Three Critical Cyber Security Steps for Auto Dealerships

Don Lander, Director of Advisory Services, OCD Tech

26 July 2022

Cybersecurity and automobile dealerships

Anyone working in the car dealership business knows that your employees are crucial to the success of your dealership. You also understand how important regular maintenance is for automobiles. Just as important, if not more important, is your Cyber Security strength.

Three critical Cyber Security steps that every automobile dealer should take are:

  1. Educate your employees about Cyber Security
  2. Maintain your technical infrastructure
  3. Regularly repeat steps one and two

Employees are arguably the most valuable asset of any automobile dealership. Without employees, you don’t have anyone to sell, finance, or service automobiles or keep the operations running smoothly. Your employees have access to customers’ personal information, which is needed to perform the job effectively.

Any good dealership spends time training its employees to perform the individual roles that make the dealership successful. How much of that time is spent on Cyber Security?

Your employees have the keys to the kingdom. Would you trust just anyone to have these keys? Imagine if an employee were to inadvertently give these keys to a bad actor. If a bad actor had access to your entire network, what could they do? Wire money to their account? Sell your clients’ personal information on the dark web? These are very real threats and happen all the time. You need to take steps to protect your kingdom.

Well, if you aren’t properly training your employees about Cyber Security, the risk of exposing your kingdom to nefarious actors greatly increases. Employee Cyber Security knowledge is critical to protecting the kingdom, and even basic training and awareness review helps considerably.

It starts with a Written Information Security Program (WISP), which is a document that outlines your Information Security process. A WISP will help you identify and resolve vulnerabilities that you might not have known existed. It is better that you find these issues yourself than have a bad actor find them. In the state of Massachusetts, any company that handles customers’ personal information must have a WISP. Once implemented, all employees are required to review the company’s WISP document on an annual basis.

An annual review of the company’s WISP document is only a beginning. You should also conduct regular simulated phishing campaigns. A phishing email is a message sent by a bad actor trying to get your employees to reveal personal information or click on a link that will allow the bad actor access to your infrastructure. Once a bad actor has access to your infrastructure, they can shut your dealership down, send money to an offshore bank account or hold your business hostage for a ransom demand (via digital currency such as Bitcoin).

There are several low-cost phishing options available that will reinforce the training from the WISP and help employees learn how to recognize a phishing email. Some phishing email programs will provide feedback to the employee as well as the employer. Constant training and feedback are crucial for this step of your Cyber Security program.

Maintenance of your technical infrastructure is the second, and equally important, step. Staying diligent with batch upgrades and software patches, as well as scanning your environment internally and externally, are things that your technical support group should be doing on a regular basis. Requesting a third-party challenge of the infrastructure can confirm the strength of the network and identify any changes to be implemented.

If your response is “I have an IT person to handle Cyber Security,” you are doing yourself a huge disservice. Do you know exactly what your IT person does? Do they do regular patching? Do they change default passwords on servers, routers, etc.? When was the last time you had an internal and external vulnerability scan of your network? Can people on your public Wi-Fi access customer information?

These are just a few things that a regular vulnerability scan of your network can find. In addition to a vulnerability scan, you should also consider penetration testing (aka pen test). A pen test is an exercise that attempts to gain access to your network. Pen testers at OCD Tech are more likely than not to gain access to your environment. Would you rather that a friendly OCD Tech employee gain access to your network (with follow-up suggestions for closing the access) or would you rather not know until it is too late?

Cyber Security must be part of your business operations. It is as important as sales, finance, maintenance and office support operations. I would argue that Cyber Security is the most important piece of your operational functions.

We are living in the digital world now, and you need to take steps to protect your kingdom just as you do physically by locking the doors and windows. The big difference between the physical and digital environment is that the digital environment is constantly changing and getting more resilient. Take Cyber Security very seriously and protect your kingdom.
