When it comes to cybercrime, it’s important to realize that this threat has the potential to not only damage your ability to generate revenue but also to punch a gaping hole in your dealership’s reputation.  Remember, when it comes to buying cars, 84% of those surveyed said that they would NOT buy from a dealership that’s been hacked.

Most cybersecurity experts suggest that all businesses should assume that they WILL be attacked.  Therefore, it’s in a dealership’s best interest to plan accordingly to mitigate their risk – and potential impact – of a cyberattack.  This is where an incident response plan comes into play.

An incident response plan lays out the roles and responsibilities of your cybersecurity/IT team when an attack is detected.  It also defines the tools for monitoring and managing an attack and the specific steps taken to address a cybersecurity incident.  Additionally, it describes how the incident will be investigated and communicated to both internal and external stakeholders.  An incident response plan is critical to an organization’s ability to detect and respond to a cyberattack swiftly.  A dealership’s ability to quickly identify and stop an attack is the key to minimizing the impact the attack will have on a dealership’s data, revenue, and reputation.

An incident response plan is typically setup to address 6 phases of a cyberattack:

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

Phase 1:  Preparation

In the preparation phase you should ensure that all employees have received some basic cybersecurity awareness training.  In addition, those responsible for dealing with a cyberattack should be trained on how to effectively handle an attack.  Training isn’t a once and done type of thing.  This phase of your plan should discuss how training will be maintained in an ongoing manner since the cybersecurity threat is constantly evolving.

The preparation phase should also identify all critical assets within the organization and the procedures for ensuring that these assets are protected from an attack.  This is where an IT risk assessment can come in handy.

Phase 2:  Identification

This phase is all about identifying if you’ve been attacked.  You want to define the people, processes, and systems that will be able to answer key questions like:

• When did the attack occur?
• How was it discovered?
• What areas have been impacted?
• How has it affected dealership operations?
• Has the point of entry for the attack been identified?
• What is the depth of the compromise?

Critical to this phase is the use of tools like Security Information Event Management (SIEM) and Advanced Endpoint Threat Protection.  Tools like these make it much easier to understand the source and depth of an attack and how to contain it.

Phase 3:  Containment

In the containment phase, the focus is on how to stop the attack as quickly as possible.  You should be able to answer questions like:

• Has all malware been quarantined?
• What sort of backups are in place?
• Have all access credentials been reviewed, hardened, and changed?
• Have all security patches and updates been applied?
• What short-term actions need to be taken immediately?
• What is the long-term plan for dealing with the effects of the attack?

Phase 4:  Eradication

Here, your plan needs to address the removal and remediation of the damage discovered in the identification phase.  This involves discussing the restoration of systems from backup and the re-imaging of workstations.

In this phase, it’s essential that the eradication of the cyber infection be performed by trained professionals.  Often, organizations are quick to delete, restore and re-image before fully understanding how the cybercriminal penetrated the organization.  This then prevents the organization from ensuring that the same type of attack doesn’t happen again.

Phase 5:  Recovery

This phase of the incident response plan focuses on the testing, monitoring and verification of the affected systems and returning these systems back to normal.

Phase 6:  Lessons Learned   

It’s this phase of the plan that is probably the most important.  This phase makes it possible to continuously improve your cybersecurity posture.  It helps you to answer questions like:

• How can we better train our employees?
• What changes to our cybersecurity are needed?
• What weakness did the attack exploit?
• How can we detect an attack earlier and contain it quicker?
• What can be done to prevent this type of attack from happening again?

Keep in mind that an incident response plan should be routinely tested.  You should go through mock cyberattacks and then analyze the performance of your incident response plan.  By developing a plan and regularly testing it, you will keep your dealership’s money, data, and reputation safe.