Dealerships' cybersecurity plan targets vendors
Much of dealership group Zimbrick Inc.'s effective cybersecurity strategy comes down to vetting vendors.
"We are not necessarily the vendors' best friend in this world. We make sure that they can meet our security requirements or have some compensating controls in place before we'll sign up with that service," said Tom Zimbrick, CEO of Zimbrick Inc., a 15-store dealership group in Madison, Wis., and Milwaukee. "That helps us confidently grow the business because … we know the data is secure."
Zimbrick's stringent vendor standards are part of its broader effort to stay ahead of data security threats.
The strategy includes installing sophisticated firewalls, sending regular phishing email tests and limiting network access.
"We implement security not just to protect customer data; it's also to keep our systems running," said Ryan Horstmann, information technology director for the group. "It's the easiest way for us to keep our uptime as high as possible."
Said Tom Zimbrick: "Virtually everything we do today depends on our systems. And when our systems are down, it really harms the business substantially."
Some of Zimbrick's toughest battles are with providers of dealership management systems that don't meet security requirements, said Horstmann.
"It is a never-ending battle with all vendors. The DMS providers are really important to our business, so in my world, they get the most attention."
Usually, Zimbrick and its vendors come to an agreement that solves the concern, but the dealership group has to be persistent, Horstmann said.
In at least one case, a vendor rolled out a security standard developed for Zimbrick to all of its dealership clients using the Internet-facing product in question. Zimbrick declined to identify the company.
"We firmly believe that this is our data. We hold customer data in a sacred trust. We are very uncompromising in that way," Tom Zimbrick said.
Zimbrick, which sold 9,336 new vehicles and 7,855 used retail vehicles last year, has a three-person IT team, led by Horstmann, that oversees cybersecurity and other IT tasks. The dealership group also works with an outside firm that handles simpler IT issues. Horstmann was a software developer for a payroll and timekeeping company for 10 years before joining Zimbrick in 2007. Much of his responsibility in his previous role centered on protecting data.
Once a month, Zimbrick sends its employees a phishing email. The subject line may say something like "Donald Trump has a heart attack" or "One of your employees was behaving badly."
If employees click on the email link, open the attachment or enter their username and password when prompted, they will automatically be routed to a video on cybersecurity training.
"If there is going to be a breach or a break-in, it is most likely going to happen accidentally through an employee [when] a customer or an outside person sends a request [and] the employee forwards it, answers it, opens the message," said Tom Zimbrick. Phishing is the primary source of attack, he said.
The phishing tool, a Cofense product called PhishMe, creates awareness, added Horstmann. The videos are short and to the point, he said.
PhishMe costs about $8 per user per year, but "The real question is, how much does it cost if you don't have it?" said Tom Zimbrick.
"It's seemingly innocuous, yet interesting, yet makes the point that we're trying to stay focused here and don't open emails [if] you don't know where they came from," he said.
In February, about half of employees reported the email as phishing, while 35 percent deleted or ignored it, thus passing the test. About 15 percent clicked the link in the email.
Zimbrick built its systems with security in mind from the start and has a reliable backup system, said Horstmann. Since 2015, the group has run a firewall with 24/7 monitoring to block threats. Zimbrick's firewall is more cutting-edge than others, Horstmann said, because it identifies not only verified attacks but what could turn into one. For example, if the system recognizes that a website created within the last few days is trying to access the dealership, it won't trust it because it's too new.
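The "too new to trust" rule described above, written out as a small policy check over constructed proxy log lines. This is an added illustration, not Zimbrick's firewall or any vendor's code; the domain registration dates, the log lines, the 30-day threshold and the "review" verdict for domains with no registration data are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed registration dates for the domains in the sample log below
# (illustrative values, not real WHOIS data).
REGISTRATION_DATES = {
    "example-parts-supplier.com": datetime(2012, 3, 14),
    "login-verify-now.net": datetime(2018, 2, 26),
    "crm-vendor.example": datetime(2016, 9, 1),
}

# Constructed proxy log lines: timestamp, source host, destination hostname.
SAMPLE_LOG = """\
2018-03-01T09:12:03 pc-sales-07 example-parts-supplier.com
2018-03-01T09:12:45 pc-sales-07 login-verify-now.net
2018-03-01T09:13:10 pc-svc-02 mail.crm-vendor.example
2018-03-01T09:14:00 pc-svc-02 unknown-host.example
"""

MIN_AGE_DAYS = 30  # assumed threshold; the article does not state the number


def registrable_domain(host):
    """Reduce a hostname to its last two labels (simplified; no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def evaluate(line, reg_dates=REGISTRATION_DATES, min_age_days=MIN_AGE_DAYS):
    """Return (domain, verdict); verdict is 'allow', 'block' or 'review'."""
    ts_text, _source, host = line.split()
    seen = datetime.fromisoformat(ts_text)
    domain = registrable_domain(host)
    registered = reg_dates.get(domain)
    if registered is None:
        return domain, "review"  # no registration data: hand to an analyst (assumed policy)
    if seen - registered < timedelta(days=min_age_days):
        return domain, "block"   # registered too recently to be trusted, as the article describes
    return domain, "allow"


def evaluate_log(log=SAMPLE_LOG):
    """Apply the age rule to every non-empty line of the log."""
    return [evaluate(entry) for entry in log.splitlines() if entry.strip()]
```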
Zimbrick also has separate networks for customers and employees and requires two-step authentication for employees entering the network remotely.
The company has leadership meetings every month with general managers and other high-level staff. At those meetings, Horstmann "has a seat at the table," Tom Zimbrick said. "So we're all up to speed."
There was no single event that prompted Zimbrick's commitment to cybersecurity. The group was motivated by a fear of the unknown.
"Whether it's our business or someone else's business, we know the attacks are increasing. We know they're getting more sophisticated," Tom Zimbrick said. "We're just trying to get ahead of them."