No one is immune to cybercrime, including your dealership. Learn how to protect yourself and what to do if the worst happens.
The cyberattack on CDK and the shocking effect it had on so many dealers is a reminder that this type of attack is a very real danger. It doesn’t just happen to big corporations, either. While there’s a potentially big payoff for hackers who get into those, it can often be easier for them to get into small businesses – like yours – and make it worth their while.
An attack can be extremely expensive to you in terms of time, money, and customer trust. If you’re not already protected, you need to be; and even if you are, you still need to stay one step ahead of cyber criminals.
What makes dealerships attractive to hackers?
You have a great deal of information in your system about your customers, including their names and addresses, vehicles, and especially their credit cards and financing information. Hackers can potentially steal from your customers with that, or “go big” and hold your system for ransom, as happened with CDK.
You’re also vulnerable by the very nature of how you serve your customers. All your systems may be integrated, so that sales, service and parts have equal access to each customer’s full information, requiring only one point of entry. You may use cloud storage for information. You may offer free Wi-Fi; and your computer system is likely set up for easy access by your salespeople so customers don’t have to wait for answers. While your customers appreciate all of this, and you still need to do it for them, hackers will appreciate it too.
What types of attacks could you face?
Hackers use a variety of ways to get into and mess with your system, which makes it tougher to keep them out because you have to use a multi-step approach. Some of these are:
- Phishing: Hackers send an email that looks like it’s from a legitimate source, such as a bank or government agency. These can contain links or attachments, and if someone opens them, the hacker can steal passwords or other information, or install malware and viruses on your system.
- Ransomware: Hackers break into your system and encrypt it so you can’t get into it or retrieve your data, and demand payment to release it back to you.
- Point of sale: Hackers get into your payment system and steal the information when credit cards are processed.
How can you protect yourself at a low level?
- Insist that employees practice “cyber hygiene.” Users should change their passwords regularly; passwords shouldn’t be easy to figure out, and of course shouldn’t be revealed or written down. Some businesses use passkeys, including facial or fingerprint recognition; two-factor authentication; or authenticator devices with rolling passwords. They’re aggravating when you just want quick access, but they can help keep you safe, or at least safer.
- Use privacy screens on phones and monitors so others can’t sneak a peek. You’ll still be able to show a screen to customers as needed by turning it directly toward them. Don’t leave screens unattended when there’s important data visible on them.
- Log off and turn off computers when the store closes. Hackers tend to be busiest at night, or on weekends and holidays, when they know the business is closed.
- In addition to cloud storage, if you use it, back up your data regularly on external hard drives that you keep in a secure place. Regularly test the files on them to be sure there aren’t any infections in them. If you do need to restore your data, it’s faster to do it from a hard drive than from online.
- Use the most recent versions of firewalls. Consider programs such as Mailwasher, which allow you to preview emails before you download them into your system. This lets you delete emails with suspicious attachments before they can get into your programs and start their attacks.
- If employees leave, scrub their access completely from your system. Even if they’re not a danger themselves, someone hacking into their devices could potentially trace them back to yours.
- Limit network access based on employee level. For example, those who have no need to see customer financing information shouldn’t be able to get to it.
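The last two points, removing departed employees' access and limiting access by job role, can be checked on a schedule with a short access review. The script below is an added example, not something from the original article: the roles, data categories, usernames and account export format are all constructed assumptions, to be replaced with what your dealership system actually exports.

```python
# Added example: periodic access review for dealership user accounts.
# Every role, category, username and record below is constructed for illustration.

# Assumed policy: the data categories each job role actually needs.
ROLE_NEEDS = {
    "sales": {"customer_contact", "vehicle"},
    "service": {"customer_contact", "vehicle"},
    "parts": {"vehicle"},
    "finance": {"customer_contact", "vehicle", "financing", "payment_card"},
}

# Constructed HR roster: people currently employed, mapped to their role.
ACTIVE_STAFF = {"asmith": "sales", "bjones": "finance", "cwu": "parts"}

# Constructed account export from the dealership system.
ACCOUNTS = [
    {"user": "asmith", "enabled": True, "access": {"customer_contact", "vehicle", "financing"}},
    {"user": "bjones", "enabled": True,
     "access": {"customer_contact", "vehicle", "financing", "payment_card"}},
    {"user": "cwu", "enabled": True, "access": {"vehicle"}},
    {"user": "dlee", "enabled": True, "access": {"customer_contact", "vehicle"}},  # has left
    {"user": "egarcia", "enabled": False, "access": {"financing"}},  # has left
]


def review_access(accounts, active_staff, role_needs):
    """Return sorted (user, finding, detail) tuples for accounts needing action."""
    findings = []
    for acct in accounts:
        user, access = acct["user"], acct["access"]
        role = active_staff.get(user)
        if role is None:
            # Not on the roster: the account should be scrubbed completely.
            if acct["enabled"]:
                findings.append((user, "departed_still_enabled", sorted(access)))
            elif access:
                findings.append((user, "departed_rights_remain", sorted(access)))
            continue
        # A role missing from the policy needs nothing, so all access is excess.
        excess = access - role_needs.get(role, set())
        if excess:
            findings.append((user, "excess_access", sorted(excess)))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding, detail in review_access(ACCOUNTS, ACTIVE_STAFF, ROLE_NEEDS):
        print(f"{user:8} {finding:24} {', '.join(detail)}")
```

A disabled account that still holds rights is reported separately because re-enabling it restores that access in one step.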
How can you protect yourself at a higher level?
- Work with an IT security company to button down your systems. You need to identify any issues with your system, and find and plug any vulnerabilities, including in any online storage or applications you use. IT providers aren’t necessarily IT security specialists, so be sure you’re dealing with people who are experts in cybersecurity.
- Look into automated software that monitors your system 24/7 for suspicious activity.
- If you provide Wi-Fi for your customers, consider having two separate Internet systems: an open one for them, and another strictly for your store’s operations, with the added password/passkey restrictions noted above.
- Train your staff to identify attacks and immediately report them. Even simple phishing scams need to be addressed with everyone so they know what to look for. If customers call asking about unauthorized charges they’ve found, get someone on your system right away.
- Get cyber insurance, offered by many insurance companies. This can help cover the cost of fixing the breach, along with any liability you might have to pay to customers whose information was compromised, or any funds that were misdirected by the hackers.
What do you do if it happens?
- It’ll be tough, but stay calm. Get everyone off the system in all departments.
- Don’t negotiate with hackers if they reach out to you. Call your IT security company or insurance company so they can recommend your next steps. If the hackers are threatening extortion, call the police.
- Contact your legal providers so they’re aware of what’s happened and can prepare for any liability issues. You will need to inform your customers of what’s happened, but don’t do this without consulting your lawyers, who will assist you with how to present it to them.
- When there are breaches, even minor ones, work with your IT security to find out how it happened and how to prevent it in future. Cyber attacks aren’t “one and you’re done” – if you’ve been hit once, you could be hit again. Your dealership, your employees, and your customers are counting on you to keep everyone’s data safe.