The State of Dealership Cybersecurity

1. The state of cyber crime in 2020

Introduction

Many auto dealers fail to understand the gravity of this unfortunate truth: Dealerships are prime targets for cyber attacks.
Some view cybersecurity as just another expense, and that’s a big mistake. Cybersecurity is a critical business practice, and it will only become more vital for dealerships as cyber attacks become more common.

Cyber Crime at a Glance 2020

Ransomware is expected to attack a business every 11 seconds by the end of 2021. [1]

91% of successful data breaches start with an email phishing attack. [2]

71% of ransomware attacks targeted small and medium-size businesses in 2018. [3]

The average cost of a security breach is $3.92 million. [4]

The transportation sector was the second-most targeted industry in 2018. [5]

In 2019, the average data breach impacted 25,575 records. [6]

2. Why cyber criminals target dealerships

Think of all the data that’s collected and stored at your dealership.

The customer names, addresses, email addresses, and phone numbers in your CRM; the bank information and social security numbers collected by your finance and insurance departments; your employees’ usernames and passwords.

Your day-to-day operations require you to gather and store private information for thousands if not tens of thousands of customers and employees.

In other words, your dealership is a data goldmine for cyber criminals. And sometimes, all it takes to gain access to this data is a simple email phishing attack. Why wouldn’t you be a target?

So who’s behind these attacks? When you imagine a cyber attack, do you think of a teenager hacking into someone’s server out of boredom? If so, you’re grossly underestimating today’s cyber criminals.

The truth is, you’re up against some tough characters. The people who want to exploit your data security weaknesses are much more sophisticated than you might think.

Most “hackers” today are employees of large multinational crime organizations, some of which are state-sponsored. Around the world, smart and tech-savvy people are being lured by the promise of huge salaries.

Entry-level cybercriminals make about $40,000 per year (which is an excellent salary in many countries). But the real payoff comes with experience, with seasoned cybercriminals raking in $1-2 million per year.

In most cases, dealerships aren’t doing nearly enough to protect themselves.

Rather than spending the necessary resources to expand their security controls and policies, many dealers just ignore the problem or cross their fingers. They still see cybersecurity as an expense to be controlled, and that means they’re leaving their businesses vulnerable to cyber attacks.

3. How cybersecurity can affect dealer reputation

When your dealership is left open to a data breach, there’s obviously time and money at stake — it takes resources to respond to and recover from a cyber attack.

But you’re also risking something else: your reputation.

Most dealerships sell the same vehicles at similar price points, so when consumers need to choose between dealerships, reputation is one of the only differentiators.

And if you think customers don’t care about a data breach, think again: 84% of consumers say that they would not purchase another car from a dealership whose data has been compromised.

If your dealership were to experience a data breach, word would get out fast. Between online reviews and social media, customers can communicate with one another quicker than ever. Your reputation could take a huge hit.

This means that just one data breach could sink your dealership.

Here’s just how important reputation is for dealerships:

59% of consumers use reputation to select a dealership. [7]

84% of consumers say that they would not purchase another car from a dealership whose data has been compromised. [8]

77% of consumers find negative reviews either somewhat or very useful to their car shopping research. [9]

A cyber attack isn’t just a momentary crisis that goes away once resolved. It’s an event that could potentially devastate your bottom line for years.

4. Dealer data privacy and compliance

We’ve talked about time, money, and reputation, but there’s another thing at stake in the event of a cyber attack.

Due to new data privacy legislation, a data breach could lead to legal trouble, including fines and/or lawsuits.

Laws such as the CCPA in California, the SHIELD Act in New York, and the Data Protection Act in Ohio have already been passed, and there’s also a federal consumer data privacy act in the works.

Luckily, many of these dealership privacy laws require similar things, including baseline cybersecurity controls. By implementing these controls now, you can be prepared for new and evolving regulations.

Over 150 consumer data privacy bills were introduced in U.S. state legislatures across at least 25 states in 2019 alone. More bills are expected in 2020.

Source: National Conference of State Legislatures

5. Map of data privacy regulations

U.S. data privacy regulations

*Map updated February 2020

[Map: U.S. data privacy regulations. Labelled states: Oregon, Colorado, Nebraska, Louisiana, Illinois, New York, California, Texas, Ohio, Hawaii. Federal: Federal Online Privacy Act.]
6. Dealer IT best practices: How to prepare for cyber attacks

The only way to mitigate the risk of a data breach, protect your reputation, and stay compliant with data privacy laws is to implement dealership security best practices.

For the most foundational items, you can start with a DIY approach: training your personnel, securing your network, and following best practices for digital marketing.

However, to truly ensure that you’re as protected as possible, you’ll need an expert on board — and no, your internal IT manager doesn’t count. Most dealers make the mistake of assigning responsibility for IT security to someone who is neither professionally trained nor certified in cybersecurity.

Only 30% of dealers employ a network engineer with computer security certifications or training.
Only 25% hire a third-party vendor to test their network for vulnerabilities.
More than 70% of dealers are not up to date on their anti-virus software.

Remember, just one data breach could sink your dealership, so trusting a non-expert to defend your organization’s systems and data from today’s sophisticated cyber criminals is unnecessarily risky.

Defining and implementing IT security best practices for dealers takes an expert — that means a team with deep expertise in both data security and the business of selling and servicing cars and trucks.

7. About Helion

For more than two decades, Helion has been working exclusively with auto and truck dealers to optimize their IT performance and secure their systems and data. Today, Helion is the largest dealer-focused IT service provider in the country.

With Certified Information System Security Professionals (CISSPs) and Certified Information System Security Auditors (CISSAs) on our team, Helion addresses complex cybersecurity challenges and protects IT infrastructure at dealerships nationwide.

Helion’s President & Founder Erik Nachbahr has surveyed the technology infrastructure of more than 1000 dealerships, assessing cybersecurity and data privacy compliance in the context of everyday dealership operations.

Our team’s IT expertise and comprehensive understanding of the business make Helion the ultimate resource for dealer IT.

Is your dealership secure?

Contact Helion for an IT risk assessment.