Cybersecurity and Your Dealership
Mar 14, 2017
Cybersecurity and Your Dealership
Cybersecurity is a well-known risk to your dealership. The fact that someone can enter into your IT systems or any other connected devices (i.e. security cameras, DMS, HVAC systems, diagnostic equipment, etc.) and access your digital marketplace and disrupt your operations or collect information is not a new idea.
Well-known companies like Target, Yahoo and State and Federal governments have been victims of cyber-attacks. While retail automotive has not yet hit mainstream media headlines for cybersecurity attacks, your dealership contains a wealth of information that makes it a solid target for those trying to attack daily operations or collect sensitive customer data through a cyber attack.
Any organization that stores information digitally or uses some form of electronic equipment as simple as a smart phone is prone to a cyber attack. What makes an attractive target is the nature of the information and how easily it can be acquired. Below are some examples of such information that dealerships would collect:
- Automobile dealerships receive personal data about their customers at the time of their purchase. It is common practice to collect and update data periodically. This information includes Social Security numbers, annual income details, make, model and license plate information, etc.
- In this day and age, dealerships obtain credit card information or bank account numbers of the customers who make electronic payments.
Risk to Operations
- Much of the software used by dealerships is cloud-based. The software contains important business intelligence on vehicle sales and service, prospects and current customer information, etc. which could expose those people and companies should an unwanted party get their hands on it.
- Ransomware attacks can prevent access to a company’s information systems. Imagine being in the middle of a transaction and suddenly the systems are being controlled by a remote computer. Unless a required sum of money is paid, access to systems will not be granted.
- With the evolution of autonomous vehicles, the thought that a hacker can intrude and gain control and start navigating is a very unsettling thought.
What can be done?
Cybersecurity is an ongoing risk and needs to be managed. There are a number of measures that retail automotive can take to mitigate this risk:
- Educate and train your employees and customers. Just as sound business practices exist, reinforce how you store data and how to keep it secure through complex passwords to your systems.
- Just as you have fire drills, conduct a “cyber drill”. Have ethical hackers conduct phishing email tests and see which of your customers and employees fall prey. Then use the results of the tests to educate your personnel.
- Conduct external penetration tests of your systems and devices.
- Perform a risk-based analysis of your IT systems and identify all critical information. Determine the extent of security and testing required for each of these systems so that there is more focus on the most vulnerable systems.
- Have a written action plan to address an attack in progress or post-attack in place with roles and responsibilities of management, similar to your disaster recovery and business succession plans. Dealerships not only need to invest in resuming their operations and controlling damage to their reputations, they may also have legal costs of any lawsuits that may follow. Talk to your insurers and learn exactly what risk-based scenarios (i.e. events) are covered.
Ask Our Experts
To ensure compliance with U.S. Treasury rules, unless expressly stated otherwise, any U.S. tax advice contained in this communication is not intended or written to be used, and cannot be used, by the recipient for the purpose of avoiding penalties that may be imposed under the Internal Revenue Code.