Automotive Cybersecurity: Don’t Bank on Untrained “Drivers”
Would you send your newly licensed 16-year-old out to drive on the interstate without spending months teaching them safety skills and the rules of the road? I hope not! Even if their car had all of the latest safety technology – front and side airbags, auto-locking seatbelts, crash-warning sensors – and a low-deductible insurance policy, you still wouldn’t take the risk.
In other words, technology without training is completely useless. And the same is true of cybersecurity, whether you are running a local car dealership or a national automotive chain. And that matters because in the past two years, 85% of auto dealerships have reported being a victim of cybercrime. Let’s go back a step.
National Auto Dealers Association Highlights Hacking Among Auto Dealers
I recently spoke for the National Automobile Dealers Association (NADA). NADA is an American trade organization composed of nearly 16,500 franchised new car and truck dealerships. Each year, the folks at NADA gather business leaders to discuss the latest in industry innovation and shop thousands of new products and services from the industry’s top vendors and suppliers. In addition to showcasing exceptionally cool new concept cars, auto dealers are keenly aware of the rapid increase of cyberattacks targeting their privacy, profits and reputation.
This year, the NADA Show 2022 took place in the Las Vegas Convention Center. In addition to a keynote interview with Michael Strahan, the conference also featured a Distinguished Speaker Series, which had a fantastic roster of keynote speakers that included Col. Nicole Malachowski, Lt. Cdr. Jesse Iwuji, and myself. I was invited to chat about pressing automotive cybersecurity threats and solutions as they specifically relate to car dealers and the automotive industry.
Think about it – even corporate auto dealers like Toyota and Lexus aren’t immune to cyber threats. After 3.1 million pieces of consumer data were compromised in an automotive industry cyber attack that targeted Australia, Japan, Thailand and Vietnam, it was only going to be a matter of time before auto dealerships and manufacturers in the U.S. came under fire. And the industry is under attack for a very good reason.
Auto dealers handle a treasure trove of valuable customer data. And when you are as busy as dealers are with product supply chain issues, labor shortages and general entrepreneurship duties, cybersecurity can become just another item on a very long checklist. So let me give you a quick recap of the small business cybersecurity checklist I detailed during my presentation, The Art of Human Hacking: Social Engineering Self-Defense for Auto Dealers.
Automotive Cybersecurity Trending Cyber Attacks
Why are car dealerships coming under so much cyber fire? The COVID-19 pandemic accelerated a playing field that was already taking shape – the remote workforce. As the marketplace was forced into working remotely, many elements of a traditional dealership — like sensitive customer and financial data — were moved into the cloud so they could be accessed from outside the dealership. Cloud operations can be convenient, scalable and profitable. But they also open up backdoors into the dealership if cybersecurity isn’t built in from the beginning.
In essence, the auto industry has moved from a fortress model (where data is secured behind a centralized network protected by a moat, or perimeter security, like firewalls and VPN), to a widely distributed computing kingdom where data is accessed from the dealership itself as well as homes, remote offices, cafes, airports, hotels and conferences. That means that traditional defenses like anti-virus, firewalls and virtual private networks are no longer sufficient.
A second threat is the advent of supply chain attacks, where the cyber criminals hijack legitimate software that the dealer trusts and uses it to infect the entire network. SolarWinds, Casey and Loj4j are examples of this malicious attack vector. This is particularly damaging because there is no warning that the enemy has crossed the gate and is living in your systems.
But probably the most effective and pervasive form of attack is ransomware. Ransomware uses encryption to lock down every connected computer on your network, and then charges you a ransom to recover your data. When you don’t pay the ransom, the ransomware gangs leak your data and report you to the press and regulatory agencies to trigger expensive and reputation-damaging publicity.
The average cost to a dealer to regain their data is trending quickly upward. Though the average ransom payment is just over $150,000, a recent attack on Arrigo Automotive Group in West Palm Beach, Florida cost the dealerships approximately $500,000 in remediation. And that doesn’t account for reputation damage or lost revenue due to fleeing customers.
To make matters worse, the average downtime associated with an auto dealers cyber attack is 21 days long — three weeks’ worth of lost revenue as the icing on the bitter cyberattack cake. And since the Federal Trade Commission revealed there were 38,561 reported cases of identity theft related to auto loans and leases in 2019, it’s no surprise that over 80% of customers would choose to take their business elsewhere, leaving the compromised auto dealer behind.
Why Car Dealer Data is so Attractive to Hackers
- Unfortunately, but rightly so, cybercriminals view unprepared auto dealers as poorly protected financial institutions. Because of the costs involved in purchasing an automobile, dealers collect data just like a bank does, from consumer identity and credit details to loan payment and banking information, not to mention demographics, online behaviors and more. But unlike a bank, the automotive industry is not government regulated, removing one powerful incentive for dealerships to implement safeguards.
- Dealerships have a multitude of hacker entry points. Think about the variety of third-party partners and digital marketplaces with which dealers do business. Then consider the varied operating systems and software packages that finance, admin, sales and service utilize on a daily basis. Don’t forget the free guest WiFi access, the number of customers who have access to associates’ desks and the multiple locations they potentially service. Every one of those nodes is an entry point for a cybercriminal.
- And most importantly, nearly half of American dealerships don’t have adequate automotive cybersecurity solutions, or even basic small business cybersecurity solutions, to defend these entry points. Only 49% of dealerships claim to have adequate protection against cyberattacks, while another 73% have yet to undergo automotive cybersecurity testing to fine-tune their incident response plans.
Auto Dealers and Small Business Cybersecurity Checklist
If auto dealers want to prevent an auto dealer cyber attack, the answer is not to simply build a technological fortress around their sensitive data. While advanced technology can certainly deter hackers, 91% of cyber attacks rely on social engineering — when a cybercriminal uses techniques such as phishing emails to gain access into an organization.
In other words, hackers always go after the humans first, because poorly trained employees and executives tend to be the weakest link in the cybersecurity chain. But they don’t have to be.
As auto dealerships of all sizes continue to navigate an evolving cybersecurity landscape, staff and employees must be treated as integral part of cyber defenses. To refuse to do so isn’t just costly, it’s like putting an inexperienced driver behind the wheel of a potentially harmful machine. If you own or operate an auto dealership business and are unsure if your organization is doing everything it can to fulfill the framework for automotive cybersecurity best practices, take a look at this small business cybersecurity checklist I recently shared with the attendees of the NADA Show 2022:
- Does your dealership currently have cybersecurity defenses in place? Defenses include end-point protection, zero trust architecture, two-factor authentication, password managers, default deny firewalls and many other layered techniques.
- Does your dealership have around-the-clock security monitoring to detect cyber threats? It is not enough to have the equipment, you also need to attend to the alerts when they arise.
- Does your dealership understand the specific cyber risks impacting your industry, including but not limited to: malware, ransomware, supply chain attacks, brute force hacking, phishing, social engineering attacks and credential theft?
- Has your dealership contracted with an external security vendor to conduct a risk assessment in the past 12 months?
- Does your dealership periodically assess third-party partners and marketplaces to understand the risks they can pose to your business?
- Does your dealership have established policies and procedures in place to protect your business information and systems?
- Do you have a robust data backup and recovery response plan in case ransomware locks up your network?
- Has your dealership conducted an incident response test in the past 12 months to ensure all procedures are accurate and effective?
- Do your dealership employees know what to do in the event of a cyberattack or a loss of service?
- Do you provide regular, engaging Security Awareness Training for your employees, executes and 3rd-party partners?
If you answered no to any of these questions, you are well advised to resolve those issues before they take down your business like they did mine. Make a call today to a cybersecurity expert you trust deeply who will help you build a framework to your dealership needs and then educate your people to become your strongest cybersecurity defense instead of your weakest, most exploitable link.
The Best Framework for Automotive Cybersecurity Best Practices
In today’s digital age, cybersecurity for automotive dealerships is just as mission-critical as it is for large banking institutions. It’s important to treat your customer data just like customers treat the precious cargo they transport in the cars you provide. The framework that I shared at NADA 2022 is called the Blockbuster Cybersecurity Framework. It includes 9 components with corresponding questions that help you analyze, organize and communicate the cybersecurity changes you need to make.
If you are unclear of how best to deploy a non-technical framework for moving forward, or need to improve your Security Awareness Training, consider bringing me in as a board advisor or keynote speaker who will energize and illuminate your cyber efforts and your people. Once I share my two-year battle with cybercrime and how I almost went to jail for taking my eye off the ball, your team will be motivated to make the necessary changes. Send me an inquiry today to learn more.
And no matter what, don’t send your employees out on the road without training them how to be a proactive, knowledgeable part of the solution.