Auto dealers – like many other businesses – are facing a serious problem when it comes to cybersecurity. They’re drowning in “security debt,” which means they have a multitude of unaddressed technical vulnerabilities that need to be addressed to protect their dealership from a cyberattack.  These unaddressed security vulnerabilities include things like unpatched software, unmanaged devices, obsolete hardware, and insecure network protocols.

The issue of security debt is becoming more and more prevalent due to the lack of qualified technical resources, and the speed at which technology changes and cyber threats evolve.  Dealers simply don’t have the resources they need to proactively stay on top of their dealership’s technical vulnerabilities.   In fact, according to the 2023 Global Cyber Confidence Index, 77% of IT decision-makers say that outdated cybersecurity practices were to blame for at least half of the incidents they experienced.  Virtually all (98%) of those surveyed believe that they’re running at least one insecure network protocol.

Businesses find that they are overburdened with the lack of qualified technical cybersecurity and IT expertise.  This is why the FTC pushed the deadline for complying with the new Safeguards Rule from December 2022 to June 2023.  Because of the lack of experienced technical resources, dealerships often deprioritize basic cybersecurity necessities.

The risk of a ransomware attack is inversely proportional to a dealership’s level of cybersecurity debt.  The inability of a dealership to effectively manage their security debt will result in downtime, financial losses, reputational damage, and legal liabilities.  These costs significantly outweigh the costs associated with securing the resources needed to proactively address security debt.  Taking a reactive approach and waiting for an attack and then addressing the technical vulnerabilities your dealership has is a mistake.