Cybersecurity Best Practices for Car Dealerships

Cybersecurity Best Practices for Car Dealerships Post-CDK Global Attacks

Every business needs to be on high alert regarding cyberattacks. Much of the data businesses generate, store, transmit, and use includes valuable PII (personally identifiable information), and hackers are eager to obtain it. No matter the size of your business, your infrastructure, or the cybersecurity best practices in place, you are at risk. 

Attack numbers are rising in the industry. According to an automotive cybersecurity report, known cybersecurity incidents reached 295 in 2023, an average of 25 per month. The attack types that grew the most were those that impacted thousands of assets.

Being cyber secure is an evolving process, but the industry can learn from past attacks. You can use these insights as a guide to improving car dealership cybersecurity.

Strengthening Car Dealerships’ Cybersecurity After the CDK Attack

Cybersecurity impacts every industry. Dealerships are no exception, but with the CDK Global incident and its effects, it’s now front and center. 

In the case of CDK, hackers breached their network and launched a ransomware attack. They seized control of the entire platform, causing dealership-wide disruption to sales and service operations, inventory management, loan processing, and even accounting. 

Even though the attack disrupted one application, the result was catastrophic. Over 15,000 dealerships experienced some fallout. Systems were offline, and sales could not be completed. They had to resort to manual processes to track vehicle inventory, record sales, and manage customer information. Hackers don’t have to infiltrate your network to cause damage. They can go through your vendors to get to you. 

Prior to the CDK attack, dealerships may not have been aware of their vulnerability. It was a wake-up call to the industry and has implications regarding the FTC (Federal Trade Commission) Safeguards Rule.

The FTC Safeguards Rule requires financial institutions to develop, implement, and maintain an information security program. They must also adhere to reporting requirements and notify the FTC about security incidents that involve unauthorized access to the information of at least 500 consumers.

It applies to dealerships because of an amendment that included non-banking institutions, with car dealerships classified as such. 

The security program must enable safeguards in the digital and physical world to protect PII. Failure to comply can lead to fines of up to $10,000 per violation. The FTC can also take legal action. A non-compliance complaint would also be public, which can result in reputational harm.

Understanding the CDK Global Cyberattack: Lessons for Dealerships

The cyberattack on car dealerships did deliver some critical lessons. Since this incident was high-profile and disruptive, there is a new awareness of cybersecurity.   

The most important takeaways from the CDK cyberattack include:

The Need to Address Outdated Systems

Legacy systems don’t have modern security controls, and many dealerships are still on old versions of software. Without full-time IT staff, many dealerships may still be using pre-Windows systems, which is extremely risky because they lack encryption, are vulnerable to unauthorized access, and serve as “easy” targets for hackers.

Managing Vendor Cybersecurity Risk

 

In the CDK attack, dealerships weren’t the target but felt the impact. Supply chain attacks have become a favorite approach for cybercriminals. They can affect many more systems and breach more PII. Forgoing due diligence in selecting software providers heightens your risk.

Dealers may not be able to prevent a third-party vendor from getting hacked, but they’re still responsible for their data, even if it’s managed by someone else. Plus, the law requires dealerships to assess the impact of any vendor breach to understand the extent of the damage and take appropriate action.

Lack of Proactive Cybersecurity Best Practices

Another lesson to consider is the effect of not employing proactive cybersecurity best practices. Techniques like penetration testing and vulnerability assessments aren’t always a priority or may seem unnecessary to smaller businesses. They can be the difference between being cyber secure and becoming an attack victim.

In our recent cybersecurity survey, only 42% of dealers feel prepared to manage a cybersecurity breach. It’s a clear signal that dealers lack the knowledge or urgency to protect against vulnerabilities. 

Why Cybersecurity Is Critical for Car Dealerships

The CDK incident wasn’t the first ransomware attack to make headlines in the auto industry. Honda, Toyota, and Nissan have all been on the receiving end of this dangerous type of malware. The goal of ransomware is to extort money for the “safe” return of data and access to applications.

Ransomware has been steadily rising. An analysis of ransomware in the automotive industry revealed that from 2021 to the first half of 2024, the estimated damage was $920 billion.

In the case of CDK, the supply chain attack rendered its users unable to access platforms. Car dealership cybersecurity is about protecting your business and customer data. Cyberattacks can derail your business, leaving you unable to operate, cost you thousands of dollars, and impact your reputation. And if hackers steal customer data, you will likely have to report this for compliance reasons. The last thing dealers want is to have the FTC breathing down their necks.

Malware and Ransomware

Malware infects software, allowing cybercriminals to gain control. It’s the next step after infiltration. They can use malware to steal the data outright or encrypt it. When they choose the latter, it becomes a ransomware incident.

The risk is not limited to vendors. Dealerships themselves can be prone to direct attack because of the large amounts of valuable PII they handle, their operational complexity (including heavy reliance on digital systems), inconsistent or unsophisticated cybersecurity practices, and financial pressure to quickly resolve the attack.

To protect against a direct attack, network and data protection cybersecurity best practices include:  

  • Ensuring that all dealership networks are protected by robust firewalls to block unauthorized access.
  • Separating different parts of the dealership’s network, such as sales, service, and financial systems, to minimize lateral movement in case of a breach.
  • Deploying intrusion detection and prevention systems (IDS/IPS) to monitor, detect, and block malicious traffic.
  • Ensuring that all computers and mobile devices have up-to-date antivirus and anti-malware software.
  • Encrypting sensitive customer data both at rest (in databases) and in transit (over the internet). This includes financial records, PII (Personally Identifiable Information), and customer vehicle information.
  • Regularly backing up critical data, ensuring that backups are stored securely offsite or in a cloud environment and are tested periodically for integrity and restoration.

Other cybersecurity best practices to protect against this threat include:

  • Running penetration tests and vulnerability scans to identify weaknesses.
  • Regularly updating all software, including dealership management systems (DMS), CRM systems, and any other platforms, to ensure vulnerabilities are patched in a timely manner.
  • Applying a Zero Trust model, which requires every access request to be authorized, authenticated, and encrypted.

The threats won’t dissipate, and for smaller dealerships, the threats are especially real. Hackers find small businesses more fertile for attacks. According to a small business cybersecurity report, 41% of companies in this category experienced a cyberattack in the past year. 

Other Common Cyber Threats Facing Car Dealerships Today

The CDK Global attack was related to ransomware, which is a type of malware that locks and encrypts data. Like any malware, it’s a threat, but it’s not the cause of the breach.

Network infiltration most often results from phishing, which can cause users to click links or download attachments that carry malware. Another way hackers get into networks is through unsecured endpoints. An example would be employees working remotely using an unsecured internet connection.

Let’s review each threat type and how to protect against it with automotive cybersecurity best practices. 

1. Phishing

Research suggests that 36% of dealership data breaches are the result of phishing. Phishing has been a constant attack method for hackers, who’ve become more sophisticated at it. 

Phishing attacks aim to trick employees into revealing sensitive information, such as passwords, financial details, or customer data, or into clicking malicious links that introduce malware or ransomware into the dealership’s network.

The once common signs of a phishing email—bad grammar, errors, and extreme urgency—are no longer so obvious. Social engineering and spoofing have replaced them. In social engineering, those receiving an email or text may be expecting it, so it seems authentic. 

Hackers search social media profiles and other public information to create a better phishing hook. Unsuspecting recipients click a link or download a file. That’s how malware gets its foothold.

Key ways to prevent successful phishes include:

  • Conducting regular employee training and phishing simulations to test and improve employee awareness of email-based threats.
  • Implementing multi-factor authentication (MFA) to ensure that even if an employee’s credentials are stolen, the attacker cannot easily access systems.
  • Using advanced email filtering and anti-phishing tools to block known phishing emails and flag suspicious ones.
  • Implementing email authentication methods to verify the source of a message. This protects against domain spoofing, which hackers use to impersonate an employee.
  • Using role-based access control (RBAC) to ensure that employees only have access to the systems and data they need. This limits the impact of a successful phishing attack.
  • Running browser isolation, which can prevent malware attachments from being delivered.
  • Enabling a secure web gateway (SWG) to inspect data and network traffic for known malware.

2. Data Breaches

According to our Q3 2024 Cybersecurity Survey, a data breach is the top cybersecurity concern for 58% of dealers, driven by potential financial damages and reputational risk. Additionally, 96% of dealers now prioritize PII protection when selecting vendor partners, demonstrating a higher awareness of this threat.

An automotive cybersecurity expert noted that data breaches often occur because of lax information hygiene. Failure to protect customer data enables hackers to seize it, and it impacts consumers considerably. The fallout does damage to a business’s reputation and often requires an extension of credit monitoring services for victims.

Preventing data breaches begins with cutting off the root cause, such as phishing or endpoint exposure. Other cybersecurity best practices to adopt include:

  • Conducting regular penetration tests and vulnerability scans to identify weaknesses and fix them before hackers exploit them.
  • Enforcing strong password policies, requiring complex passwords and regular changes.
  • Implementing role-based access control to ensure that employees only have access to the systems and data necessary for their job roles.
  • Ensuring multi-factor authentication (MFA) for all systems that require access to sensitive customer and financial data.
  • Creating rules about the use of technology outside the dealership, such as using VPNs (virtual private networks).
  • Ensuring that mobile devices, laptops, and other portable equipment used by employees are encrypted and can be remotely wiped in the event they are lost or stolen.
  • Auditing data use and exchange.

3. Insider Threats

Sometimes, the threat is inside your organization. Employees, contractors, or vendors with access to your systems could knowingly or unknowingly harm your network. 

A malicious insider could intentionally misuse access to “punish” an employer in retaliation. They may want to seize PII for financial benefit or simply damage the dealership’s brand.

There are also negligent insiders who fall for phishing attacks or don’t secure their access.

A culture of cybersecurity with training and education can minimize the threat from negligent insiders. To counter a malicious attack, identity and access management (IAM) provides more rigid controls around access. 

The principle of least privilege (PoLP) limits what the user can access, restricting it to only the data or applications necessary for job functions.

4. DDoS Attacks

A distributed denial-of-service (DDoS) attack poses a threat to car dealership cybersecurity. Cybercriminals “flood” servers with internet traffic, which prevents actual users from connecting to their web-based applications.

Methods to thwart a DDoS attack focus on network and traffic insights. Reducing your attack surface can decrease DDoS threats. A content distribution network (CDN) or load access control lists (ACLs) help control the traffic to your applications.

Monitoring your network should also help you identify abnormal traffic. Deploying sophisticated web application firewalls (WAFs) adds another layer. They can more precisely distinguish good traffic from irregular traffic disguised as good traffic.

Achieving Cybersecurity Best Practices with a Risk Management Plan

Once you have a full scope of threats and how to mitigate them, you can form a cybersecurity risk management plan. 

Developing one also outlines your response should a dealership cyberattack occur. Make sure it includes these fundamentals.

 


Business Continuity Planning 

This document outlines your response should a cyberattack occur. It defines contingencies, dependencies, and roles. Develop one and update it regularly. Redundancy and backups are also part of business continuity. 

If you aren’t regularly backing up all your data and applications, start now. It may be what saves you should a ransomware incident occur. Redundancy means this data lives in a completely different network.

Another way to ensure business continuity is not relying on a single sales and finance platform. In our cybersecurity study, 76% of dealers said they were less willing to do so, which safeguards against a single system failure. 

Ensuring Systems Are Always on the Latest Version

Software without the latest patches and updates poses a risk. Ideally, these platforms are cloud-based and vendor-supported. The software developers should push updates without the need for interaction.

One area of concern is legacy systems. Outdated and unsupported software can be exploited. It’s a good idea to decommission these applications in favor of those with modern architecture and security built in. 

Formal Vetting of Vendor Software Providers

Dealership technology has expanded, but you can keep it simple by consolidating systems and creating one ecosystem for efficiency. It’s essential to be concerned about each dealership’s security infrastructure. 

When evaluating software, the features and functionality are essential considerations. How they support security is just as crucial. Technology can deliver automation and better processes, leading to more revenue. It must be part of the modern dealership, but you should be confident it won’t become an Achilles heel later. 

When assessing options for platforms that will use PII, like auto finance software, these questions can be good for vetting purposes:

  • Are specific clauses about data protection and cybersecurity requirements in the vendor’s contract?
  • Do your vendor contracts include an obligation to comply with your data protection standards?
  • Are your platform providers and third-party vendors expected to provide your dealership with information security protection assessments regularly?
  • How often do you review and update your contracts regarding data security with third-party vendors?

Additionally, you should audit the cybersecurity practices of third-party vendors with access to your systems and platforms. Make sure they are still compliant with all applicable laws and rules. Also, ask them about their internal proactive cybersecurity best practices, such as pen testing and vulnerability scanning. 

The Importance of Regular Cybersecurity Audits

Internal audits that scan for anomalies or unknown traffic should be constant. You also need to partner with cyber firms for regular vulnerability assessments and pen tests. Trust the experts to conduct these. They’ll be more helpful in closing security gaps than simply scanning on your own.

Training Your Team on Cybersecurity Awareness

Providing regular training for employees is your first defense against dealership cyberattacks. When employees know how to spot hacking attempts, most commonly phishing, they are less likely to make that errant click or divulge login information. Make cybersecurity part of your culture and not a box to check. 

Your pen testing firm may be able to provide resources. Otherwise, you can invest in on-demand required learning via reputable companies like KnowBe4.

Choosing the Right Security Software and Tools

A wide range of software and tools support car dealership cybersecurity. You can keep this relatively simple, and you don’t have to be a tech expert. Start with these fundamentals:

  • Antivirus software: It can detect, prevent, and remove malware.
  • Firewalls: These are the barriers between your digital world and the rest of the internet.
  • Intrusion prevention systems (IPS): These tools monitor networks and systems for suspicious or unauthorized activity.
  • Encryption software: This protects customer data by converting it into a code. 

Car Dealership Cybersecurity Threats Persist, But So Can Your Vigilance

The CDK attack was an eye-opener to dealerships. It was a clear reminder of the target the industry has on its back because of its access to PII. It’s impossible to avert all risks, but a proactive stance against threats and creating a cybersecurity risk management plan offers protections across your entire digital footprint.

About The Author
Pete brings 40+ years of experience in automotive finance and technology as Founder and CEO of eLEND Solutions™, an automotive FinTech company providing a middleware solution designed to power transactional digital retailing buying experiences. The platform specializes in hybrid credit report, identity verification, and ‘pre-desking’ solutions, accelerating end-to-end purchase experiences - helping dealers sell more cars! Faster! 
