How your dealership can execute a successful cyber assessment

Synopsis

A cyber assessment is the first step in preparing for, and preventing, cyber attacks on your dealership.

In today’s uncertain economic climate, many Canadian dealerships are focusing almost all their discretionary spending on initiatives directly aligned with increasing sales. These days, running a dealership means striking a balance between heavily investing in moving more product while continuing to invest in other departments less closely linked to sales, such as IT. 

But how much investment is enough? One of the ever-present threats facing all small and medium-sized businesses — including dealerships — is cyber crime. In fact, your dealership being targeted by cyber criminals is a matter of when, not if. Investing in cyber security is analogous to property insurance against hail or flooding: it’s necessary to protect the whole enterprise. 

One of the most significant cyber attacks happened in June 2024, targeting CDK Global, a technology solutions provider for the automotive industry, and impacting more than 15,000 car dealerships. The learnings from this event underscore the importance of maintaining a robust cyber security posture.

This incident demonstrated how vulnerabilities in dealership management systems can lead to significant operational disruptions and data breaches. By staying vigilant and proactive in their cyber security efforts, dealerships can better protect sensitive information, ensure business continuity, and safeguard their reputation.    

Dealerships can become a prime target for cyber criminals due to a few factors:

  • Dealerships sit on a treasure chest of data
  • The IT and cyber security environments at dealerships are usually less mature than those in other industries and sectors
  • Employees and staff haven’t been trained on cyber risks in most dealerships
  • The dealership sector is far less regulated around IT and cyber security requirements compared to other industries

As a dealership leader, your balancing act requires you to invest in cyber security in a cost-efficient way. And getting the most out of your cyber security spending always starts with a current-state assessment.

What information needs protecting?

The first thing to look at in a cyber security assessment is which pieces of data and information are the most important to protect. These are the crown jewels — data that, if compromised, would bring significant financial and/or reputational harm to your dealership.

Many well-intentioned dealership owners assume they should protect everything. But putting the most stringent safeguards equally around all your data is too expensive and time-consuming to be feasible. Cost-efficient cyber security requires you to focus on the crown jewels.

Your clients’ financial data, especially personally identifiable information (PII) that includes names and birthdates, tops the list. Credit card numbers and insurance information being breached, published, or sold on the black market is a worst-case scenario to avoid.

Next up for top priorities is protecting employee passwords and devices. An adaptive approach to data and system protection is essential, because the impact of breaches can vary. For instance, while data regarding product prices, employee compensation, emails, inventory, and parts suppliers is crucial, the risks associated with breaches of this type of data are different. 

What are your greatest vulnerabilities?

The next step in an assessment is to look at where your dealership is most exposed — not only which types of attacks are most frequent, but which are most likely to be successful. 

Fraud

A common fraud example we see in dealerships involves an attacker faking an identity as one of your regular suppliers or contractors, then altering the payment information to redirect funds. Victims of this type of attack end up in double jeopardy — losing funds to a fraudster and becoming delinquent to their true vendor or supplier.

While this example may not be as common as an ordinary email phishing attempt, if it has a higher success rate, it can be more dangerous.

Third parties

Another large area of exposure to cyber crime is through the third parties you do business with, like your financial institutions, suppliers, or marketing agencies. Sensitive information gets passed between your dealership and your vendors; one mistake can result in your data being misplaced or downloaded incorrectly, leaving your dealership open to a breach. At the same time, a weak cyber stance at your dealership can potentially compromise your vendors’ data.

In your assessment, ensure you’re taking precautions to share data securely with third parties.

Internal staff

Your staff can be a potential source of a cyber breach. Regularly training employees on recognizing phishing attempts, safe internet practices, and the importance of strong passwords will reduce the risk of human error.

Your assessment should include a review of the internal cyber awareness training your employees go through. We will discuss this more in the next section.

Public

Members of the public are your greatest asset and likely one of your greatest threats. Dealerships are built to be open and welcoming to the public. However, some members of the public may wish to disrupt operations, be disenchanted with the brand, or simply be curious. Often, appropriate network and physical segregation of key operational technology systems within the physical dealership networks is considered only after an incident.

Dealerships need to ensure that publicly accessible network jacks, public Wi-Fi systems, and office Wi-Fi networks, systems and applications are segmented from each other.

Reputation and social media

Brand reputation refers to how a brand is perceived by the public, including customers, vested parties, and the general market. It encompasses the overall sentiment and opinions people have about a brand based on their experiences, interactions, and the brand's actions and communications. Google reviews of the dealership, disgruntled customers, and competitors who are always looking for the upper hand all play a part.

As threats become more targeted and sophisticated, it’s imperative to prepare and monitor for events and alerts and integrate them into your security plan.

How you’re protecting and preparing yourself

During your assessment, review the tools, systems, and processes you’re already using to protect yourself. Is there a gap between where you are and where you need to be? Additionally, dealerships need to ensure their service providers — if IT is handled by third parties, managed service providers, or contractors — are aware of modern threats and have the capacity and skills for implementing security safeguards.

Insurance

As a dealership owner, you understand the importance of insurance better than almost anyone. The typical business insurance plan would protect your dealership from floods, hail, theft, and other common threats. But does it include provisions for cyber security?

Some dealerships are insured against cyber threats, others aren’t. If you haven’t recently looked at your policy for cyber coverage, your assessment presents the perfect time to do so.

Cyber awareness training

The most cost-efficient cyber security investment you can make is simply making sure your staff, at all levels, know the following fundamentals:

  • Understand what constitutes a strong password, and then use it
  • Recognize email phishing attempts
  • Secure your hardware, like company laptops and phones
  • Avoid downloading company data onto personal devices
  • Use secure Wi-Fi
  • Detect and prevent various types of fraud

It is rare for rogue employees to be the source of a breach at dealerships; a breach is much more likely to result from untrained or careless employees. Therefore, a little training goes a very long way.

Incident response plan

Your assessment should include reviewing, or creating, a response plan.

If you are the victim of a cyber incident, a crisis response plan can be the difference between minimal damage and worst-case scenarios. Your plan should include a step-by-step outline on how to react to a cyber incident: how to shut down devices, contact external counsel, and keep damage to a minimum.

Technology

Good technology is important, but it’s more important to have it in the right hands.

Part of your assessment should be to make sure you have the right cyber security tools for your dealership. That doesn’t always mean the most expensive or sophisticated — you can save money by having the appropriate software for your needs, and the right staff and processes behind it. 

In many cases, a managed security service provider may be the answer to implementing the appropriate technology and having access to the right skills. 

Connect with us to get started 

Our team of dedicated professionals can help you determine which options are best for you and how adopting these kinds of solutions could transform the way your organization works.

For more information, and for extra support along the way, contact our Managed IT Services team. 
