Cybersecurity: Good Practices for Automotive Retailers

Please see the other blog in this series focused on Customer Focused Cyber Threats here.

Automotive retailers are acutely aware of the evolving retailing practices and changes with technology; in many areas, this type of retail sector has embraced developments in Information Technology provisions and management, for example, any organisations have increased Cloud adoption strategies.

Without wanting to cite an array of retail data breaches in this article that will date quickly (as there are large scale ones every few days and big names such as Facebook and Uber and are not immune) just Google the search phrase ‘retail data breaches’ and you will see a raft of up-to-date information and examples on this topic.

Importantly, a survey conducted by Total Dealer Compliance found that  84% of customers would shun a dealership if they had become a victim of a data breach.  There is an increasing trend of hacking retail markets and causing brand reputational damage, especially around customer data breaches motivating customers to shun a brand or organisation which in turn hurts sales.  Also, with mass media around the globe, bad news travels fast and even faster via social media which can in some instances be weaponised to affect a brand.

To provide some further ‘real-world’ context to automotive retailers, the following examples of cyber security incidents make for stark reading (NB: generic pop-up adverts may occur on these sites):

• The US Federal Trade Commission (FTC) has identified that a hacker gained access to customer data at 130 dealerships
• An article in Wards Auto: Dealerships’ Biggest Cyber-Security Threat: Employees

Retailer Focused Cyber Management

The following lists are provided to help shape an approach for an  Automotive Retailer, it’s not meant to be a prescriptive guide but a collection of pointers that help with the decision making with an approach for your organisation:

• Policies and Security Maturity:
  • Does your organisation have a Cyber Security Policy that governs the secure use of IT and data? Such a policy would cover both technical and procedural controls (e.g., password complexity as a technical control and ensuring privileged users who have administrator rights do not use their admin account for their standard daily system access as a procedural control).
  • In addition, does your organisation have an Acceptable Use Policy (AUP) which can cover expected behaviours and practices around corporate IT (e.g., not sharing passwords, misusing corporate IT, or copying corporate or personal data or information)?
  • What is the security maturity of your organisation against your governing policies (like those stated above) and have the policies been validated by an independent and experienced entity to provide assurance that they are as fit-for-purpose?
• Cyber Security Incident Management: Do you have a process or plan in place to deal with a security incident and who are the contacts that would deal with a security incident?  Do you team  know what they need to do to manage incidents, and how would they cope with a Denial of Service (DOS) or Ransomware attack?  This is also relevant to GDPR with known data breaches having to be reported to the ICO within 72 hours.  Related to this is logging, monitoring and alerting of IT systems and services.  Are your IT functions logging security events (such as failed logon attempts)? Do you need to implement a Security Incident and Event Manager (SIEM) tool or utilise the services of a Security Operations Centre (SOC) and analysts?  It does depend on scale too, a SOC may well prove to be a sledgehammer to crack a nut for some organisations but not for other larger ones.  Also, the management of capabilities such as an Anti-Virus solution, email scanners, web proxy services, logging functions and boundary protection are all essential aspects that an organisation needs to have a handle on.

Some additional helpful definitions below to assist with context:

• Incident Management involves the monitoring and detection of security events on computing/storage services or a network, and the execution of proper responses to those events and their escalation to an incident when required. This is often managed via a Security information and event management (SIEM) tool with analysis and where possible a Secure Operations Centre (SOC) function.
• Business Continuity is about ensuring that your organisation continues to operate in the event of disruption. It’s a way of temporarily addressing the disruption until you’re able to fix the issue.
• Disaster Recovery is the process of resolving the disruption. At its most basic level, it involves identifying the source of the incident and finding a way to fix it. However, the plans are usually very technical and focus on specific deadlines that must be met to prevent catastrophic damage.
• Major Incident/Crisis Management is the process by which an organisation deals with a disruptive and unexpected event that threatens to harm the organisation or its stakeholders.

Clear roles and responsibilities need to be defined and very clear and specific guidance on reporting and communication must be shared.  In the context of Major Incident/Crisis Management an organisations reputation might be at risk of harm, so it is essential that any external communications regarding a major incident are controlled and only released via the approved channels to prevent misinformation; PR management is as important as the incident management.

In all of the points above, an organisation’s ability to be ready, to respond effectively and to recover successfully are essential in being able to cope with cyber incidents.

• Data Protection, does your organisation have a Data Protection Officer (DPO) or someone who fulfils the role of a DPO?  A key requirement under GDPR.  Please also bear in mind that data protection also applies to your employees’ data and job candidates who provide you with their personnel data, and potentially suppliers or contactors that you might use; so, it isn’t just about protecting your customers personal data only.
• Strategy, what is your organisation’s IT Strategy and how does a Cyber Security strategy fit in with the IT Strategy, has anyone joined up the dots?
  • If you have in-house IT, outsourced or offshored provision, Cloud services or a hybrid mix of all of these you need to have a strategy to manage this IT and its security and ensure that Data and Information are protected and accessed appropriately.  Also, if you manage your own IT or use Cloud IaaS services, you will need to look at hardening server and or end point builds and if you develop your own Applications or APIs you will need to look at guidance from OWASP for secure development work.
  • Have your IT systems been subject to a vulnerability assessment, penetration test or audit to determine the security of services?  Also, has a Risk Assessment been undertaken on your critical IT systems and applications to indicate how vulnerable they might be to attack?
  • Do you have a managed Joiners/Movers/Leavers process whereby staff that move to other roles within the organisation or leave your employment have their access privileges altered accordingly or revoked?
  • If your employees use mobile devices is strong device encryption enabled with strong authentication methods as well?
• Proving your credentials. Think about accreditation of your IT services or those of your suppliers, schemes such as ISO 27001 (globally recognised) or Cyber Essentials (UK recognised) are useful indicators of the Cyber maturity of an organisation.
• Security cultural awareness training. I spoke earlier in the Customer Focused Cyber section on Spam/Phishing/Spear Phishing – are your employees aware of these terms and if they are aware of the terms are they fully understanding of the fact that they shouldn’t forward these emails on, or click links or open attachments in these unsolicited emails which are deliberately crafted to dupe busy people.  Does your organisation undertake background checks on prospective new hires, such as criminal record checks and reference checks?
• Insurance Cover. Check with your insurance company to determine if your policy has data-compromise coverage or similar. This may assist with data breaches or stolen assets (e.g., laptop theft) if there is a risk of unauthorised disclosure of personal data, but please check the fine print of any policy to determine whether it is going to be helpful.

The bottom line is that you need to protect your assets, weak Cyber security will hurt your business as attacks are common and widespread and unfortunately these are here to stay.   Risk has to be managed straight away – don’t make it tomorrow’s problem as tomorrow is already stuffed with a truck full of challenges and Cyber Security will just get lost in that other noise.

Enabling all the above is one thing, it also needs ownership and maintaining.  If this looks like a tall order, then consider hiring temporary or permanent support from a specialist company that can be a supportive partner for you on your journey to Cyber Maturity.  Capgemini has a raft of experts that would be happy to discuss any Cyber Security requirements that you may have.

Kevin Eagles