Vigilance crucial to keeping data secure

Dealerships have deployed more software tools in the past year to help consumers buy vehicles online.

Yet while technology makes it faster and easier to transmit customers' information as dealerships look to improve car buying, employees who use the technology are a potential weak link when it comes to securing that data, according to information technology consultants who work with dealerships.

And, they say, a surge in cyberattacks during the pandemic means it's as important as ever for dealerships to be vigilant about monitoring their systems and training employees to spot suspicious activity.

To keep from falling prey to scammers — and potentially having customers' information hacked and leaked — dealerships should invest in upgraded computer systems and devices, and create visibility into their networks so they can identify potential threats, several IT consultants told Automotive News.

In addition, dealerships should ask about third-party vendors' security practices and policies when vetting software products before signing a contract with a new provider.

The pandemic accelerated dealerships' adoption of technology to enable digital deals. Some larger groups, including public retailers, have developed their own software tools in-house, while other dealership groups sought out products from outside companies.

Jason Walling, who manages information technology for Honda of Kirkland and Honda Auto Center of Bellevue, both in Washington state, said how vendors approach data security is a major question dealerships need to ask — not just whether their products integrate with a dealership management system or how simple they are to use.

"Dealerships have the responsibility to maintain their equipment," he said. "They manage their users and their firewalls and do their phishing tests to make sure that everybody is acting within the confines of their security policies. But I think that dealerships are reliant upon those providers that are doing the digital retailing to say, 'Yeah, our information is secure.' "

Data security is a hot topic for dealerships as the prevalence of cybercrimes rises. Some dealership groups have been hit with ransomware attacks, in which a hacker locks down an organization's computer system in exchange for a ransom demand. Cybersecurity experts say those attacks are becoming more sophisticated.

On the regulatory front, California and other states have weighed data privacy laws, and the Federal Trade Commission continues to review proposed changes to the federal Safeguards Rule, which dictates how financial institutions — including dealerships — protect consumer data.

And that was before the coronavirus hit.

"We know that the pandemic has put the cybercriminals on overdrive," said Erik Nachbahr, president of dealership IT consultant Helion Technologies.

The FBI's Internet Crime Complaint Center reported a record 791,790 complaints about cybercrimes in 2020, up 69 percent from 2019.

More than 241,000 complaints last year were related to email phishing scams — an eightfold increase from more than 26,000 in 2018 — and nearly 2,500 complaints involved ransomware incidents.

"The thing that's really driving interest now [in security] is all of these attacks that they're seeing. They're seeing other dealers getting attacked," Nachbahr said of dealers. "Most of the sales activity that we've gotten over the last year has been driven by, 'Hey, we want to make sure that we're secure.' "

Vendors take that responsibility seriously, too, said David Hahn, chief information security officer at CDK Global Inc., which sells dealership management systems and other dealership software products.

Many applications now are cloud-enabled, which Hahn said makes it easier to manage security than hosting them on a physical server at the dealership.

Hahn said CDK also considers security on all of its tools during development and conducts tests to intentionally break into the system and find weak spots before the products are released.

Retailers should "ask lots of questions, as well as look for verification" of vendors, he said.

CDK, for instance, employs outside auditors to test the company's internal controls and provide independent reports that verify the processes.

Asbury Automotive Group, the nation's sixth-largest dealership group, requires third-party vendors provide independent reports verifying their data security protocols, and brings in outside consultants to test its own network for vulnerabilities, said CEO David Hult.

"We have significant money being spent on securing this data," Hult said. "And to this point, we have not had anyone be able to penetrate it. But again, as we sit here today, it's every month — month in, month out, there are thousands and thousands of people from all over the globe trying to hack in."

Asbury has launched its Clicklane omnichannel retailing tool, which is intended to offer a seamless vehicle-buying process whether the customer shops online, in the store or via some combination of the two. Barry Cohen, Asbury's vice president and chief information officer, said that vendors connected to Clicklane also are long-standing vendors of the company so Asbury is familiar with their data-security protocols.

Protecting a dealership network is like protecting a home, said Chris Wilkinson, a principal at consulting firm Crowe, which specializes in cybersecurity.

An IT department can lock the doors and windows and set up a hard-to-guess garage door passcode, Wilkinson said. But all of the work to fortify the house can be undone if a resident invites someone inside, such as by clicking a malicious link.

Dealerships often have vulnerabilities that hackers can exploit, from weak passwords to missing security patches to older computer systems no longer supported with security updates, said Tom Tollerton, managing director of cybersecurity and data privacy compliance at consulting firm DHG, which works with dealerships.

The past year provided opportunities for cybercriminals to trick users into inviting them in by sending phishing emails about engaging topics, such as the pandemic, the 2020 presidential election and, now, the rollout of COVID-19 vaccines, Wilkinson said. Dealerships can protect themselves by employing phishing tests, which train employees to identify and report suspicious emails, and penetration testing, a simulated cyberattack meant to expose weak spots.

Retailers can strengthen their internal processes, too, Walling said.

For instance, many customers will take a photo of their driver's license with their smartphone and send the image via email or text message. But because those are not the most secure transmission methods, Walling said his stores discourage customers from emailing personal identifiable information and instead offer an encrypted, secure form to upload the files.

When customers do send personal information via email, the dealership will call its customer relationship management system provider and ask for the file to be manually erased, Walling said. Simply deleting the email from an employee's inbox could send it to a recycle bin that could be accessed if an intruder gained entry to the employee's email account.

"I don't think customers think [about] what happens to that image when they get to the dealership," Walling said, "so it's up to us to make sure that we manage that appropriately."

Jackie Charniga contributed to this report.