Automotive retailers operate a swathe of third-party software, from the DMS to online finance calculators, aftersales systems, part-exchange evaluation systems and CRM programmes. Service advisors and sales executives often have several windows open simultaneously, and many providers now integrate with each other to share information and reduce double entry.
With so many systems operating, the risks and vulnerabilities are inevitably greater. Robust cybersecurity processes are essential if retailers are to protect themselves and their customers as well as stay on the right side of the law.
CDK Global’s Dealership Cybersecurity Study 2018 found that 85% of respondents in an IT-related role said their dealership had experienced a cybersecurity incident in the past two years. This was despite 67% having confidence in their cybersecurity measures prior to the incident taking place.
The research identified that whilst 70% invest in cybersecurity, only 37% had a defined process to enable the fast identification of a security breach. The report found 73% did not utilise Security Information and Event Management (SIEM), 66% had not undertaken a cybersecurity risk assessment, 65% did not undertake regular tests for security systems and processes, and 63% did not have a process in place to react to a cybersecurity breach.
The high cost of security breaches
Online security breaches are a key area where businesses can find themselves falling foul of the General Data Protection Regulation (GDPR). The UK regulator, the Information Commissioner’s Office (ICO), flexed its muscles recently, fining British Airways and the US hotel group Marriott International hundreds of millions of pounds for data breaches. That should act as a cautionary tale.
One way in which dealers can help bolster their cybersecurity measures is by gaining ISO27001 accreditation, the international standard for cybersecurity. The accreditation takes into account how organisations manage data protection and how information is processed, stored and used, including employee access and training. Whilst a company with ISO27001 in place is still at risk of data breaches, it does provide a crucial safety net and is recognised by the ICO.
So, where should dealers be concentrating their energies and resources? IT-related employees questioned for the CDK Global Report identified five key areas where cybersecurity was likely to be compromised: a software virus that damages or disables computers; email phishing scams; human error; a ransomware incident; and electronic fraud.
Anti-virus and anti-malware protection
Whilst no one tool can guarantee systems won’t be hacked, anti-virus and anti-malware protection is a must. Even if you think you have that box ticked, housekeeping is essential, so make sure all employees have the latest upgrades in place.
Change passwords regularly and don’t use the same password for multiple systems including personal accounts. Hackers rely on people using the same passwords repeatedly, so avoid falling into their traps.
We all get them and we all think we’re wise to them, but it only takes one mistaken click on a phishing email and your cybersecurity is breached. According to research undertaken by US cyber protection company Cofense, more than nine out of 10 (91%) of all security breaches are a result of clicking on a phishing email. If in doubt, don’t open the email or attachments!
Training all employees on cybersecurity is imperative if breaches are to be avoided. Recognising and highlighting suspected phishing emails will drastically reduce the likelihood of an attack. However, rigorous processes also need to be in place to guard against fraudsters.
Fraudsters will ‘watch’ email traffic and send a spoof email to trick customers into paying money, such as a deposit on a car, into bogus accounts. Strict policies where employees make customers aware that bank account details will not be provided by email, for example, will help protect them against criminals.
The most important thing is to be hyper-aware and to have policies and procedures in place to prevent a cyber-attack.