Dealer Insights - September-October 2015 - Is Your Dealership Vulnerable to Cybercrime?
Cybercrime has become an ever-growing threat to U.S. businesses, with recent news headlines trumpeting a long list of major corporations that have been victimized by high-profile attacks.
Dealerships aren't immune to the risk of cybercrime — in fact, you're a prime target. Why? Because your network holds a vast amount of personal data, thanks to the growing use of e-contracting, paperless deal jackets and customer relationship management software. All of this and more make it critical to take steps that will help protect your dealership and its customers from the potentially devastating effects of a cyberattack.
Looking for a sweet spot
Unfortunately, many dealers think that hackers are more focused on the networks of large Fortune 500 companies than those of smaller businesses. But this isn't the case. Many of today's cybercrimes originate from highly sophisticated overseas criminals looking specifically for small to midsize U.S. businesses in the cybercrime "sweet spot." These are companies — including dealerships — big enough to have significant bank accounts, but often not sophisticated enough to deploy the most current network defenses.
In other cases, the cyberattacks aren't targeted at any specific size of company or industry. Instead, they're random attempts (phishing emails, for example) to get employees to click on attachments or links that will download malware or compromise sensitive customer and corporate data in some other way.
Although the hacking of customers' credit card information gets most of the headlines, there has been a marked increase in the theft of sensitive and confidential noncard data. This includes employees' internal network and online banking login credentials; confidential corporate communications; and various other types of records with sensitive customer information, such as Social Security, bank account and driver's license numbers.
For instance, cyberthieves may launch Man-in-the-Browser (also known as MitB) attacks that infect a dealership's computers with malware used to capture employees' online banking login credentials. The thieves then use this information to steal money from the dealership's bank accounts.
Pinpointing your vulnerability
For any type of organization, the first step in guarding against a cyberattack is to figure out where the operation is the most vulnerable. For dealerships, the greatest vulnerability typically lies in your customers' sensitive personal information.
Next, determine the biggest specific threats to your dealership and what you can do to minimize them. For example, "phishing" scams remain one of the most commonly used ways cybercriminals attack businesses, including dealerships.
In a typical phishing expedition, cyberthieves will send emails supposedly from a bank to employees stating that the dealership's bank accounts have been compromised or frozen because of fraudulent activity. Then they instruct employees to provide sensitive account information such as user names and passwords so they can supposedly resolve the problem. Once they have access to a dealership's bank accounts, thieves can initiate unauthorized wire transfers to easily steal the money therein.
You can go a long way toward reducing the threat of cybercrime at your dealership by educating employees about phishing and other similar threats. For instance, make sure your staff knows never to reply to suspicious emails with sensitive account information and never to click on links within these emails.
Taking the right steps
The National Institute of Standards and Technology offers some guidelines for defending your dealership against cybercrime and responding if attacked. For example, it recommends that you protect your most critical pieces of infrastructure first, respond appropriately to any detected cyberattack, and recover and restore any capabilities that have been impaired by a cyberattack as quickly as possible.
Here are a few additional steps you can take to help prevent a cyberattack:
- Make sure employees are using strong passwords and that they change them regularly.
- Enhance the security of your wireless network by providing a separate Wi-Fi network for customers.
- Implement and enforce strict policies on the downloading of software and use of flash drives by employees.
- Control and monitor employees' Internet usage.
In addition to these safeguards, make sure to use antivirus and antimalware software on all of your computers, and keep the software up to date.
Going on the offensive
In the current environment, dealerships can't afford to take cybersecurity lightly. Go on the offensive by discussing network security with a qualified technology consultant and strengthen your defenses now — before a hacker finds a way in.
Sidebar: The challenge of compliance
The cybercrime issue has a regulatory component. Dealerships are considered financial institutions by the Federal Trade Commission, which means they're governed by the Gramm-Leach-Bliley Act. This law contains certain preventive measures dealerships should implement to protect their customers' personal information from theft by cybercriminals. These measures are detailed in A Dealer Guide to Safeguarding Customer Information, produced by the National Automobile Dealers Association (NADA). Contact NADA for further information.
"Dealerships face very specific issues from a regulatory and compliance perspective when it comes to safeguarding the personal information they collect and store from customers," said a NADA spokesman. "Even among financial institutions, dealerships have a uniquely difficult task due to the nature of their business."