As they weather the storm of inflation and a possible recession, many Canadian dealerships are hesitant to focus their discretionary spending on any initiatives not directly aligned with selling vehicles. Dealership owners and managers must strike a difficult balance between focusing more resources on sales, while still investing in other departments less closely linked to sales, such as IT.
But how much is enough? Almost all small and medium-sized businesses, including dealerships, will be a target for cyber crime at some point. Cyber security is almost as necessary to protect the whole enterprise as insurance against events like flooding or hail.
The key is to be cost-efficient as you invest in cyber security. And getting an assessment is always the first step when it comes to purchasing or integrating cyber security into your dealership.
What information needs protecting
Ask yourself: which pieces of data and information are the most important to protect? These are your dealership’s “crown jewels.” If these data are accessed or exposed in a breach, it would bring significant financial and / or reputational harm to your dealership.
It’s natural, as a dealership owner, for you to assume you should just protect everything. But no dealership has the bandwidth or resources to protect all types of data equally. Cost-efficient cyber security means focusing on the crown jewels.
At the top of the list is your clients’ financial data, especially personally identifiable data that includes names and birth dates. The worst-case scenario you want to avoid is clients’ credit card numbers and insurance information being breached, published, or sold on the black market. Also among your top priorities is protecting employee passwords and physical devices.
Although they may seem important on the surface, data regarding product prices, employee compensation, inventory and parts suppliers, and emails probably will not cause substantial harm to your dealership if breached. There are easier paths to recovery with these being hacked than with the crown jewels.
What are your greatest vulnerabilities
The next step in an assessment is to figure out where your dealership is most exposed — not only which types of cyber attacks are most frequent, but which are the most likely to be successful.
Fraud
Not all forms of cyber attacks require sophisticated code that breaks firewalls. A common example we see in dealerships is fraud.
For example, an attacker fakes an identity as one of your regular suppliers or contractors, then alters the payment information to redirect funds. This type of attack puts you in double jeopardy — unknowingly sending money to a fraudster while becoming delinquent to your true vendor or supplier.
While this example may not be as frequent as an ordinary email phishing attempt, it can still be more dangerous if it has a higher success rate.
Third Parties
Third parties you do business with, including insurers, can be another large source of exposure to cyber crime. Your crown jewels often get transferred between your dealership and your vendors; and any data that are misplaced or downloaded incorrectly could leave your dealership exposed to a breach. And this phenomenon goes both ways; you can be the source of a breach to your vendors just as they can to you.
In your assessment, ensure you’re taking precautions to securely share data with third parties.
Internal staff
Your staff can also be a source of a cyber breach. Your assessment should include a review of the internal cyber awareness training you require from employees. There’s more on this in the next section.
How you’re protecting yourself
The purpose of your assessment is to look at the tools, systems, and processes you’re already using to protect yourself, and then determine the gaps between where you are and where you need to be.
Insurance
Dealership owners understand the importance of insurance better than almost anyone. Your dealership probably has insurance to protect against floods, hail, theft, and other common threats. But does your policy include provisions for cyber security?
Not all policies cover cyber threats. During your assessment is the perfect time to review your policy and look for cyber coverage.
Cyber awareness training
The most cost-efficient cyber security investment you can make is training. Make sure your staff, at all levels, understand these fundamentals:
- Knowing how to create and use strong passwords
- Recognizing email phish attempts
- Securing company hardware including phones and computers
- Not downloading company data onto personal devices
- Using secure wi-fi
- Detecting and preventing different types of fraud
It’s very uncommon for a breach at a dealership to come from rogue employees; but an employee who is untrained or careless can certainly expose your dealership to cyber threats. Thus, a little training makes a big difference.
Incident response plan
Does your dealership have a cyber incident response plan? Your assessment is the perfect time to review your current plan or create one.
A crisis response plan can be the difference between minor incidents and worst-case scenarios. It should provide a step-by-step guide for how to react to a cyber incident: how to shut down devices, contact external counsel, and keep damage to a minimum.
Technology
Good technology is important, but having it in the right hands is even more crucial.
During your assessment, ensure you have the right cyber security tools for your dealership’s needs. You don’t always need the most expensive or sophisticated technology; you can save money by having the appropriate software for your situation, and the right staff and processes behind it.
To learn more, contact:
Chris Law, Partner, MNP Digital – PH: 604.817.4852 Email: chris.law@mnp.ca
Chris Schaufele, National Leader, Dealerships – PH: 604.542.6768 Email: Chris.Schaufele@mnp.ca
Article Written By Chris Law
CHRIS LAW is a member of MNP’s Digital Services team in Vancouver. A passionate information technology and cyber security leader, Chris develops pragmatic, innovative and proven solutions for a wide range of clients in fields that include higher education, health authorities, municipalities, transportation and retail.
With an extensive technical background and more than 25 years of IT and cyber security experience, Chris brings a keen understanding of company IT infrastructure, and demonstrated excellence in identifying risk and emerging issues to his role. An adept communicator, he is an effective team leader and liaison between boards, stakeholders and various levels of management.
Chris’s areas of expertise include IT and cyber governance; strategic cyber roadmap planning; cyber risk, risk analysis and mitigation; change management and disruptive technology; network design and data centre architecture; incident response; high net worth cyber program; private cyber solutions and product integration. Chris is a sought-after speaker, cyber education instructor and lecturer. Chris earned a Bachelor of Science (BSc.) in computer science from the University of British Columbia in 1996.
