By Mark Spangler, Secuvant Advisory Board Member
Today’s cyber threat landscape is awash in everything from classic phishing scams to ransomware attacks, computer spoofing, and social engineering attacks.
Most Dealerships simply want to keep a step or two ahead of cybercriminals, yet those criminals come with plenty of skills, powerful knowledge, and creativity – and no scruples. Protecting Dealership data can be extremely challenging, especially if you’re trying to battle hackers without the right knowledge, skills, and tools to avoid, fight, and survive their attacks.
According to Security Magazine, a new and unforeseen dimension has developed in the threat landscape since COVID-19 entered the scene in early 2020, resulting in 40% of the American workforce performing duties remotely.
The pandemic not only left the world open to vulnerabilities while everyone was trying to stay calm, compliant, and safe from a mysterious human virus, but it created a new spark of awareness among executives coming to terms with the fact that the problem is bigger than originally realized.
Let’s explore the cyber threats your business might face before discussing the survival knowledge, skills and tools you need to fight them.
What Are the Most Common Cyber Threats Businesses Face Today?
Whether you’ve experienced them or not, you’ve probably heard of some of the most prevalent cyberattacks launched against organizations:
Ransomware Attacks. Over the past five years, ransomware attacks have become an all-too-common method used by hackers. Ransomware is malicious software, also known as malware, that encrypts your business’s files and prevents anyone in your company from accessing those files, systems, or networks. The hackers demand that you pay an extortion fee or ransom, usually in cryptocurrency such as bitcoin, before they will restore access, and paying offers no guarantee that they will. Ransomware incidents cause a series of problems for your business, including major disruptions to operations and loss of critical data.
Phishing Incidents. A phishing scam is one where an employee receives an email that appears to be legitimate and from a legitimate source, such as another business or even a colleague. The email might request that the recipient update a piece of information by either replying directly to the email or following a link to another website.
Once the employee clicks the link, they are redirected to a spoofed website that looks completely legitimate. At this point, the victim may hand over personal information such as their social security number, password, or credit card information. Even worse, there are numerous sub-categories of phishing scams:
- Spear-phishing is a targeted type of phishing attack that focuses on a certain industry or victim.
- Whaling is another targeted attack aimed at an organization’s “big fish,” such as the CEO or CFO.
- Vishing scams occur via phone lines, voicemail, or Voice over Internet Protocol (VoIP) calls.
- Smishing takes place through SMS text messages.
- Pharming is an insidious attack in which the victim’s name resolution is tampered with (for example, malicious code modifying the computer’s hosts file, or a poisoned DNS server) so that typing the correct address still lands the victim on a fake website.
The first line of protection against phishing attacks is knowledge and vigilance. Ensuring that your employees understand the nature of these attacks and the tactics involved in each type is crucial to protecting against this classic attack method. Because some employee will eventually click, that awareness should be backed by technical controls such as multi-factor authentication and email filtering that limit the damage when they do.
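The phishing pattern described above (a link whose visible text or target does not match the site the employee expects) is exactly what a mail filter can check before a message reaches the inbox. The following is an added example, not part of the original article and not any vendor’s product: it parses the links out of a constructed sample email and flags the classic tells, such as a raw IP address as the host, punycode (homoglyph) host names, visible text that names one domain while the link goes to another, and domains one or two characters away from the dealership’s own. The dealership domains, the sample message, and the threshold of two edits are assumptions for the example.

```python
"""Flag suspicious links in an email body before it reaches an employee.

Added example for the phishing discussion above; the trusted domains and
the sample email are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the (hypothetical) dealership and its bank actually use.
TRUSTED_DOMAINS = {"example-motors.com", "bankofexample.com"}

# Lookalike threshold: a registered domain this close to a trusted one,
# but not equal to it, is treated as an impersonation attempt (assumption).
LOOKALIKE_MAX_EDITS = 2


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); adequate for .com-style names."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_link(href, text):
    """Return the reasons a link looks like phishing; an empty list means clean."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        return [f"unusual scheme {parsed.scheme!r}"]
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append("link points at a raw IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host name, possible homoglyph domain")
    # Visible text that itself names a domain must agree with the real target.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        reasons.append(f"visible text says {shown.group(1)} but link goes to {host}")
    rd = registrable_domain(host)
    for trusted in TRUSTED_DOMAINS:
        if rd != trusted and edit_distance(rd, trusted) <= LOOKALIKE_MAX_EDITS:
            reasons.append(f"{rd} is a lookalike of trusted domain {trusted}")
        # e.g. bankofexample.com.login-verify.net: trusted name buried in another domain
        if rd != trusted and trusted in host:
            reasons.append(f"{trusted} appears inside unrelated host {host}")
    return reasons


def scan_email(html):
    """Map each suspicious href in the message to its list of reasons."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.links:
        reasons = analyse_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample message: two phishing links and one legitimate one.
SAMPLE_EMAIL = """<p>Your DMS password expires today.</p>
<p>Please <a href="http://examp1e-motors.com/reset">reset it here</a>.</p>
<p>Or visit <a href="https://203.0.113.7/login">https://example-motors.com/login</a></p>
<p>Questions? <a href="https://help.example-motors.com/faq">help.example-motors.com</a></p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

The registrable-domain helper is deliberately simple; for country-code suffixes such as .co.uk a public-suffix list is needed. The edit-distance threshold also needs tuning: with very short trusted domains, two edits can match legitimate unrelated names, so in practice these checks feed a quarantine or a warning banner rather than an outright block.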
Social Engineering Attacks. A significant percentage of attacks relies on social engineering. Often combined with spear-phishing and whaling, this form of attack preys upon human nature, exploiting an individual’s natural trusting response and desire to help others. Most of these attack types can be mitigated through effective employee education and awareness combined with appropriate network controls and permissions.
Begin with Adherence to Core Principles
More and more, Dealers are recognizing the importance of effectively assessing and mitigating their overall risk exposure. This is no small feat! Dealers should begin by adhering to the following three core principles:
- Cyber Risk is Business Risk. Cyber Risk goes far beyond the purview of the IT organization. Human Resources, Sales, Marcom, Legal, Operations, Finance, and others play a critical role in preventing and effectively managing cyber risk.
- Law of Diminishing Returns. Organizations must recognize complete risk elimination is unattainable and that dollars invested beyond the elusive “optimal point” provide diminishing value. There are countless examples of organizations that have spent millions upon millions of dollars implementing measures to reduce risk only to find themselves victims of cybercrime.
- Program vs. Project. There are two constants in cybersecurity: 1) the business landscape of an organization is likely to change, and 2) the threat landscape will most certainly change. Organizations that address cybersecurity as an ongoing risk program initiative are historically far more successful than those that address cybersecurity as a one-time project. Managing risk never ends; projects do.
Make Cyber Risk Management a Priority
With these core principles in mind, Dealers should attempt to follow best practices found within common cybersecurity frameworks such as the NIST Cybersecurity Framework and NIST Special Publication 800-171. NIST SP 800-171 is a uniform set of security requirements for organizations to better manage and reduce cybersecurity risk; it is comprehensive, containing 110 controls across 14 control families. Organizations with limited resources will likely experience difficulty interpreting, applying, and prioritizing these controls within their environment; therefore, to mature one’s cybersecurity posture, Dealers should conduct a comprehensive Security Risk Assessment across all 110 NIST SP 800-171 controls.
The cybersecurity industry finds itself in uncharted territory in terms of its ability to fend off attackers. Cybersecurity Ventures projected that in 2021 there were 3.5 million unfilled cybersecurity jobs. This poses a significant challenge for Dealers, who find themselves competing with large enterprises for the same security talent. Against that backdrop, Kaspersky’s Global Corporate IT Security Risks Survey of March 2021 found that roughly 70 percent of organizations were planning to outsource security to a security provider during the next year. Dealers would do well to follow the trend of outsourcing security services.
Cyber threats aren’t going away, and leaving cybersecurity risk to chance is putting the health of your dealership and the trust of your customers at risk. Don’t fall into the trap of assuming you are too insignificant to be targeted. You may ask, “Why would anyone want my information?” The truth is you have information they want, such as employee, customer, and your own financial information, as well as intellectual property, trademarks, company secrets, etc. Remember, it’s not only that your data is valuable to them; it’s that they know the data is valuable to you.
The adage “an ounce of prevention is worth a pound of cure” has never been more relevant than in cybersecurity. Begin now to address cybersecurity risk; statistics say you’ll be glad you did.