It’s no secret that cyber attacks — especially ransomware attacks — are increasing across industries and organizations. Attack methods are evolving, and rapid digitization, along with the rise of cloud computing and a remote workforce, is creating new threat vectors and exposing new vulnerabilities.
One industry that has become a major target for attacks is the automotive industry. So much so that the Federal Trade Commission (FTC) has updated its Safeguards Rule, effective in December, with the intent of better protecting consumers’ financial and personal data—two data sets that auto dealerships have easy access to and often store within their networks.
The Growing Risk of Ransomware Attacks on Auto Dealerships
Before diving into the specifics of the risk for auto dealerships, and why both cyber criminals and the FTC are paying attention to them, it’s important to look at the trends across industries.
Every Industry Is Seeing a Rise in Cyber Attacks
The bad news is that hackers aren’t going away anytime soon. According to the 2022 Verizon Data Breach Investigations Report (DBIR), ransomware attacks increased by 13 percent year over year, a jump greater than the past five years combined. The biggest attack vector is credential theft, followed closely by phishing, which continues to find success against unsuspecting users. The average ransomware payment was up 8% in the first quarter of 2022 to $228,125 with an average organizational downtime of 24 days.
In addition, supply chain attacks accounted for 61% of security incidents this year. While not a traditional supply chain, auto dealerships are connected to banks, manufacturers, and other dealerships. According to data released by CDK Global, a single dealership may have its internal systems connected to 20 vendors. This interconnectivity creates risk.
Cyber criminals have been able to show, time and again, that not only do methods like social engineering work, but there is big money to be made in ransomware, and organizations like auto dealerships are finding themselves in the cross hairs.
Four Ways Auto Dealerships Are Vulnerable to Ransomware
1. Auto Dealerships Store Consumers’ Private Data
Auto dealerships have the data that threat actors want. Personally Identifiable Information (PII) goes for a pretty penny on the dark web. Not to mention that, since auto dealerships deal in financial transactions, there’s financial information up for grabs. Many dealerships keep financial data in their networks and have access to consumers’ banking information. Ransomware attacks can hold that valuable data for ransom or just steal it outright.
2. Dealerships Haven’t Invested in Cybersecurity
According to CDK Global, only 24% of organizations surveyed stated they increased their cybersecurity spending in the last year. That’s not enough, especially since 85% of dealerships stated threats are “very or extremely” important. Inaction is costing them more than proactive measures.
3. Less Than A Third of Dealership Employees Receive Security Awareness Training
Phishing is still as prominent (and successful) as ever, but organizations aren’t training their users how to spot these cyber threats. In the broad world of cyber attacks, 98% involve social engineering on some level. Users are the first line of defense against cyber threats, so it’s critical that they receive frequent, effective training. A lack of proactive education can be devastating if a user clicks on that suspicious email.
4. Attackers Understand Reputation Risk, and How to Use It to Their Advantage
Ransomware works because bad actors know organizations would rather pay the ransom than deal with the fallout of data theft or a complete system meltdown. It saves time, money, and reputation — a fact that is especially important to auto dealerships. According to CDK Global, 84% of consumers stated they would not return to a dealership if their data had been stolen. That’s a high reputational cost that dealerships would like to avoid.
How the FTC Safeguards Rule Can Prevent Ransomware Attacks
Considering these rising risks, the FTC acted to protect auto dealerships and consumers. The FTC Safeguards Rule was enacted in 2003 with the goal of keeping customer information secure.
The rule “sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.”
It applies to auto dealerships because, while not inherently a financial institution, they work with financial institutions and qualify as authorized users, aka “any employee, contractor, agent, customer, or other person that is authorized to access any of your information systems or data.” Because auto dealerships deal in credit transactions, they are subject to these rules.
What Is the New FTC Safeguards Rule?
The original rule was written before ransomware skyrocketed and digitization created new threat vectors. The update considers the changes in cybersecurity and cyber risks and applies new scrutiny to the rules. The changes include:
- Designating a qualified individual for overseeing, implementing, and enforcing an information security program or architecture
- Basing the information security architecture on a written risk assessment
- Implementing specific elements within that architecture including access controls, information encryption, multi-factor authentication, log activity monitoring, and annual penetration testing
- Drafting annual compliance reports
What these changes all have in common is that they consider the changing nature of cybersecurity and the common threat vectors that are exploited by cyber criminals. These changes overlap with best practices that organizations should employ to improve their cybersecurity posture and are also proactive tactics they can use to thwart threats like ransomware.
By taking these steps, auto dealerships are putting themselves in a more secure position. However, implementing these new rules is more complicated than understanding them. Auto dealerships have until December 9, 2022, to comply, which for many — including those that may have outdated cybersecurity systems, a lean IT team, or the lack of budget and talent to implement these changes — is not a lot of time.