Ninety percent of automotive retailers are getting serious about their dealership cybersecurity plans, yet they are still succumbing to data breaches at an alarming rate, according to a recent study by CDK Global, a leading automotive retail software provider. CDK’s third annual 2023 State of Cybersecurity in the Dealership Study unveiled that 17% of dealers experienced a cyberattack or incident in the past year despite 53% of respondents being confident in their current protection.
CDK Global’s comprehensive survey reveals a concerning trend: cybercriminals are evolving their methods to steal user and client data. Email phishing scams continue to rank the top threat for the third consecutive year, while lack of employee awareness claimed the second spot, rising from #4 in 2021 and #3 in 2022. Fake emails from trusted internal and external sources are posing substantial risks to auto retailers, including IT-related business interruptions, ransom demands, financial loss and damage to the dealership’s reputation.
“Cybercriminals are increasingly targeting auto retailers utilizing sophisticated methods meant to appear from secure and trusted sources. Unfortunately, human error can waylay the best-laid plans and put a dealership at serious risk,” said David LaGreca, senior vice president and general manager of IT Solutions at CDK Global. “Employee awareness training should play an integral role in a dealership’s plan to prevent potential cyber threats.”
Data theft and extortion has skyrocketed in the past four years, according to research findings from ransomware specialty company Coveware. The average cybercriminal financial payout dramatically increased from $44,000 in 2019 to $740,144 in 2023, with a 126% uptick from Q1 2023 alone. Dealers are left scrambling to secure customer information, resulting in an average 3.4 weeks in downtime and nearly a quarter of impacted auto retailers failing to retrieve the stolen data.
“Unfortunately, it is no longer a matter of ‘if’ but ‘when’ a cyber breach arises. Having the necessary preventative measures in place, along with a trusted partner to manage IT infrastructure, can help minimize a dealership’s impact when an attack does occur,” LaGreca added.
The State of Dealership Cybersecurity key findings from CDK Global Research and Insights research data also found:
Additional top threats included ransomware (#3), PC virus/malware (#4), theft of business data (#5), stolen/weak passwords (#6), and vehicle cyberattacks (#7).
32% of dealers experienced a cyberattack that resulted in information theft, affecting sales transaction data (56%), customer personally identifiable information (22%), and finance and insurance data (22%).
Of those that experienced a cyberattack, 46% resulted in a negative financial/operational impact that included employee downtime (69%), hardware/software replacement (46%), and damaged dealership reputation (31%).
Seventy-five percent of dealers who updated their security policies to meet the FTC’s June 2023 compliance deadline are already seeing vast improvements. The uptick was attributed to appointing a qualified individual to oversee and be accountable for the dealership’s cybersecurity (85%), along with implementing ongoing cybersecurity training for employees (73%). These measures, along with utilizing multifactor identification and establishing preventative and recovery plans ahead of cyberattacks, can minimize impact on a dealer’s IT network. Auto retailers are continuing to make the investments, CDK’s report shows, as over 50% of auto retailers will be increasing the cybersecurity budget and utilizing managed service providers for the remainder of 2023.
To view CDK’s Dealership Cybersecurity Report, visit State of Cybersecurity in the Dealership.
