When cyber thieves breached Volvo Car’s security in early December 2021 to steal research and development data, it raised concerns within the automotive industry. If hackers can breach a company the size of Volvo, which has a team of computer experts protecting its system, what does it mean for much smaller automotive dealers and partners?
The answer is businesses of all sizes are under increased threats from data theft and ransomware.
Ransomware activates when an employee clicks on an infected email attachment or visits a website that installs a small piece of code on the user’s computer. That software quickly encrypts all data on the machine, making it impossible to use without paying for an antidote code to decrypt the computer.
Many ransomware viruses are written to replicate themselves onto other computers, too, until it arrives at the real prize—a company’s central data center. That’s when an infection brings a firm to a grinding halt and increases the likelihood of a big payoff to cybercriminals.
“News media has unintentionally formed the archetype of a cybercriminal as being the boogeyman for big dogs, like huge corporations or public institutions. That leads people to adopt a false belief that they are not significant enough to be a cyberattack target,” says Oliver Noble, a NordLocker cybersecurity expert.
“Popular culture has done a disservice to the realities of cybercrime as well by portraying criminals as anti-heroes and vigilantes. Therefore, auto dealers, among other small to mid-size enterprises, are often oblivious to the widespread nature of cybercrime,” he adds.
In its 2021 State of Cybersecurity in the Dealership report, CDK Global noted the average payout to ransomware thieves was $12,762 in early 2019. However, in the first quarter of 2021, the average payout exploded to $220,298. An attack on Colonial Pipeline in May crippled the firm’s ability to track fuel distribution throughout America and to invoice customers. That company paid $4.4 million to restore its data.
Ransomware successfully attacks a business every 11 seconds. Thieves also try to gain access to login credentials through various phishing schemes and malware that entices people to enter usernames and passwords, thus giving hackers remote access to a system, says Anu Roberts, product marketing director at CDK Global.
“Network and Internet connectivity are the backbone of any dealership. These critical systems and pipelines must be secure for you to do business and to satisfy customers daily,” she explains.
“Some dealers believe security isn’t important because it doesn’t generate revenue. That is, at best, outdated thinking,” she adds. “While it may be true that cybersecurity isn’t a money maker, there are many successful dealers who would agree if their computer systems aren’t secure, then everything else will fall apart.”
Impact on Reputation
Automotive industry firms are the eighth most likely target of cybercriminals, Noble explains, adding that over 85% of auto dealers have already experienced some type of cybersecurity incident. That’s understandable considering dealerships store a wealth of valuable information.
“Dealers could be enticing to cyber racketeers because of the sensitive client information they handle on a day-to-day basis, such as driver’s licenses and credit scores,” says Noble. “In a systems breach, such data could be held as substantial leverage by the perpetrators, in turn making a ransom payout more likely.”
While a computer attack is certainly inconvenient for a business because of an average downtime of 16 days in a ransomware situation, Roberts says the biggest threat is to a dealer’s reputation.
“We learned 84% of consumers say they are unlikely to buy another vehicle from a dealer if their data has been compromised,” she explains.
Once hackers gain access to personal information, many times customers will need to change usernames and passwords and replace credit cards at a minimum. If data breach includes their email address or phone number, consumers may get bombarded with spam and text messages phishing for ways to access even more information.
If hackers steal a Social Security or driver’s license number, customers must contend with even greater inconvenience from threats of identity theft for years to come.
While many auto dealers acknowledge cybersecurity is a threat, less than half of them have any contingency plans in place to defend against an attack when it occurs, Roberts notes. However, 79% of surveyed dealers say security is much more important to their dealership than one year ago, and 51% of dealers say their dealership budget for cybersecurity will increase in the next 12 months.
Improving security doesn’t have to be a super-expensive budget item. The easiest and least expensive weapon against cybersecurity is to keep software systems updated and patched as soon as updates are released.
Patches work to correct known vulnerabilities in software, the same weaknesses being exploited by criminals. Contrary to popular belief, most hackers aren’t the smartest kids on the block. They are opportunists who exploit problems uncovered by others rather than researching new ways to hack a system.
The report noted that 63% of hackers look for unpatched devices and out-of-date software because of their known vulnerabilities.
Yet, simply backing up company data regularly—daily at a minimum—ensures that when an attack occurs, the system may be restored with the loss of a day’s productivity.
“There is not a one-size-fits-all approach to cybersecurity because companies have different computer systems operating multiple software programs,” says Roberts. “Auto dealers need a layered approach to take care of known problems, but also to put protections in place to defend against unknown issues.”
Since nearly 90% of cyberattacks begin as phishing expeditions targeted toward an employee, Roberts says training staff to identify suspicious emails and avoid clicking on fraudulent links to infected attachments is one of the first places to mount an offense against cyberattacks.
This involves training staff to look for clues that a message came from an untrusted source. In-person training or an online class can shows employees the methods used to entice people to click on links. It also shows how to determine if a website is secure and demonstrates how to detect links that look authentic but redirect people to fraudulent sites.
Noble offers several suggestions on what an effective cybersecurity program should include, such as:
- Encrypt sensitive files stored on the firm’s computer and in the cloud. There are easy-to-use file encryption tools that turn information into uncrackable codes that even skilled hackers can’t read without permission.
- Store files in an encrypted cloud rather than a dealership server. Most times, an end-to-end encrypted cloud is the ultimate security tool. It protects data from malware and provides a backup in case of data loss or if they infect a system with ransomware.
- Password security should not be underestimated. Use a password manager to generate unique and hard-to-crack passwords which are stored in a safe vault.
- Use multi-factor authentication where possible for an extra layer of protection.
- To protect an entire company network, use a virtual private network (VPN).
“Adopting a zero-trust network access (ZTNA) security model is your best bet,” says Noble. “ZTNA is based on the principle of ‘trust none, verify all.’ Instead of granting unlimited access to company resources, a zero-trust security approach provides access on a case-by-case basis, denying admission to access resources to anyone without the right credentials.”
Once staff is trained, set up a system to monitor computer networks and detect attacks before they can cause damage. Doing so may require the help of a trusted partner with expertise to monitor activity and respond immediately to threats, says Roberts.
“Security threats evolve every day. So, having a plan using a layered approach that is unique to your business’ equipment, software and needs, really helps mitigate small problems before they can become a disaster for a dealership,” she adds.
When an employee makes a mistake and accidentally triggers a cyberattack by clicking on a link or opening a file, having a healthy company culture provides an extra layer of protection. “A healthy company culture that promotes openness instead of secrecy will ensure a quick response if an attack happens,” Noble explains.
Employees need to feel comfortable picking up the phone as soon as they recognize their mistake. To delay reporting a problem gives hackers time to lock down a business’ computer network.
“The unfortunate reality of ransomware is that, for many companies, it is cheaper to pay the ransom rather than suffer mounting losses from a business standstill and dealing with the aftermath of a leak,” says Noble.
“It’s no longer if, but when, an attack will occur. Leaving your dealership’s computers accessible from your guest network is like an open invitation,” says Roberts. “It can feel overwhelming because there is no silver bullet that works against all threats.”