By: Jim Cockey, Market Executive, Dealer Financial Services, Bank of America
Craig Froelich, Chief Information Security Officer, Bank of America
As the pandemic and remote work continues, this year again brings to focus the fast-growing threat of cyber attacks and the scale of damage they can do. Due to a perfect storm of factors, which include often operating with outdated IT systems, handling customer data and high-value transactions, and reliance on outside vendors, auto dealerships are particularly vulnerable.
The following explains some examples of threat vectors and cyber security best practices, which together can help auto dealers build a strong and holistic defense against cyber criminals.
Business Email Compromise
Business email compromise (BEC) relies on exploiting people’s impulsive actions and willingness to trust. The FBI reported that BEC losses to business in 2019 totaled $1.7 billion, up from $1.3 billion in 20181. To protect against BEC, auto dealers need to ensure that employees are familiar with the company’s cyber security policies and how to handle suspicious emails, including not opening links from an unknown sender’s email, carefully examining sender addresses and escalating the situation should they think they’ve been targeted.
Auto dealers should also invest in training to help employees ward off social engineering attacks, which use a person’s digital footprint and their online presence to scam unsuspecting individuals out of money or sensitive data. Best practices include keeping personal information off social or digital channels, regularly reviewing privacy settings and verifying any requests for payment or personal information — even if it seems to come from someone you know.
Trainings should also cover “vishing,” through which cyber criminals use tactics such as pretending to be a trusted source or robocalls with urgent messages, as well as “smishing,” a tactic that targets consumers via text message2. More in-depth training should be provided for employees most likely to be targeted, like CEOs, CFOs, finance departments, human resources and payroll staff.
Connecting On the Go
Wi-Fi is available nearly everywhere, and it’s tempting to connect to free Wi-Fi for faster data speeds. However, using public or unsecured Wi-Fi can expose private information to cyber criminals who employ malware or watch individuals’ keystrokes to uncover PINs and passwords. Once these criminals have access to your device, they can access confidential personal and business information or perpetrate identity theft.
Employees can protect themselves and company information by minimizing the amount of personal and sensitive data stored on devices and by using a virtual private network (VPN) connection when possible. Auto dealers should strongly discourage employees from using public Wi-Fi networks and disable remote and automatic connections to Wi-Fi or Bluetooth networks.
Protecting Home Networks
Wireless networks and connected devices are turning homes into digital hubs. Today, more employees are connecting work devices to their home networks, which can be more vulnerable to compromise, enabling cyber criminals to access both your personal and work data.
To minimize risks, employees should change the default network name and administrative password on their home routers and opt for names that don’t easily identify the employee or the company. Organizations should also encourage employees to use the strictest security settings and encryption on their router. It’s also critical that IT leaders keep antivirus and firewall software up to date on work devices and recommend that employees turn off routers if they are away from home for an extended period.
Managing Mobile Devices
Mobile devices are especially vulnerable to cyber threats because they are used in thousands of places. They make attractive targets because one phone, tablet or wearable device could help criminals access an employee’s financial, social and email accounts.
Auto dealers should instruct employees to lock mobile devices with a strong password of at least eight characters and use multifactor authentication if the device supports it. Anti-theft software can also locate mobile devices remotely if they are lost or stolen. Employees should only download apps from official app stores and alert IT immediately if they receive an unknown password reset alert.
Managing Third Parties
Enterprise connections to third-party suppliers are critical targets for cyber criminals. Utilizing common threat methods such as business email compromise, these criminals search for gaps within these supply chains in order to gain a foothold into their target’s operating processes. Auto dealers can minimize these risks by establishing strict contracts that require third parties to maintain tight security policies as well as developing key contact procedures to safeguard against criminals interfering with business processes. Effective third-party management should also extend to a company’s technology platforms. Once in place, these policies require continuous compliance monitoring and reporting, either through remote audits or automated, real-time inspections.
Awareness and comprehensive preparation are critical for auto dealers to mitigate the risks of cyber threats. While risks evolve, socialization and education of cyber security basics, both internally and with contracted third parties, can provide a strong layer of defense.
1Be Cyber Secure: Business Email Compromise, Bank of America 2020
2Be Cyber Secure: Business Email Compromise, Bank of America 2020
