ARB recently attended a Dealers Edge webinar hosted by Erik Nachbahr of Helion Technologies, a leading IT vendor in the auto dealer industry. Erik presented a general overview of some industry observations and best practices in the wake of the CDK attack. Here are a few key takeaways to consider at your dealerships.
FTC Safeguards Standards
Erik indicated that overall, he supports these measures and noted they are based on industry best practices. So, although it may seem like “more regulation,” it’s really what dealers should be doing from a best practices standpoint. These measures may already be in place at your dealership, but the largest issue Helion has seen is with compliance in form over substance, i.e. these are being treated as a checklist to complete, not a tool.
IT Costs Are Viewed as a Cost to Be Controlled
This includes cyber security, hardware, network, training, etc. These costs have gotten larger for essentially all entities, and dealers looking to cut costs are creating vulnerabilities in their organizations.
Cyber Insurance
The biggest issue here is dealers claiming to have protocols and safeguards in place that they don’t actually have. This gives insurance company an “out” when it comes to a breach. Note: Watch out for the use of the term “ALL” in your insurance agreements—such as “security installed on ALL computers”—as this creates exposure. What about that old desktop in the office that’s only used for X? Does this include all smartphones, tablets, etc. that connect to the network?
You should know whether a Breach Coach is available from your provider—this may be offered by your insurance company, but depending on the breach, they may not be able to act quickly enough to mitigate or stop the damage.
Knowing Your Technology
This was a major point of the presentation as at least of few of these generally can’t be answered by dealers or their IT “departments.”
- Responsibility — What is your IT team responsible for? Do you know? Do they know?
- Process and Procedure — What are the processes in place? Are they sound? For example, what is your procedure for technology and equipment procurement? Is your IT department buying used laptops on eBay to save money?
- Inventory — What technologies and vendors are you using? Is there an inventory of all the software used? Are the vendors reliable?
- Opportunities — Are there reasonable opportunities to enhance security? This will vary by entity size, geographic locations, etc., but pick the low-hanging fruit for your organization.
- Trust but Verify — Make sure any new protocols or technology you acquire are tested and reviewed before implementation.
Network Security
The webinar covered several key considerations related to ensuring network security.
- Real-time attacker hunting/continuous monitoring — This is the preferred method of monitoring and keeping your network safe as it continuously goes through the logged network activity.
- Penetration Test — Required annually under FTC safeguards rules. There are different tiers to choose from, but the overall purpose is to gauge what someone outside your business can access with given information.
- Vulnerability Scan — Required semi-annually under FTC safeguards rules. This looks for anything on your network running old software, such as software that may no longer be supported or has security risks. Note: Don’t run ANY software that is no longer supported by the vendor. Windows 10, for example, is retiring in October 2025. Look to replace PCs now, as a lot of people will be looking to do it last minute, which will likely impact availability and timing.
- Running Day-to-Day IT Is a Different Skill Set than IT Security — One of major issues with penetration testing and security breaches is that there generally isn’t someone on staff that knows what to do with the information or how to shut down the breach. Your dealership likely needs to supplement internal IT function with outside security. Where possible, Erik recommended a cloud-based vs on-site network as the cloud providers are generally able to devote more resources and technological savvy in their security.
Account Security
The webinar concluded with recommendations to help keep your accounts secure.
- IT Software — Who at your business has access to IT software? Is access appropriately limited? Is the access list reviewed periodically?
- Passwords — Passwords need to be complex, secure, and changed regularly. Maintaining strong passwords at the C-suite level is probably most important—executives at your business should not be able to circumvent these requirements as they essentially hold the keys to the kingdom when it comes to their rights and privileges within DMS and banking relationships.
- Multi-Factor Authentication (MFA) — MFA is a good step in helping to secure access by requiring users to supply two or more pieces of evidence in order to authenticate their identity.
- Employee Training — Employee training is a MUST and should be conducted during orientation for new hires and recur at least annually thereafter for everyone in your organization. Quarterly phishing tests are a good way to gauge EE awareness.
Cybersecurity threats are constantly evolving. While implementing best practices is crucial, navigating compliance, technology, and insurance can be challenging. For further guidance on comprehensive protection tailored to your dealership, consult your financial services advisor.
Matthew Marcoullier is a director at ARB. He focuses primarily on financial accounting and consulting services for auto dealerships, commercial businesses, and closely-held businesses. Matt previously served as a Senior Auditor for the State of Maine Department of Audit.
