Although most auto dealerships have robust security systems and processes in place to protect their inventory of cars and parts (and money), many auto dealerships are inept in their cybersecurity. Generally, the absence of cybersecurity is from a lack of knowledge of the threat and ramifications of a cyber-attack. Many General Managers feel their dealerships are too small to be targeted by a hacker or they think if they ignore it long enough, the problem will never arise.
Unfortunately, 2016 saw 71% of SMB suffered a cyber-attack, which was up from just 29% a year prior! (Solar Winds survey) Secondly, the cost of a cyber-attack can run $20,000 to millions of dollars.
Because auto dealerships do not understand the risks of a cyber-attack, they unintentionally increase their exposure by making three preventable mistakes.
Top 3 Auto Dealership Cybersecurity Mistakes
- Unsecure Wi-Fi – Nearly every auto dealership today offers free Wi-Fi to customers, whether waiting for their vehicle to be serviced or trying to entertain kids while purchasing a new vehicle. Providing Wi-Fi to customers is great for customer service and we’re not suggesting you shut it off. Instead, move all non-employee access to a secondary connection, which includes employees’ personal devices. Your primary Wi-Fi for company-owned devices should be hidden and require a password to connect.
The secondary connection makes your dealership more resilient in case your primary line is out, because many DMS (Dealer Management Software) systems are cloud-based these days and you still need to run credit cards, which requires a real-time transaction. You can also use your secondary internet to push backups offsite more frequently to reduce your potential data loss if something happens to your server. (For more info about data recovery, read How Much Does Data Recovery Cost?)
- Unsecure Workstations – Just like your Wi-Fi, every company workstation, mobile device, and server should require a login. If you’re a BYOD company and employees can access your DMS from their smartphones, require them to use a passcode. It makes your data significantly more secure and it is free to implement. Our best practice is to require users to log into the DMS each time they log into a workstation (meaning their username and password is not stored on the device).
You can further secure your data by encrypting your hard drives and using Two-Factor Authentication for your logins.
- Spam Email & Websites – Many salespeople at auto dealerships surf the web when they are bored and sometimes they go to unsafe websites. We suggest all auto dealerships employ some type of web filtering, not just because some websites are inappropriate for work, but many adult websites are full of computer viruses that can lock up your entire network.
You can further fortify your network by adding Advanced Threat Detection (ATD) to your email for just $2-3 a month per user. ATD scans all email attachments and links to make sure they are safe, and if they are not safe then the email never hits your user’s inbox, meaning the user has no chance to inadvertently open a virus or click a malicious link.
Another thing you can do is train your team about malicious emails including phishing emails that prompt users to click links, reply with sensitive information, or impersonate the CEO to get employees to wire money. A great way to train employees is to utilize phishing email simulations that report who responded to the emails and still need further training to increase their understanding and awareness. The reporting also shows you how well your training efforts are working.
Additionally, old equipment can provide hackers an easy entry point into your network because old computers and servers cannot be updated and their security risks remain exposed. For example, many recent attacks have specifically targeted Windows XP computers. Furthermore, old computers are also slow which impacts your company’s productivity, they are more prone to unexpectedly fail, harder to repair with less access to parts, and they’re out of warranty so you get a surprise bill anytime something fails. We suggest having a strong Life Cycle Management program at auto dealerships to ensure all equipment is running at optimal levels, protected by a warranty, and less likely to fail.
Because auto dealerships take credit cards (and deal with a lot of finances), they need to be PCI compliant. PCI was established to ensure merchants are protecting credit card users’ sensitive information, so many of our cybersecurity recommendations also help your auto dealership become PCI compliant. If you’re not PCI compliant, your credit card processor can charge an extra percentage for every transaction and penalize the dealership. While some penalties are currently only $20 a month and less than 1% per transaction, that is expected to change very soon and cost upwards of $500,000!
A good IT firm can help you secure your network, put in best practices to fortify your network to minimize your risk of a cyber-attack, and to become PCI compliant.