Cyber attacks have become a permanent fixture in the contemporary news cycle — and for good reason: Cyber incidents have featured as one of the top three business risks on the Allianz Risk Barometer every year since 2016. The number of breaches continues to increase year over year, along with the volume of data exposed and the costs to recover networks, settle litigation, and manage related regulatory and reputational fallout.
Major breaches in recent years have compromised millions of financial records, leaked sensitive personal information, and even caused fuel shortages across parts of the U.S. Yet, even with all this attention, many business leaders still aren’t recognizing the risks and taking meaningful steps to protect their organizations.
You’re never too small to become a target
You wouldn’t know it to look at the headlines, but more than two in every five attacks target small and medium-sized businesses (SMBs). At first glance, this may seem inefficient on the part of cyber criminals. After all, there’s certainly more to gain by targeting a government, utility, or Fortune 500 business.
However, cyber criminals can get the same payout by breaching 15 or 20 SMBs for the effort it would take to breach a large enterprise — and with a far lower likelihood of getting caught. Large enterprises know they’re being targeted and have millions to spend on cyber risk management, expertise, and technical controls.
On the other hand, SMBs are less likely to feel at risk and therefore less inclined to allocate their limited budgets and manpower to preventing, detecting, or recovering from a cyber threat that may never occur. This is often a decision they make at their peril: attacks on SMBs aren’t just more common than they seem, they’re also more likely to be successful and cause a business to fail as a result.
Dealers are particularly vulnerable
Your dealership likely has a range of qualities that make it uniquely attractive to would-be attackers. The nature of your business requires you to collect significant amounts of sensitive customer data, as well as maintain ready access to a wide range of financial and insurance information. Not only are this information and access extremely valuable on the black market, it’s also likely you’re willing to pay good money to prevent them from ending up there — a likely win-win for a cyber criminal.
Moreover, like many dealerships across Canada, you may currently be investing (or at least considering investing) in cloud and digital transformations to reduce costs, remain competitive, and improve the customer experience. New platforms and technologies almost invariably introduce new vulnerabilities and third-party risks. Left unchecked and unmitigated, these can provide a convenient entry point to other systems and networks within your business.
Equipment makers, too, aren’t making your life any easier. With each new generation of machinery, they’re constantly increasing the number of digital technologies that come standard. Consider how many machines on your lot now offer Wi-Fi or Bluetooth connections — and how many customers connect their devices to these vehicles every day. All it would take is for one infected device to connect to one machine, and for that machine to connect to your business network, for a potential breach to occur. Given you’re likely responsible for securing your own environment, it’s understandable if you’re suddenly feeling uncommonly vulnerable.
Make the most of your limited resources
The challenge, of course, is how to balance your limited resources between delivering on core business priorities and protecting against the myriad threats lurking in your digital infrastructure. Thankfully, there are several straightforward and cost-effective steps you can start taking immediately to stop any would-be hacker from gaining entry to your business.
Protect your critical assets
Revenue is the lifeblood of your business. You have a responsibility to your employees, to the future of your business, and to yourself personally to invest your limited resources in profit-generating endeavours. It’s therefore not practical, or cost effective, in most cases to protect all business systems with the best technology and 24/7 monitoring.
However, you can still make significant inroads by focusing instead on the critical and sensitive data in your dealership and prioritizing the areas where the business is most at risk. Taking a stepwise approach to ranking and prioritizing your key focus areas will go a long way to stretching your cyber security dollars. For example, what is more likely to be the target of a breach — electronic tire pressure sensors or your client database?
Start with an assessment of how you’re protecting vital assets such as login credentials, payment records, personal client and employee information, logs, backups, etc. Are you and your team members adhering to best practices or do you need to modify certain policies and procedures?
Next, review your system logs and backups to ensure they’re operating properly, capturing critical data, and can be recovered in the event your systems go down. Test these to ensure they’re free of malware and viruses. Clean logs and backups can be a critical lifeline in the event your systems go down or are involved in a ransomware breach.
Finally, identify key vulnerabilities in your existing cyber security coverage and close them where possible and cost effective. If you’re not sure how to do this or where to start, a qualified cyber security advisor can help.
Become cyber security aware
According to IBM’s 2020 Data Breach Study, malicious cyber attacks were responsible for over half of all data breaches over the previous year. Of these, the following root causes were responsible for nearly 70 percent of attacks:
- Compromised credentials (19%): Attackers exploited weak passwords or leveraged re-used passwords recovered from previous breaches.
- Cloud misconfiguration (19%): In-house IT teams or technology contractors failed to properly address security vulnerabilities in cloud installations such as Office 365 or Amazon Web Services.
- Third party software vulnerabilities (16%): So-called zero-day software flaws (e.g., the SolarWinds Orion vulnerability) allowed attackers to compromise a business.
- Email phishing (14%): A cyber attacker sends a malicious email prompting the recipient to click an infected link, download an infected attachment, or willingly submit login credentials or personal information.
Simply understanding where you’re most likely to face an attack and exercising the appropriate level of vigilance can significantly reduce your risk of a breach.
Your people and your vendors are the first and often most effective line of defence. Training your team on basic security practices like how to create and protect secure passwords and how to identify and report phishing emails can reduce your threat by up to a third. Creating a cyber awareness program, updating internal policies and procedures, and ensuring staff are regularly updating their software can lower your risk even further.
Similarly, as you continue to invest in digital transformations and technologies, you need to hold your third-party technology providers equally accountable. They should be able (and eager) to clearly demonstrate and prove the steps they’re taking to protect your business. What steps have they taken to configure and secure your new cloud platform? What access do internet-connected applications and devices have to other systems, and what risks might they introduce to the business? What about your new mobile application?
Cyber security isn’t a standalone initiative you address once all the other pieces of your technology infrastructure are in place. It’s a continuous conversation that needs to take place frequently, among everyone, and throughout all areas of your business.
Create and practice a response plan
The length of time it takes to identify and respond to the threat correlates strongly with the financial and reputational impacts of a breach. Organizations that have comprehensive incident detection and response procedures in place are in a much better position to detect attacks early and mount a full recovery. Like fire drills, your incident response plan needs frequent practice to be effective and to become second nature.
This plan should involve everyone in the organization to some extent with clear guidelines on:
- When to report suspicious activity,
- When to contact third-party advisors,
- Reporting responsibilities,
- How to communicate with employees, customers and regulators,
- And more.
Figure 1: The anatomy of a breach response plan
Triage the situation deliberately and with a level head. Reach out to a qualified cyber security advisor who can help assess the situation, guide your next steps, and begin taking steps to restore your network.
Determine if there is cyber insurance
You may be entitled to compensation for your losses. However, insurance is not a silver bullet. Review your policy carefully so you understand the rules of engagement, including which third parties to call for assistance.
Contact external counsel
If there is potential for personal information to be exposed in the attack, you may be at risk of future litigation. Contact legal counsel for guidance around next steps and communication with clients and regulatory bodies.
Establish roles and responsibilities
Every person in the organization has a role to play throughout the breach and recovery process — not just your IT department. Set clear guidelines and expectations for everyone, including around what (and what not) to say.
Note: Don’t try to re-invent the wheel; your Disaster Recovery and Business Continuity plans can provide a good starting point.
Establish the war room
Create a centralized venue where people can report on actions, exchange information, discuss ideas, and provide critical updates.
This should be private, secure and easily accessible for all priority stakeholders. But for obvious reasons, it should also be separate from the dealership’s main technology infrastructure.
Establish communication protocols
Know what to communicate, when to communicate it, and what communications mediums to use. Consider contacting a third-party communications advisor to help develop key messages and strategies for speaking with the media and affected parties.
Avoid putting any conclusions in writing that may result in potential litigation for negligence (e.g., Individual failed to perform required backups). Assume all emails or recorded communications are public record in legal proceedings.
Take care of the team
Ensure all staff and individuals responding to the incident feel fully supported. Frequently check in on people’s wellbeing. Ensure everyone can get adequate rest and transportation. And bring in crisis and/or mental health counselors if required.
Figure 2: Containing, neutralizing, and recovering from a cyber attack
Get as much visibility as possible into every enterprise system and device to determine the extent of the breach. They will then work to contain the issue through various means such as disabling access, disconnecting internet connection, or moving systems offline.
Root cause investigation
Determine how the threat actor was able to access the organization’s system. This may include forensic investigations and log reviews to trace the attacker’s path through the system.
An intensive and stepwise process of restoring the systems, implementing additional security protocols, testing their fixes and bringing systems online securely and gradually.
Determine whether any personally identifiable information has been compromised. If so, the organization will need to take subsequent actions to report to regulators and affected parties.
Archive all evidence, actions, and results of the previous steps to provide as evidence in future claims or legal proceedings. Continuously monitor the dark web and social media sites to determine whether any sensitive data related to the breach is being offered for sale or may damage the dealership’s reputation.
Learn from your own experience, and the experiences of others
Business owners must be willing to share information with their peers and learn lessons from others’ mistakes. Don’t be afraid to discuss cyber security with your competitors. While you may be vying for the same share of business, the threat against your industry is one area where you’re on the same team. Attackers will continue using the same exploits until they stop working — so if something’s worked once, you can be sure they’ll try it again.
Keep an eye on the media for stories about contemporary attacks and actively question whether you have any of the vulnerabilities that made other breaches possible. Communicate often with your team members, vendors, and professional advisors to ensure you’re all up-to-date and informed on the latest tactics and threats. Complacency is your greatest risk, and vigilance is your best tool to avoid becoming a victim yourself.
Chris Law is a Cyber Security Partner with MNP’s Technology Solutions team in Vancouver. To learn more about steps to protect your business or how MNP can help, contact Chris at 604-817-4852 or firstname.lastname@example.org, or Sean Kosior, CPA, CA, at 306-790-7939 or Sean.Kosior@mnp.ca.