Cyber Attacks: 9 Takeaways to Keep Your Dealership Safe

Cyber Attacks: 9 Takeaways to Keep Your Dealership Safe

,

Think you’re safe from cyber attacks? Think again. During our recent webinar, How to be Cyber Secure, panelist Mary Harrington admitted that even she has gotten close to falling for phishing scams—i.e. messages that attempt to obtain sensitive information from the viewer through deception. Here’s what Mary told our audience:

“I actually had one hit me today. It looked really official, except for the fact that they spelled ‘Georgia’ with two o’s, so I knew it was nothing I needed to worry about.” 


Mary’s brush with a cybercriminal stands out for a couple reasons. For one, it proves that everyone—including a cybersecurity expert, on the very day she’s presenting about the topic—needs to remain vigilant when communicating online. Second, Mary’s story illustrates that despite the apparent sophistication of an attack, the smallest details betray its true nature. Although we think of hackers as tech wizards, most attacks still occur via email—and often fall apart because of a brainless typo.

Of course, it takes more than an aptitude for spelling to keep your organization’s data secure. Over the course of an hour, Mary and fellow cybersecurity expert Jeff Ziplow shared tons of insight about what makes dealerships prime targets for cyber attacks, how attackers target dealerships, how the consequences can affect those dealerships’ employees and customers, and what each of us needs to do to fight against this escalating threat.

If you missed the webinar, or if you’d like to review what we discussed, here are 9 takeaways and pieces of advice from our presenters:

1. Most dealerships have experienced a cyber attack.

Based on the results of a poll we conducted at the outset of the webinar, dealerships are prime targets for hackers. Roughly 60% of our audience reported that they had experienced a cyber attack.

“If we included in phishing and spear phishing attacks, I suspect the numbers would be much higher,” Jeff added. “Everyone’s being attacked in some way, shape, or form right now.”

2. You may not know you’re under attack until it’s too late.

Because phishing attempts look like ordinary business transactions, explained Jeff, we need to train ourselves to question every finance-related message we send and receive:

“There’s a dialogue that actually goes back and forth between the attacker or hacker and someone within the dealership of processing a wire transfer. 
We had a situation within our office: there were 5 or 6 emails that were going back and forth, back and forth. And at the end of the day, it didn’t sound right. The wording in the email didn’t make sense. Certainly, we caught it, but this was a time it was caught. There are many instances where wire transfers are not caught at all.”

He underscored what’s at stake when Finance and Insurance staff take emails for granted:

“There have been a couple situations where an F&I manager clicked an email attachment and didn’t know or realize they had actually downloaded what’s known as a keylogger. This keylogger tracked all the manager’s keystrokes, packaged up this information, and sent it out to the person who initiated this attack. Ultimately, the hacker was able to get enough information to extract credit report information or credit information from 200 customers. It cost the dealer more than $150,000—and that’s just from this one incident.”

3. Online and off, your dealership may be inadvertently exposing sensitive data to those who know where to look.

Jeff told our audience that it’s important to secure not only electronic forms of sensitive information, but hard copies as well. First, however, he said it’s important to “understand what information you really have”:

“You have customer data, which includes names, addresses, emails. That typically includes a driver’s license, Social Security number, credit card—all associated with a customer. You also have personnel data, so W-2 information, employee Social Security numbers. And then, we have the business’s or the dealership’s financial data: banking information, ACH information. All of this does need to be protected, and I don’t believe that everyone fully appreciates how we’re protecting it.

“I was in a dealership the other day. An employee was doing an application for a credit card. And they were filling out the form and they handed back the copy that belongs to the customer and the customer said, ‘Oh, I don’t need this. You can just get rid of it for me.’ Well, what this guy did was take form and put it in an unsecured trash bin. And so, anyone who wants to do any type of dumpster diving may be able to get that information.”

4. Hackers are frequently after more than a quick buck.

“Attackers are not always after just money,” said Mary. “Sometimes, they’re after information. We’ve heard stories or HR folks being hit. The owner of the dealership purportedly sends a message to the HR folks saying, ‘Hey, we need all of our W-2s to be sent to an audit at our accounting firm.’ Well, they’ve been hacked, and so off you go with the entire staff’s W-2 forms. 

5. Attacks have grown more sophisticated—and targeted.

“Think about how much information you have about your principals, your executives, and even your teammates online,” said Mary. “Think about LinkedIn. These bad actors will infiltrate LinkedIn profiles, match it up to a Google search on a name, and then go to the dealership’s website, look at pictures, email addresses, contact information—all of those sources together. 
I challenge everyone to do a Google search on yourself to find out how much really pops up, because that’s exactly what folks are doing to make spear phishing that much more believable, that much more real.”

She shared a story about an attacker disguising themselves as a member of a local athletic booster organization in which a principal executive was involved:

“They were reaching out on behalf of XYZ organization. They’ve done their homework. And that’s where we are all vulnerable. It’s easy to dismiss some of these things, but know that it’s just like check fraud, where they’re still going to go to the path of least resistance. It’s not always in the highest IT levels that they’re going to hit us; it’s in those very rudimentary areas where we are oversharing as a society.”

6. Don’t assume that your vendors have their vulnerabilities under control.

Jeff commented on the fact that many dealerships take advantage of software as a service and use dealer management and CRM systems in the cloud. These dealerships, he told us, “have a tendency to make the assumptions that “well, we’re using a vendor in the cloud and we really don’t have to worry about it—it’s their problem.’”

“I think you need to worry about it,” he said. “I think you need to understand if that cloud vendor is secure, and I think you also need to ask yourself some questions: If there is or if they do have a breach, who’s responsible? Is it you, the organization or the dealership that’s using their system, or is it the service provider themselves? Who’s going to be paying the fines? Who’s going to be paying for the identity theft protection, assuming that you have to pay for it? Who’s going to report it to state and federal authorities that require it? And I do believe those are questions that we should be asking those vendors who are supporting our key systems.”

7. Organizational culture plays a major role in data protection.

One key point in any good cybersecurity strategy is communication. Starting with your dealership’s tone from the top—down through mid-level and operation-level employees—every member of your organization needs to take cybersecurity seriously.

“Many dealerships have long-standing, very closely held cultures,” said Mary. “And if there’s not a culture in which you can ask questions, or where the entry-level folks at the front of the dealership don’t feel like they can raise their hand as you go up the executive chain, that’s where you really find you’ve got the most challenges. This is a shared responsibility. Every single individual you employ at the dealership is a possible target, and if they have any kind of online access whatsoever, they can be hacked and they can be tricked into clicking on a link.”

She added: “It really gets back to employees not knowing, not recognizing, and not being comfortable, necessarily, questioning when something doesn’t seem right.”

8. Small steps are (much) better than no steps at all.

Mary acknowledged that although many dealerships have limited resources, “to the extent that you have any discretionary ability to beef up those security strategies, I think your return on that investment would be incredible.”

“Think about any internet-connected device,” she said. “Be very vigilant about any of your financial dealings, and limit any machines that have financial implications in your organization to an intranet, or only allow certain sites to be accessed by those machine.”

9. The best approach is a multi-layered approach.

“One of the things I recommend to many of our clients is having multiple layers,” said Jeff. “If you have antivirus on desktop computers, maybe you have a different type of antivirus software on your servers and then, going one step further, maybe you having a different type of antivirus software on your firewall.

Mary agreed about the power of a multi-layered approach:

“It’s just a game that we’re all playing. With antivirus as an example, for every type of solution that’s out there, it seems like the bad actors stay one step ahead. So, varying that coverage is really important. It all gets back to having that formal strategy—something that you have to answer to—and formally documenting the strategy.”

Learn More About Improving Your Dealership’s Cybersecurity Policies and Training

When it comes to cybersecurity, policies and training set the expectations within your employee population. We’re not talking about watching a 5-minute video during onboarding and then never thinking of it again. To protect their most valuable data, dealerships need to pay close attention to their cybersecurity programs, communicate expectations to employees, and implement their strategies in day-to-day activities.

To improve your cybersecurity program today—and to see how Compli can empower your dealership’s cybersecurity communication and policies—download our Cyber Security Initiative Rollout Plan.

Toby Graham

Toby manages the marketing communications team here at Compli. She's on a quest to help people tell clear, fun stories that their audience can relate to. She's a HUGE sugar junkie...and usually starts wandering the halls looking for cookies around 3pm daily.

→ Toby Graham

Related Posts




Phone: 866.356.1735
Support: 877.522.4276
Menu
Customer Login

Send this to friend