Cybercriminals are getting craftier as auto retailers continue to fall victim to well-disguised attacks. According to the second annual dealership cybersecurity study by CDK Global Inc., an automotive retail software provider, 15% of dealers have experienced a cybersecurity incident in the past year. Of those impacted, 85% of the occurrences were due to sophisticated phishing attempts concealed as legitimate emails that resulted in data breaches, IT-related business interruptions and loss of revenue. The consistent cyberthreats have auto retailers concerned about securing their networks as they prepare for the upcoming Federal Trade Commission (FTC) Safeguards Rule implementation on Dec. 9.
“Consumers are continuously shifting to a more mobile environment, requiring automotive dealerships to streamline their sales and service online. Unfortunately, it can lead to creating gaps in IT networks for securing data,” said Joe Bell, vice president and general manager of IT Solutions Product & Technology, CDK Global. “Updating a dealership’s IT infrastructure, establishing an incident readiness plan and identifying qualified individuals to oversee the requirements are important steps for auto retailers in meeting the upcoming FTC compliance deadline.”
The amended FTC Safeguards Rule outlines compliance measures that includes securing customer data and implementing a comprehensive information security program. Having a solid cybersecurity plan in place is key for dealers to meet the Safeguards Rule, yet the study found that only 37% of auto retailers are confident in the current protection, resulting in a 21% decrease in preparedness compared to CDK Global’s 2021 study. With the Rule compliance deadline fast approaching, dealerships are getting serious about their cybersecurity measures.
The CDK Global State of Cybersecurity in the Dealership report found nearly 60% of dealers plan to prioritize upgraded investments in IT infrastructure, including:
- Anti-virus and malware protection increased by 31% compared to 2021, followed by establishing secure networks with consistent updates and patching.
- Dealers plan to update cybersecurity measures to combat top cyberthreats, such as email phishing, ransomware, lack of employee awareness, theft of business data, PC virus or malware, and stolen or weak passwords.
- Additional action plans include securing endpoint devices, investing in cybersecurity insurance and continued staff training.
Dealerships are preparing for the influx of possible attacks to their infrastructure, including hiring cybersecurity experts both in-house and externally and educating staff on detecting potential cyber threats.
“With the recent surge of ransomware attacks around the world and the advancement of security protocols we have made, cybersecurity remains a huge priority,” said Preston Petersen, general manager and partner at Team Automotive Group in Baton Rouge, Louisiana. “The risk to businesses and our industry is at an all-time high, and we take that risk very seriously.”
Ensuring that dealers will be FTC compliant by Dec. 9 remains uncertain, as many auto retailers are finding the Safeguards Rule to be difficult to understand or complete. CDK’s State of Cybersecurity report found that only 35% of dealers fully comprehend the new ruling and less than half are well-prepared. While 71% were familiar with protection mandates including multi-factor authentication, data encryption, and data and systems inventory, several requirements remain cloudy, including compliance on mitigation, threat detection and response.
“Partnering with a managed service provider can assist dealerships in eliminating the guesswork for FTC compliance, ensuring a safer, more secure and up-to-date IT infrastructure,” said Bell.
Andrew McClure, director of IT Operations of The Patrick Dealer Group locations in Illinois, echoed Bell’s recommendation on dealer cybersecurity safeguarding. “Engage with a chief information security officer who aligns with (analytic models) FAIR/NIST/CISA standards, research best practices and follow directions on structuring a layered cybersecurity program for your business,” McClure suggested. “Cybersecurity investments will pay dividends in threat/risk reductions.”