OFFICIAL PUBLICATION OF THE NEW JERSEY COALITION OF AUTOMOTIVE RETAILERS

Pub. 22 2023 Issue 5

Cybersecurity: Do You Know How to Lock Up Your Dealership?

In today’s digital age, every business needs to utilize the latest technology to stay at the forefront of its industry. For auto dealerships, that need is just as prominent. With worldwide advances like artificial intelligence (AI) and other developments such as electronic titling, the need for dealerships to stay intertwined with technology keeps growing. As a result, dealerships MUST focus on cybersecurity. To mitigate the risk a cyber breach could pose to a dealership’s finances and reputation, dealerships must understand what exposures they have and what steps they can take to reduce those risks. The first step any business must take is to analyze its cyber risk in the same way it would analyze its physical security systems and the protections put in place. Dealers need to break down their cyber systems to find what needs to be protected.

Dealerships also need to understand what avenues of attack a cybercriminal may take (i.e., phishing emails, ransomware, bad actors, etc.). The results of cyber incidents can be devastating to any business, with dealerships requiring as much as 16 days (on average) to recover from ransomware attacks. With all these potential digital threats, protecting a dealership’s network may seem like a daunting task. However, with the appropriate steps, even the smallest vulnerability can be addressed. Training for users, multi-factor authentication, and data encryption protocols are a few options to prevent potential cyberattacks. In the event of a successful attack, an incident response plan and a comprehensive cyber-insurance policy can also help get the dealership back on its feet.

In addition to what dealerships SHOULD do to protect themselves, there are also a few items they are REQUIRED to do to ensure compliance with regulations. The FTC Safeguards Rule, revised in 2022, has various requirements, including performing periodic risk assessments; regularly testing or monitoring effectiveness of safeguards; overseeing service providers; and evaluating and adjusting the dealership’s information security program in response to the results of testing and monitoring. These regulations provide an understandable starting point for dealerships to safeguard both their customers’ private information and their own secure data. By conducting regular system penetration testing and vulnerability scans, dealerships are given the opportunity to shore up their cyber defenses before an incident occurs.

Even with a comprehensive security plan in place and properly executed, dealers must realize that not all protective measures are foolproof. Because of how fast technology is evolving, safety precautions to protect against potential threats will always be lagging behind. No matter how much you train your team, someone can always have a bad day. Incidents can happen at any time, and because of this, it’s imperative that dealerships obtain a cybersecurity insurance plan with the appropriate limits. You can read more about insurance coverages in the article authored by Steven Robinson found on page 26.

On top of a sturdy cybersecurity insurance policy, dealerships should also put into place a cybersecurity strategic plan. A robust cybersecurity strategic plan allows the dealership to implement an easy-to-follow game plan for their staff and develop a culture that prioritizes cybersecurity. A well-developed plan should include security policies such as access control, data encryption, backup, and retention:

  • Access control can be handled in many ways, such as following the Principle of Least Privilege, multi-factor authentication, network segmentation, and even physical security measures such as a locked door to your IT closet. Essentially, access controls should only allow an end user the minimum amount of access they need to perform their job.
  • Data encryption must be applied both while data is at rest, such as data stored on a hard drive, and while it is in transit, such as when emailing.
  • Data backups should be kept in three separate copies: the data that is being used, a physical backup, and an offsite backup.
  • Data retention should dictate how long data is held. Typically, data is held for seven years before being destroyed; however, it’s important to research the appropriate retention requirements for specific documentation.

Training programs and phishing simulations should be conducted regularly as a part of a cybersecurity strategic plan. This hardens the staff, widely considered the weakest link. Additionally, periodic vulnerability assessments should be a routine part of every plan. A white-hat hacker can provide dealerships with a way to uncover and root out any inadequacies in their systems.

Most importantly, dealerships should develop a detailed incident response plan. This document should include the roles and responsibilities of all stakeholders in the event of a breach. This provides a pathway for anyone to get the business back on its feet after an incident.

Charles Pearson is NJ CAR’s Technical Coordinator. He can be reached at (609) 883-5056 x134 or via email at cpearson@njcar.org.