With more employees working remotely, it is critical that dealerships be more vigilant than ever in the development and enforcement of cybersecurity and data privacy policies.
Auto dealerships are a favorite target of cybercriminals because they collect, process, and store large quantities of sensitive customer data across their various technology networks.
In December 2019, Automotive News reported that, “On an average day, 153 viruses and 84 malicious spam emails are blocked by technology on a dealership’s network.” However, not all attacks can be stopped, and auto dealerships are among the growing number of companies suffering losses from cybercrimes. Cybersecurity Ventures, a leading researcher in the field, forecasts that the worldwide annual cybercrime damages will reach $6 trillion by 2021.
The COVID-19 crisis has exacerbated the problems and increased the risks of cyberattacks for auto dealerships. Throughout New England and the surrounding areas, dealerships have been forced to close their showrooms because of stay-at-home orders, but have been allowed to keep their service departments open. “By the time we completed the reduction of force of the service employees, the service departments remained busy, so we had to reinstate the furloughed employees,” one of our automotive clients told us.
This presented a unique set of circumstances: portions of the IT operation had to remain open with limited staff, while the remaining employees had to convert to working remotely overnight. One of the largest challenges that dealerships faced was getting all of their remote users trained to an acceptable level on the new technology. They also had to make sure employees were using it effectively and securely.
As sales teams shift to remote-working environments, it is imperative for dealerships to review security processes and procedures related to remote access of their dealer management systems. Cybercriminals are not only aware of, but also actively targeting, workers who are remotely accessing confidential and sensitive information. Dealerships that have invested in cloud initiatives were well positioned to transition into a remote working environment due to the enhanced security protocols in the cloud.
One of the most effective defensive strategies is to have a robust ongoing corporate IT security awareness program. The risks are real, and the threats are growing daily as the fear of the virus intensifies. From phishing attacks to dangers stemming from employees conducting work using personal electronic devices, dealerships must be more vigilant than ever to guard against a breach. Notably, many dealerships don’t have cybersecurity privacy policies in place for remote-working employees.
There are a number of steps dealerships can take to help mitigate the risks of falling victim to a cyberattack.
A “phishing” attack involves an attempt by a cybercriminal to obtain sensitive information, such as usernames, passwords and credit card details, through a fraudulent email. The email may direct a recipient to enter personal information at a fake website that mimics a legitimate site, or the email may include an attachment that downloads malicious software onto the recipient’s computer.
The COVID-19 crisis has only heightened the risk of such attacks, particularly for those working from home.
To help ward off threats, dealerships should develop and implement processes to help notify and train employees to be on the lookout for such phishing attacks, and remind employees to:
Employees working remotely may be accessing and transmitting sensitive data from unsecured networks, which are more vulnerable to attack. As a result, dealerships are at greater risk of exposure, along with liability stemming from state, federal and/or international privacy and data notification laws should sensitive data be exposed. Risks are compounded to the extent employees use personal devices to conduct company business. But there are steps that can, and should, be taken to minimize the risk.
For instance, remote employees may attempt to download or use tools on a work-based computer. Allowing employees such unfettered permissions is ill-advised given how much malicious software is available. Bad actors need just one unsuspecting employee to provide backdoor access to a dealership network. Dealerships should devise policies specifying which software remote employees are permitted to download and install on a remote computer.
Dealerships should also employ security systems that allow remote employees secure access to sensitive corporate data, information, or remote applications. For instance, dealerships should, at a minimum, employ a virtual private network (VPN) to secure data and communications between a remote employee computer and the dealership’s network. Or, a dealership could employ a zero-trust network (ZTN), which may include multi-factor authentication or push notification authentication to approve or deny access.
While VPNs are still widely used to provide network security for remote employees, it has been reported that ZTNs are a much safer approach because they treat everyone equally as untrusted. Given the current crisis, and the possibility of a greater remote workforce in the future, providing zero trust for all remote employees is advisable since it takes just one mistake by a remote employee to provide a malicious actor access to your system.
With more employees working remotely, it is critical that dealerships be more vigilant than ever in the development and enforcement of cybersecurity and data privacy policies. Dealerships should communicate and reinforce cybersecurity policies clearly and frequently—and conduct remote training as necessary—to encourage adherence to them. Doing so will help guard against a costly data breach.