Conducting a Thorough Cyber Assessment at Your Dealership


As they weather the storm of in­flation and a possible reces­sion, many Canadian dealer­ships are hesitant to focus their discretionary spending on any initia­tives not directly aligned with sell­ing vehicles. Dealership owners and managers must strike a diffi­cult balance between focusing more resources on sales, while still in­vesting in other departments less closely linked to sales, such as IT.

But how much is enough? Almost all small and medium-sized businesses, including deal­erships, will be a target for cyber crime at some point. Cyber security is almost as necessary to protect the whole enterprise as insurance against events like flooding or hail.

The key is to be cost-efficient as you in­vest in cyber security. And getting an assess­ment is always the first step when it comes to purchasing or integrating cyber security into your dealership.

What information needs protecting

Ask yourself: which pieces of data and in­formation are the most important to protect? These are your dealership’s “crown jewels.” If these data are accessed or exposed in a breach, it would bring significant financial and / or reputational harm to your dealership.


It’s natural, as a dealership owner, for you to assume you should just protect everything. But no dealership has the bandwidth or re­sources to protect all types of data equally. Cost-efficient cyber security means focusing on the crown jewels.

At the top of the list is your clients’ finan­cial data, especially personally identifiable data that includes names and birth dates. The worst-case scenario you want to avoid is cli­ents’ credit card numbers and insurance in­formation being breached, published, or sold on the black market. Also among your top pri­orities is protecting employee passwords and physical devices.

Although they may seem important on the surface, data regarding product pric­es, employee compensation, inventory and parts suppliers, and emails probably will not cause substantial harm to your dealership if breached. There are easier paths to recovery with these being hacked than with the crown jewels.

What are your greatest vulnerabilities

The next step in an assessment is to figure out where your dealership is most exposed — not only which types of cyber attacks are most frequent, but which are the most likely to be successful.


Not all forms of cyber attacks require so­phisticated code that breaks firewalls. A com­mon example we see in dealerships is fraud.

For example, an attacker fakes an identity as one of your regular suppliers or contractors, then alters the payment information to redi­rect funds. This type of attack puts you in dou­ble jeopardy — unknowingly sending money to a fraudster while becoming delinquent to your true vendor or supplier.

While this example may not be as frequent as an ordinary email phishing attempt, it can still be more dangerous if it has a higher suc­cess rate.

Third Parties

Third parties you do business with, includ­ing insurers, can be another large source of ex­posure to cyber crime. Your crown jewels of­ten get transferred between your dealership and your vendors; and any data that are mis­placed or downloaded incorrectly could leave your dealership exposed to a breach. And this phenomenon goes both ways; you can be the source of a breach to your vendors just as they can to you.

In your assessment, ensure you’re taking precautions to secure­ly share data with third parties.

Internal staff

Your staff can also be a source of a cyber breach. Your assessment should include a re­view of the internal cyber awareness training you require from employees. There’s more on this in the next section.

How you’re protecting yourself

The purpose of your assessment is to look at the tools, systems, and processes you’re al­ready using to protect yourself, and then de­termine the gaps between where you are and where you need to be.


Dealership owners understand the impor­tance of insurance better than almost anyone. Your dealership probably has insurance to pro­tect against floods, hail, theft, and other com­mon threats. But does your policy include pro­visions for cyber security?

Not all policies cover cyber threats. Dur­ing your assessment is the perfect time to re­view your policy and look for cyber coverage.

Cyber awareness training

The most cost-efficient cyber security in­vestment you can make is training. Make sure your staff, at all levels, understand these fun­damentals:

  • Knowing how to create and use strong passwords
  • Recognizing email phish attempts
  • Securing company hardware including phones and computers
  • Not downloading company data onto personal devices
  • Using secure wi-fi
  • Detecting and preventing different types of fraud

It’s very uncommon for a breach at a deal­ership to come from rogue employees; but an employee who is untrained or careless can cer­tainly expose your dealership to cyber threats. Thus, a little training makes a big difference.

Incident response plan

Does your dealership have a cyber incident response plan? Your assessment is the perfect time to review your current plan or create one.

A crisis response plan can be the difference between minor incidents and worst-case sce­narios. It should provide a step-by-step guide for how to react to a cyber incident: how to shut down devices, contact external counsel, and keep damage to a minimum.


Good technology is important, but hav­ing it in the right hands is even more crucial.

During your assessment, ensure you have the right cyber security tools for your dealer­ship’s needs. You don’t always need the most expensive or sophisticated technology; you can save money by having the appropriate software for your situation, and the right staff and processes behind it.

To learn more, contact:

Chris Law, Partner, MNP Digital – PH: 604.817.4852 Email:

Chris Schaufele, National Leader, Dealerships – PH: 604.542.6768 Email:

Article Written By Chris Law

CHRIS LAW is a member of MNP’s Digital Services team in Vancouver. A passionate information technology and cyber security leader, Chris develops pragmatic, innovative and proven solutions for a wide range of clients in fields that include higher education, health authorities, municipalities, transportation and retail.

With an extensive technical background and more than 25 years of IT and cyber security experience, Chris brings a keen understanding of company IT infrastructure, and demonstrated excellence in identifying risk and emerging issues to his role. An adept communicator, he is an effective team leader and liaison between boards, stakeholders and various levels of management.

Chris’s areas of expertise include IT and cyber governance; strategic cyber roadmap planning; cyber risk, risk analysis and mitigation; change management and disruptive technology; network design and data centre architecture; incident response; high net worth cyber program; private cyber solutions and product integration. Chris is a sought-after speaker, cyber education instructor and lecturer. Chris earned a Bachelor of Science (BSc.) in computer science from the University of British Columbia in 1996.


About Author

Leave A Reply

1 × two =