By Steve Akridge, CEO, BorderHawk LLC
I grew up around the car business as nearly all of my family worked with car dealerships, and many continue to do so today. Until the economic downturn of the 1970s created a catalyst for me to take a different path, I worked in the business myself. Through my family, I’ve continued to have some insight around the growing integration of Information Technology (IT) across the industry.
By the 1980s, the car business was becoming fairly well automated – from parts inventory databases linked to the shops to accessing credit information for loan applications to projecting sales inventory needs with delivery schedules. But that was then, and the computers providing that efficiency were networked with similar systems at similar businesses. In other words, they were trusted systems. Then came the Internet. The cost of custom systems and dedicated communication lines was gone and the whole world went onto the Internet and truly trusted systems were no more.
Today, because of the many cutting-edge solutions in use, a customer doesn’t even have to come into the dealership to buy a car or even apply for a loan ¾they can at least start, if not finish it all online. Don’t get me wrong, the efficiencies brought on with these technologies translate perfectly to the bottom line. But there’s a nagging problem that should not be ignored.
In the cybersecurity business, it’s called inherent cyber risk, which means that given the opportunity, every system or network can get manipulated in some way. Contrary to what every IT vendor has ever said in the sales pitch, there is no such thing as a completely secure product.
For years, people have failed to heed cybersecurity professionals’ warnings that there is an inherent risk in doing business with all IT solutions, most especially if they communicate via the Internet. And, solving for the inherent risk in those products and solutions is no longer just a matter of introducing a few specialized IT security solutions to mitigate the problem.
No, this isn’t about the effectiveness of the ‘anti-virus’ solution that you hopefully have on all your systems. Even though those solutions have a significantly less than 100% success rate in detecting malicious software, it offers some protection when used as part of a comprehensive risk-based approach. And that is the key – realizing the real issue is understanding that cyber risk is a much bigger part of your organization’s financial risk picture than you probably ever thought!
Have you ever seen a mechanic with a smartphone? Do you think someone can figure out a way to use a smartphone to run diagnostics on a car? Do you think that a mechanic’s smartphone is a trusted device within the dealership’s security perimeter? Could that phone open a whole new threat vector – not just to a car’s onboard systems but to every system that might be in use within a dealership? Absolutely – but that’s hardly the only critical point of cyber risk for most organizations. The risk to systems, networks, and data is multidimensional. That is to say, an attack can come in many ways, have a variety of motivations, and create numerous problems for the victim.
Of late, there’s been a lot of focus on hackers accessing onboard systems and wreaking havoc with the car. Then, there’s been volumes of stories about small to medium-sized organizations being held hostage with ransomware. Those are both big risks to the automotive industry and dealerships, but there is a much bigger risk that needs attention; That risk is a supply chain attack.
America’s automobile industry is an interconnected web of vendors and suppliers that communicate directly with members of the automotive supply chain as a normal course of business. Imagine if one of these vendors or suppliers were not being diligent about their cyber risk like you are. What if your supply chain ceased to exist? All the products and services you depend on, halted – so, no deliveries, sales or payroll. Could you go back to doing business manually, completely manually?
About 65 percent of the nation’s auto dealerships are single-store operations. While many of the mega dealerships may have the resources to develop and implement stringent cybersecurity programs, single-store owners are less likely to prepare, which is typical for most small to medium-sized businesses (SMB).
A 2018 study by the Ponemon Institute showed that 67 percent of SMBs have experienced a cyber attack. Even worse, according to Ponemon, 47 percent of SMBs said they have no understanding of how to protect their companies from cyberattacks. When you realize that 54 percent of organizations that suffer an attack spend about $500,000 to restore their systems, and 62 percent of SMBs close their doors after an attack, the financial risk involving cyber-attacks becomes very apparent.
Most small and medium-sized organizations are highly vulnerable to cyberattacks as a result of insufficient information technology infrastructure, limited internal staff and/or not having funds to contract external consultants to handle data security properly. So, how can a single-store auto dealer create a viable defense against cyberattacks?
The most important aspect of devising a solution is to have a good understanding of how the business operates. Since each business is unique, the first step is to have an initial assessment performed by an outside cybersecurity company.
The outcome of the assessment will determine the level of action and investment needed. Some dealerships may find their operating with limited risk and only need a basic level of outside support services, such as consulting before and after an attack. However, a dealership with a higher risk level may necessitate a customized approach that outsources the entire cybersecurity infrastructure and operation.
This threat to SMBs like single-store auto dealerships is real, and they need an affordable solution that will help them protect their operations which are the backbone of the American economy. It is not of a matter of if but when.
About the Author
Following a twenty-year career with the U.S. Navy’s Naval Security Group Command, Steve Akridge served as the State of Georgia’s first Chief Information Security Officer and later as a Technical Director with the U.S. Defense Security Service. Leaving public service in 2004, Steve became a private consultant and subsequently formed BorderHawk LLC, an Atlanta based company specializing in Cyber Security and Information Assurance in 2008. Steve has since earned a reputation for success in facilitating complex information security program development, strategic security planning, designing information risk solutions, as well as conducting security audit and compliance engagements in a variety of environments.