Risky Business: The Cyber Risk Impacting Dealerships

At the end of November 2019, the Federal Bureau of Investigation (FBI) released a Private Industry Notification (PIN) to the automotive industry, informing organizations of an increase in threats and cyberattacks to steal sensitive data. This is due to the nature of data that dealership groups collect daily. Data protections are frequently dictated by automotive manufacturers and often require specific controls that are highly individualized. In a few cases, manufacturers require dealerships to relinquish control as a whole.

Some manufacturers need network infrastructure to meet exact specifications, regardless of the lack of controls, or else they will be unable to provide the service updates that need internet connectivity. In certain circumstances, if these specifications are not met, manufacturers will prevent the dealer from selling their vehicles. In these scenarios, it is easy for dealership groups to feel as if they are on an island with no help in sight.

There have been several high-profile attacks on dealerships in 2019. In some attacks, entire network infrastructures were compromised with ransomware via phishing emails or weak, reusable credentials found elsewhere on the internet and dark web. In these cases, the consequences to affected organizations were two-fold:

  • Revenue could have been directly impacted during downtime while waiting for networks to restore.
  • Reputational damage may result from being a victim of a publicized attack.

The FBI PIN also disclosed that in several cases this year, restoration of the network after a ransomware attack was not possible. These organizations discovered that data was corrupted or destroyed after completing the restoration process. Historically, this is an uncommon outcome, one frowned upon under the adage of honor among thieves. It is critical for dealerships to invest in cyber defenses to prevent an incident.

The best defense is an organizational risk assessment to identify gaps between critical assets and data. Two of the most beneficial assessments that can improve defenses are an IT Risk Assessment and a Network Security Assessment.

IT Risk Assessment

A general assessment of the IT infrastructure with the intention of identifying key assets, systems and processes that are critical within the organization. The goal of this assessment is to identify risk within the organization for areas that are deemed critical and may need a corrective action plan.

Network Security Assessment

An assessment of IT infrastructure by performing a simulated attack on the network from the standpoint of an external threat actor. This technical assessment performs a deep dive into the cybersecurity controls in place by attempting to evade defenses while accessing an organization’s most critical data. By the nature of this assessment, results of the Network Security Assessment can help identify deficiencies within the overall IT security program.

There are some inexpensive, highly effective safeguards and best practices that dealership groups can implement to bolster the security of data in their custody. These protections include multi-factor authentication (MFA) on corporate email and storage devices; strong password policies that are enforced by IT; and employee education about the threats they could face via email, phone or in person, and the appropriate responses to them.

The FBI closed the PIN by warning of increased attacks during the next year due to the introduction of internet-connected vehicles. With this new attack vector, it is paramount that dealerships have protections implemented to secure vehicle data. Dealers should understand the threats facing the industry so that they may proactively build strong controls that mitigate the risk of data loss, safeguard their customer data and ultimately protect their reputation.

About DHG IT Advisory

DHG IT Advisory works with companies to manage technology risk while maintaining data integrity, protecting privacy and complying with regulations. From project management and regulatory compliance assistance to digital forensics and incident response, DHG is equipped to meet your IT advisory needs that drive your business. To learn more about DHG IT Advisory, visit dhg.com/itadvisory.

About DHG Dealerships

DHG Dealerships is one of the largest professional service teams providing assurance, tax and advisory services to dealers across the country. We collaborate with key industry stakeholders to enhance the insights we bring to our clients and provide them access to valuable resources. For more information, visit dhgdealerships.com.


© Dixon Hughes Goodman LLP. All rights reserved.