By Art Ocain, VP of Incident Response, Airiam
The FTC upgraded its Safeguards Rule to include some robust new requirements that impact dealerships. These added security measures are essential because threat actors are becoming more sophisticated, and no company is immune to attacks. Ensuring your dealership is compliant is a step towards protecting your operations and your customers’ sensitive data from cybercrime. Compliance aligns your dealership with the bare minimum in cybersecurity, and dealerships may want to consider extra measures to protect their operations from cybercrime.
Last year, businesses experienced 50% more cyberattack attempts each week compared to 2020. The Russia-Ukraine war has slowed ransomware attacks by 42%, but most cybersecurity experts predict this lull is just the calm before a dangerous storm as threat actors reorganize. The FTC Safeguards changes come at a critical time as experts warn businesses to beef up security, believing attacks will be more frequent and virulent when they start again soon.
Ransomware impacts small, medium, and large dealerships.
What was once only a worry for big corporations has now become an increasing concern for small and medium-sized organizations, including auto dealers. Cybercriminals are becoming increasingly sophisticated, and the size of companies they target is decreasing. In Q4 of 2020, the median number of employees of companies under attack was approximately 235; in Q2 of 2022, the median dropped to 105.
Dealerships and their vendors store valuable consumer data that can be ransomed or sold on the black market. This data, combined with dealers’ and vendors’ limited cybersecurity resources, makes dealerships prime targets. Hackers breach smaller organizations because they’re more vulnerable, and their attacks attract less attention from law enforcement. Does your dealership use mobile technology, engage with external partners or vendors, accept credit cards or other forms of online payment, or store confidential information? If so, your systems and networks are susceptible to a cyberattack. The FTC’s new compliance requirements are the minimum every dealership should follow.
Why All the Added Precautions?
Dealerships may be at greater risk than they realize. The average ransom payment increased from $84K in Q4 of 2019 to more than $800K in 2021. The Safeguards Rule requires your dealership to develop, implement, and maintain a written information security program with administrative, technical, and physical safeguards designed to protect your customers’ information.
Your plan should ensure the security and confidentiality of customer information, protect against anticipated threats or hazards to the security or integrity of that information, and provide protection from unauthorized access to that information that could substantially harm or inconvenience customers.
The FTC knows that simply having a cyber insurance policy isn’t enough to save a dealership’s customers from a ransomware attack. While the FTC is most concerned with protecting customers, other factors make compliance an intelligent move to protect your organization. Not all policies pay ransoms, and the costs to recover and rebuild after a ransomware attack include more than hiring a qualified incident response team. Dealers must also factor in downtime, lost data, customer service delays, and the business impact of exposing customers’ confidential data.
As cybercrime becomes more common, dealerships can no longer rely only on cyber-insurance and gamble on facing even longer recovery times if attacked. Insurance companies’ and incident responders’ resources will be stretched thinner under the expected barrage of increasing claims. Insurance and antivirus software won’t be enough if dealerships want minimal impact on their systems and structures from cybercrime. Effective business leaders must understand the threats and invest in adequate cyber-protection to remain compliant and viable players in their industry.
1. Data Retention Policy
If your data is held hostage, every piece of information is vulnerable. The less data your dealership stores, the less impact a breach will have on your customers and operations. A strategy and formal policy to safely delete any stored data containing customers’ sensitive, personal information after two years is best practice. The FTC also requires it for compliance. Newer stored data may still be compromised, but the blast radius in the event of an attack will be smaller.
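As an added illustration of the retention rule above (example code, not the author’s or Airiam’s), the function below sorts constructed customer records into purge, keep and review sets against a two-year cutoff. The field names, the 730-day window and the legal-hold flag are assumptions; records whose age cannot be determined are routed to human review rather than deleted.

```python
"""Retention-policy check: select customer records older than a fixed
retention window (two years, as the policy above describes) for secure
deletion, without silently dropping anything the policy cannot classify."""
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 2 * 365  # assumption: two-year window expressed as 730 days

# Constructed sample records (not real customer data). Hypothetical fields:
# record_id, collected_at (ISO 8601 with UTC offset), legal_hold (exempts).
SAMPLE_RECORDS = [
    {"record_id": "r1", "collected_at": "2020-01-15T10:00:00+00:00"},
    {"record_id": "r2", "collected_at": "2022-06-01T09:30:00+00:00"},
    {"record_id": "r3", "collected_at": "2019-11-02T08:00:00+00:00",
     "legal_hold": True},
    {"record_id": "r4", "collected_at": None},
]


def classify_records(records, now=None, retention_days=RETENTION_DAYS):
    """Split records into (purge, keep, review) lists of record ids.

    purge:  older than the window and not on legal hold -> delete securely
    keep:   inside the window, or on legal hold
    review: missing, unparseable or naive timestamp; a human decides
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=retention_days)
    purge, keep, review = [], [], []
    for rec in records:
        raw = rec.get("collected_at")
        try:
            collected = datetime.fromisoformat(raw) if raw else None
        except ValueError:
            collected = None
        if collected is None or collected.tzinfo is None:
            review.append(rec["record_id"])  # unknown age: fail safe
        elif rec.get("legal_hold"):
            keep.append(rec["record_id"])  # a hold overrides retention
        elif collected < cutoff:
            purge.append(rec["record_id"])
        else:
            keep.append(rec["record_id"])
    return purge, keep, review


def example_classification():
    """Run the check against the sample data at a fixed 'now' for repeatability."""
    fixed_now = datetime(2022, 12, 1, tzinfo=timezone.utc)
    return classify_records(SAMPLE_RECORDS, now=fixed_now)


if __name__ == "__main__":
    purge, keep, review = example_classification()
    print(f"purge={purge} keep={keep} review={review}")
```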
2. 24/7 Monitoring – MDR
FTC-compliant dealerships must have continuous monitoring and vulnerability management of their networks. Managed Detection and Response (MDR) combines technology with hands-on human expertise to provide proactive monitoring, threat hunting, and response. MDR continuously analyzes activity and adapts its defenses to keep infrastructure secure. The best MDR includes advanced 24/7 security control, analytics, threat intelligence, and incident investigation and response deployed at the host and network levels. Proactively engaging MDR services identifies and limits the impact of cyberthreats. At a minimum, businesses should employ MDR. Adding endpoint and extended detection and response (EDR/XDR) provides even more visibility and more robust protection.
3. Multi-Factor Authentication (MFA)
MFA adds one or more verification steps to every attempt to sign in to your system. If you’ve ever received an SMS with a log-in code, you’ve used MFA. Entering that one-time code confirms you’re authorized to access the system and helps prevent attacks that rely on a stolen password alone. Some systems require more than one extra step, but even one additional step makes systems more secure. Extra steps create additional hurdles for would-be attackers.
4. Employee Awareness and Training
Do your technicians answer e-mails? Do customers receive text messages for appointments and marketing outreach? Your sales managers and accounting teams are not the only employees who must be aware of risks. Cybersecurity is only as strong as its weakest link, and all it takes is one employee, even a well-intentioned one, to cause that chain to break. Offer employee awareness and training programs to everyone in the dealership so they can implement cybersecurity best practices. Ensure all team members use strong passwords, take precautions when downloading documents and clicking links in e-mails, and only access sensitive files from trusted devices.
Prepare your dealership for the next wave of cybercrime.
Compliance is a no-brainer. Dealerships that don’t comply by December 2022 face up to $46,517 per consent order violation. But compliance is more than bureaucracy and avoiding fines; it’s smart business. Taking measures to reduce cyber risk is more critical now than ever, and the cost of a breach could be far more than ten times the cost of a fine. Consider taking measures beyond compliance best practices and seek support from experienced cybersecurity professionals who offer state-of-the-art services. The success and prosperity of your dealership depend on it!
About the Author
Art Ocain, CISM, MCSE, VCP, CCNA, Airiam’s VP of Incident Response, is a visionary leader and IT business strategist. He specializes in resilience engineering, cloud architecture, incident response, cloud strategy, virtualization, server and network administration and security, business continuity planning, disaster recovery, designing storage solutions, network design, web server management, e-mail server management, web application development, database management, and project management. Before his current role, Art was President and COO of MePush, a cybersecurity and managed IT company acquired by Airiam in 2021. He holds an MBA from University of the People.