Car dealerships that hold personal and financial data of hundreds of thousands of customers are highly vulnerable to various forms of cyber threats because of the lack of processes in place to secure customer data or to respond to cyber security incidents.
Earlier this year, the 2018 Dealership Cybersecurity Study carried out by automotive technology solutions provider CDK Global found that as many of 85 percent of car dealerships globally were victims of cyber security incidents in the past two years even though two-thirds of them were confident about their organisations' cyber resilience.
Even though 70 percent of car dealerships said that they invested in cyber security solutions, the survey found that a majority of dealerships had various loopholes in their cyber security protocols and practices that exposed them to various forms of cyber threats.
According to the study, while 73 percent of dealerships did not utilize Security Information Event Management (SIEM), 66 percent did not conduct a formal risk assessment to identify internal and external cyber risks, 65 percent did not conduct regular tests for security systems and processes, and 63 percent did not have a formal process to respond to security incidents or data breaches.
On the other hand, while all car dealerships invested in firewalls, 86.5 percent of them invested in antivirus solutions, 75.7 percent invested in email scanning and filtering solutions, and 70.3 percent invested in automated patching of their systems and applications.
Car dealerships lack 360-degree cyber security protection due to over-reliance on perimeter security
The high proportion of investments made in firewalls and antivirus solutions indicates an over-reliance in perimeter security solutions to keep IT systems secure. The lack of investment in SIEM platforms, not carrying out regular tests of security systems, or not keeping network activity logs to monitor unauthorised access could allow hackers to infiltrate networs and exfiltrate data without being detected.
Writing for Wards Auto, Christopher Arkin, senior director-investigations and compliance at security firm Guidepost Solutions, said that suffering a cyber attack can jeopardize a car dealership's reputation and can drive away customers considering that 84 percent of customers told a survey that they would not buy another car from a dealership that experienced a data security breach.
He added that in order to prevent cyber security incidents from occurring, car dealerships must conduct periodic security awareness training for all personnel, perform a comprehensive Threat Vulnerability Risk Assessment (TVRA) to identify and quantify cyber threats, develop a management playbook to cover reported incidents and how to properly address them, and create a prioritized list of risks (based on the TVRA approach) and associate those risks with adequate risk-mitigation controls.
He added that if car dealerships intend to out-source cyber security to cyber security companies, they should consider firms with automotive-industry expertise and should hire only those firms that focus on cyber security assessments and planning rather than those who push their customers to buy more cyber security products.