Cybersecurity for Car Dealers: Indifference Is Not a Strategy

With cyber-attacks on the rise, it is hard to go a day without hearing or reading about a massive breach or incident. What the news outlets don’t show you is the impact these cyber-attackers are having on the small to medium-sized businesses right here in our own community. Car dealerships are certainly not immune from these cyber-attacks. Because they typically have all the same sensitive data that you would expect to find at a bank, but typically with far less scrutiny and weaker security controls, car dealerships are excellent targets for attackers.

Banks and other financial institutions have long been regulated and are required to have regular IT audits, network security penetration tests and more. Car dealers on the other hand are not as closely regulated when it comes to information security matters. Car dealers, however, are required to comply with consumer information safeguards, such as the Gramm-Leach-Bliley Act (GLBA). This requires companies defined under the law as “financial institutions” to ensure the security, privacy and confidentiality of this type of information. Don’t think you are a “financial institution”? Consider this definition from the GLBA, “The Rule applies to all businesses, regardless of size, that are ‘significantly engaged’ in providing financial products or services.” Not complying with these rules can lead to major sanctions and fines.

It is incumbent upon car dealerships to have, among other practices, a written information security plan that describes their information security program to protect customer information. As part of this plan, car dealers also must:

• designate one or more employees to coordinate an information security program;
• identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
• design and implement a safeguards program, and regularly monitor and test it;
• select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information; and
• evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

Schneider Downs has worked with many car dealerships in assessing their information security posture through network security consulting and penetration tests. We often find common issues that allow us to use our ethical hacking methods to breach their protections. Here are a few of these common issues that we would suggest paying attention to at your organization:

• Inadequate passwords and password management. – We know, passwords are a pain. But the reality is, when it comes to security, passwords are often the only thing standing between your organization and a breach. We have had great success guessing and cracking passwords as part of our ethical hacking engagements that have led to compromises of the most sensitive systems (F&I, CRM, ERP, etc.).
• Using email to store and transmit sensitive documents. – We’ve come to learn that people are pack rats, and email allows them to become digital pack rats. Combine that truth with the common practice of sales and finance personnel who ask for customers to send them their social security card, W2, driver’s license, credit card, bank statements and more, all via email. At this point, the hacker doesn’t even need to hack into your network, all they need to do is breach an employee’s email.
• Highly susceptible to phishing. – Most organizations we’ve worked with have also been highly susceptible to various types of phishing attacks. Personnel training and technical controls to combat phishing emails have been inadequate in most cases. Usually, all it takes is one person to fall for a phishing attack, and then that point of access is used as a pivot point to launch a much wider breach.
• Lacking patch management discipline. – After an initial successful phishing attack occurs, attackers typically leverage stolen credentials and exploit vulnerabilities in systems due to missing patches. Patching systems takes regular discipline to stay on top of the latest news and updates from vendor sources, discipline that we’ve found to be lacking quite broadly at many dealerships.