organizations don’t apply those fixes in a timely manner. The Black Kite report noted that automotive companies neglect this area, with 71% of those companies surveyed having an 'F' rating in patch management and applying software updates. Additionally, employees who use personal devices for work often overlook applying updates to their phones and tablets, which creates additional vulnerabilities.
Start by creating a patch management program where your IT department follows a process and checklist to ensure all updates and patches are applied in a timely manner. Additionally, send out reminder communications to employees about major software updates when they’re released, to make sure they apply those updates to their personal devices.
Recovering from cyber attacks takes time and money away from your core missions: serving your customers and generating revenue. By being proactive, your car dealership can reduce the risk of cyber attacks.