Cybersecurity: Good Practices for Automotive Retailers

Please see the other blog in this series focused on Retail Focused Cyber Threats here.

With technology comes cyber threats, and from a security point of view, a couple of key security factors that all retailers have to accept and manage effectively are:

• More customer information is being provided and stored to make the shopping experience and warranty support more convenient for consumers, and
• Customer payment information is being provided and stored putting retailers more at risk of the potential for large-scale data breaches.

These points will be discussed further in this piece with a focus on the customer.

Without wanting to cite an array of retail data breaches in this article that will date quickly (as there are large scale ones every few days and big names such as Facebook and Uber are not immune) just Google the search phrase ‘retail data breaches’ and you will see a raft of up-to-date information and examples on this topic.

In addition, I do have some specific examples of Cyber-attacks or poignant aspects of Cyber Security that are very specific to automotive retailers in the following examples below (NB: generic pop-up adverts may occur on these sites):

• The US Federal Trade Commission (FTC) has identified that a hacker gained access to customer data at 130 dealerships
• A survey conducted by Total Dealer Compliance found that an absolute whopping 84% of customers would shun a dealership if they had become a victim of a data breach.
• An article in Wards Auto: Dealerships’ Biggest Cyber-Security Threat: Employees

The articles above provide quite stark reading illustrating that increasing trend of hacking retail markets but also the fact that brand reputational damage, especially around customer data breaches, will make customers shun a brand or organisation which will impact revenue when a customer will go to shop elsewhere and advises friends and colleagues to do the same.  Also, with mass media around the globe, bad news travels fast and even faster via social media which can in some instances be weaponised to affect a brand.

Customer Focused Cyber Management

I now want to touch upon some good Cyber practices and also potential Cyber threats more aligned to the customers themselves, I see these as broadly falling under the areas of:

• Customer data protection,
• Customer payment protection,
• A Cyber duty of care for customers, and
• Business Continuity/Incident Management.

I will now discuss these points further:

Customer Data Protection: Remember the General Data Protection Regulation, better known by its acronym GDPR which dominated 2018, well it hasn’t gone away like yesterday’s news it has been enshrined in law within the various legal systems in the UK under the updated Data Protection Act 2018 (abbreviated to DPA 2018).

I will focus on GDPR quite a bit as data protection is a fundamental Cyber Security requirement.

The key aspect is the protection of personal data (sometimes referred to personally identifiable information or PII), this means any information that could identify a living person, directly or indirectly and includes their name, location, or their phone number.

Some personal information is classed as sensitive and needs more protection, this includes ethnic origin, sexual orientation, religious belief, trade union membership to name a few; for the auto retail sector I would strongly advise against collecting any sensitive information unless there is a specific legitimate business need to do so and only when you have the consent of the individual.

GDPR has given the UK Information Commissioner’s Office (ICO) significant teeth with regards to whopping fines if an organisation is negligent in managing personal data. In the event of a serious data breach, the UK ICO can issue fines of up to about £17.5m, or 4% of a company’s global turnover, whichever is higher – quite an attention-grabbing figure!  Varying levels of fines can be issued for misusing data, data breaches, or failing to process an individual’s data correctly.

As the DPA 2018 came into force May 2018, I am sure all businesses have processes and procedures in place but what follows is some main points to cross-check against:

• Companies with more than 250 employees must document all of the data they are processing, including why, how customers opted in, who can see the data, and a description of their security measures.
• Smaller companies might need only to document data they process on a regular basis, or data they process that is sensitive.
• Companies are not allowed to collect someone’s personal details without their consent.
• Companies must also report any known data breaches to the ICO within 72 hours.
• Individuals will be able to request information about how a company might be using their data, what data it collects, and why.
• GDPR applies to all data “controllers” and “processers”, Controllers give direction on how and why personal data is processed (such as a company), while a Processor carries out the action of collecting and utilising the data.
• GDPR applies to any organisation offering services to citizens in countries who have signed up to apply GDPR in law (EU nations as of 2018 and Norway) regardless of where that organisation is headquartered.
• ‘Privacy by Design’ is essential to ensure that security around storing, accessing and transferring personal data has been effectively designed into an IT system and subsequently implemented.

Customer Payment Protection: The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. It applies to any organisation, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.

The standard provides a baseline of technical and operational requirements, there are 12 PCI DSS requirements and corresponding testing procedures with a minimum set of requirements for protecting account data.

PCI compliance demonstrates retailers have control over the payment card information they process.

All auto-retailers need to determine their obligations and where required scale of compliance against the PCI DSS standard and many companies including Capgemini can support auto-retailers with compliancy assessments.

Just to salt the battleground on this topic, the Cybersecurity firm Digital Shadows said it found more than 15 billion credentials on the Dark Web with bank account details available for between £56 and £400 apiece, more details can be found here.

Cyber Duty of Care for Customers: This may seem a little left-field but the area I want to highlight here is for an organisation to offer some form of guidance to their customers to help them be more aware of Cyber good practice and wary of illicit attempts to get them to share their personal information or payment details.  A good example of this is when a bank has a statement on its website or within its generic communication (e.g., letter or email) with a customer that the bank won’t ask for certain details in a cold-call format way (e.g., your credit card number, the CVV/CVS code on your payment card or your date of birth).  Anything that supports the client to be wary of Social Engineering techniques be it via rogue calls or emails to them trying to get them to part with their information to a potential fraudster/hacker.  Making them aware of the concepts of Spam, Phishing and Spear Phishing may help customers and your organisation in cutting down the possibilities of fraud attacks, some definitions below:

• Spam Email:  Unsolicited email originally used as low-cost commercial advertising but now also seen as a way to form an attack by using a barrage of email against an entity;
• Phishing Email: An attempt to trick you into giving out personal information such as your bank account numbers, passwords and credit card numbers;
• Spear Phishing Email: Targeted towards a specific individual, organisation, or business, often intended to steal data for malicious purposes or install malware on a targeted user’s computer.

Business Continuity/Incident Management: Here are some initial definitions to help frame context:

• Incident Management involves the monitoring and detection of security events on computing/storage services or a network, and the execution of proper responses to those events and their escalation to an incident when required. This is often managed via a Security information and event management (SIEM) tool with analysis and where possible a Secure Operations Centre (SOC) function.
• Business Continuity is about ensuring that your organisation continues to operate in the event of disruption. It’s a way of temporarily addressing the disruption until you’re able to fix the issue.
• Disaster Recovery is the process of resolving the disruption. At its most basic level, it involves identifying the source of the incident and finding a way to fix it. However, the plans are usually very technical and focus on specific deadlines that must be met to prevent catastrophic damage.
• Major Incident/Crisis Management is the process by which an organisation deals with a disruptive and unexpected event that threatens to harm the organisation or its stakeholders.

You also need to have very clear roles and responsibilities defined for the areas above and very clear and specific guidance on reporting and communication.  In the context of Major Incident/Crisis Management an organisations reputation might be at risk of harm, so it is essential that any external communications regarding a major incident are controlled and only released via the approved channels to prevent gossip and misinformation; PR management is as important as the incident management.

In all of the points above, an organisation’s ability to be ready, to respond effectively and to recover successfully are essential in being able to cope with cyber incidents.

In summary, the bottom line is that you need to protect your bottom line, weak Cyber security will hurt your business as attacks are common and widespread and it will be forever thus.   Risk has to be managed and straight away – don’t make it tomorrow’s problem as tomorrow is already stuffed with a truck full of challenges and Cyber Security will just get lost in that other noise.

Enabling all the above is one thing, it also needs ownership and maintaining.  If this looks like a tall order, then consider hiring temporary or permanent support from a specialist company that can be a supportive partner for you on your journey to Cyber Maturity.  Capgemini has a raft of experts that would be happy to discuss any Cyber Security requirements that you may have.

Kevin Eagles