Recommendations to Improve Cybersecurity at Auto Dealerships

As data security breaches dominate the national headlines, dealerships are seeing an increased need to understand what data they have and how they are protecting it from malicious parties. Though Dealer Database Management Systems typically contain sensitive consumer financial information, dealerships have often dismissed cybersecurity as an unnecessary cost or a low risk to the organization. Indeed, many small or medium-size businesses do not view themselves as a target for cyber fraud or external hacking. It is easy for management to lose visibility into data security practices when the IT function is outsourced.

Many dealerships do not fully understand the implications of failing to secure confidential data, which may include: 

  • Financial penalties
  • Severe brand damage
  • Loss of consumer trust
  • Significant investigation, legal and remediation costs

While dealerships vary in size and complexity, all must consider how they protect their most sensitive data. When dealerships collect personally identifiable financial information from customers to provide financing services, they are classified as financial institutions by the Gramm-Leach-Bliley Act (GLBA), subjecting them to the legislation’s requirements for securing client data. When they collect credit card data, they are subject to the Payment Card Industry’s Data Security Standard (PCI DSS) for protecting cardholder data. Additionally, individual state breach notification laws stipulate requirements for notifying government agencies and consumers when their data is compromised.

The implementation of strong security controls is the best defense against various cyber attacks. Applying effective oversight, changing default passwords and regularly updating systems with the latest security patches are all critical in securing systems and data. Nonetheless, vulnerabilities are not limited to technical systems. Personnel within your workforce may be the most attractive target to attackers, as social engineering techniques that exploit the trusting nature of people have been extremely successful in extracting passwords and confidential data. When users unknowingly click links or open attachments in malicious emails from untrusted sources, they open their workstations and the network to attackers.

As the number of data breaches continues to rise, dealerships must take responsibility for securing their customers’ data. If internal resources lack the knowledge and experience to effectively evaluate the security environment, a third-party advisor with dealership industry insight can assist. Valuable cybersecurity offerings to look for in an advisor include:

  • Cybersecurity Risk Assessments
  • Network Security Assessments and Penetration Testing
  • Social Engineering Assessments
  • Sensitive Data Discovery Scans 
  • Data Breach Incident Response and Investigation Assistance

DHG’s Top 5 Recommendations for Immediately Improving Network Security at Your Dealership

  1. Ensure default passwords on all systems are changed to complex passwords that include numbers and special characters. Change these passwords at regular intervals, every 90 days at a minimum.
  2. Ensure that a system patching program is in place to keep all systems up to date with the latest security patches and fixes.
  3. Implement a security awareness training program designed to regularly inform your workforce about their responsibilities in protecting the dealership’s data.  Training should address the latest security threats, appropriate security behaviors and individual responsibilities for reporting suspicious activity on the network. 
  4. Perform technical testing against IT infrastructure to identify critical vulnerabilities in devices and systems that attackers could exploit to access and steal confidential information.
  5. Have an incident response plan ready for when a suspected breach occurs.  The plan should include assignment of roles and responsibilities for investigation, reporting and remediation.

About DHG IT Advisory

DHG provides cutting edge cybersecurity advisory and assessment services to assist organizations with evaluating and enhancing information security practices. Contact Rodney Murray, Principal, at 704.367.7062 or for more information about how DHG can help secure your IT environment and protect your company’s data.

About DHG Dealerships

DHG Dealerships’ team of dedicated professionals works exclusively with dealerships of all sizes, serving more than 1,500 rooftops across all 50 states, including six of the top 10 dealership groups in the country. Contact Lori Haley, Partner, at 205.212.5315 or for more information about how DHG can assist with the security and protection of your dealership group and the data within it.


Lori Haley
Managing Partner, Atlanta | Birmingham | Nashville
© Dixon Hughes Goodman LLP. All rights reserved.
DHG is registered in the U.S. Patent and Trademark Office to Dixon Hughes Goodman LLP.