In this episode of the All Ears podcast, Emma Hancock and guest Donna Hart, Executive Director and Chief Information Security Officer at Ally Financial, discuss the pressing issue of cybersecurity in the auto industry. They highlight vulnerabilities, share IT tips, emphasize the importance of staff training, and provide insights into evolving security threats.
Ally All Ears Podcast: Protecting your dealerships against cyber-attacks
Advertisement: With nearly 5,000 specialists dedicated to supporting dealer financial services, Ally has the expertise to help you with your retail finance, F&I, and remarketing needs. We're all better off with an ally. Contact your local Ally account executive to get started today. Ally. Do it right.
Emma Hancock: Hi everyone and welcome back to the All Ears podcast. I'm Emma Hancock, host and strategist at Automotive News. This podcast is sponsored by Ally Financial and produced by the Automotive News Content Studio. In each episode, we explore topics that are important to leaders in automotive retailing. Our guests include experts in their field from Ally, plus dealers from around the country, and we cover tips and explore insights that can help dealerships successfully navigate the transformational changes taking place in our industry. So, on that note, let's get into our topic for today. We're going to be talking about cybersecurity. And it's no secret that cyberattackers target the auto industry. It’s fertile ground for cyberattackers. Dealerships collect, process and store vast amounts of customer data, everything from credit apps to Social Security numbers to bank account information. Even the dealerships' own bank accounts and vendor accounts are at risk of being subjected to cyber invasions and fraud. All of this has put dealers in a position where they have no choice but to spend and invest heavily to ensure the safety and security of their business. Not only does a security breach cause potential harm to dealers and their customers, 84 percent of customers say they would not buy another vehicle from a dealership if a breach compromised their data. So, for a dealer, it's about protecting the business in real time as well as in the future. Our guest today is Donna Hart, executive director and chief information security officer at Ally Financial. Welcome, Donna. Thanks for being here.
Donna Hart: Thanks for having me, Emma.
Emma Hancock: Great to have you here. So, Donna, dealerships are suffering security breaches through many access points, from their IT infrastructure to the computer-based diagnostic tools in their service departments. What are some ways that data breaches can occur at dealerships?
Donna Hart: Security breaches – and data breaches in particular – kind of really occur in multiple ways. Threat actors – that's what we call activists trying to get into your systems – can exploit those weaknesses to gain access before moving into your network and stealing your customer or your company data. Weak points continue to be vulnerabilities in your systems, your processes and specifically your people. 74 percent of all breaches include that human element, with people being involved either in an error, privileged misuse, use of stolen credentials or social engineering. But one of our biggest weaknesses remains our people. The human factor is the most common access point. Threat actors can capitalize on those weak employee passwords, leak credentials at entry points. A large majority of successful compromises continue to occur with the result of social engineering and something we call ‘phishing,’ which is the ability to try to get you to click on something – to get you to bite. It only really takes one person clicking on a malicious link to gain access to your system. I continue to tell folks it’s like opening your front door and allowing someone to come in unfettered and you don't know who they are. It's the same with clicking on a link in an email. Some of the things we think about is about 46 percent of known attacks happen with stolen credentials, clicking on that link or phishing and exploiting vulnerabilities. They can also access that dealership data through trusted relationships with third parties. How your dealership allows access to people who are in your dealership, how they have access to your data and your information is really how they are able to get multiple pieces of your customer or employee data.
Emma Hancock: We're learning more about cyber hygiene and cybersecurity hygiene. What are some IT tips for dealerships to be aware of?
Donna Hart: That's a great question. I always tell everybody defense in depth. It's like security in your own home or physical security at your dealership. You never rely on a single control. You don't have a lock just on your front door. You have a gate to your dealership. You may have access to certain aspects of the dealership you wouldn't want the customer to come into. The same should be with how you think about your IT systems. You really want to maintain that operating system of your PCs and any servers you maintain yourself. Don't ignore that system update either from Apple or from Microsoft. If it says you need to update, update as quickly as possible because they're trying to protect you. You also really need to think about who you give access to what. It's the same as physical security. You don't want to allow someone to have access to an administrator portion of your systems when really, they're a service manager and they really just need access to certain aspects of your systems. Don't give elevated access or don't give them access to privileged areas. The same goes with how you allow them to get to your websites. Many of your systems, either you've outsourced your technology, or you run it yourself. You really need to make sure that you don't allow your user population within your company to gain access to all websites. The web has a dark side. We know about it. Just really make sure that they should only get to business-critical functions and always think about that inventory of your systems – know where you’re keeping the data. Don’t have data everywhere. Try to centralize your data and make sure that you’re really watching those crown jewels and you’re thinking about how you stop data loss. Also, I’m a big fan of cyber insurance. There continues to be debate in this area, understanding that smaller dealers have smaller budgets. But it doesn’t mean that they shouldn’t think about cyber insurance.
There should be a smaller premium and we do offer a cyber coverage as part of our garage program, which is something we think about in broad terms around insurance coverage of dealers and how they think about their overall insurance needs, from building and commercial properties to workman's comp. We also include cyber insurance in that. And last, but definitely not least, is educational awareness. Really train your staff about not opening attachments or clicking on links that they weren't expecting – even from trusted sources. Now we're finding that you really can't always trust your neighbor – that they’ve sent or thought about security in the same way you did. We perform regular phishing assessments to our employees, and I do recommend you do the same, just to teach them to always be aware and thinking about what they're getting.
Emma Hancock: I love how you framed it up, just at the beginning there, about how to look at those levels of security, even just using your home as an example and just understanding the access points and who you're giving access to. I think just starting with those basics is really, really smart. What are some of the top security threats for dealerships right now? Because I'm sure it's always evolving.
Donna Hart: It's funny – many companies have a lot of things they would rather not get out into the Internet or what we refer to as that open space that never forgets. But customers, customer data, employee data and company information are just so important, and that really centers around data breaches themselves. They really think about how the company and their customer data needs to remain private. Response and recovery to any exposures around data losses is really important to a dealership or any company because if you lose your customers’ trust and you lose their data, you're going to have brand issues. You're going to think about financial loss. There could be legal difficulties associated with privacy issues and really about the reputation as a whole. Those data breaches should be handled and thought about extremely carefully and handled in a quick and powerful way. The next thing I think about is ransomware. We hear a lot about ransomware in the public. The big one you probably all are going to know is Colonial Pipeline. This is where a breach was able to come into their systems, shut down certain aspects of their systems via something called ransomware. This is the ability to stop functioning of your IT systems – make them so that you can't get to them, and they ask you to pay a ransom before giving you access or the key to do so. These are really important to think about how you manage and protect those systems, so they're always up and performing what you need them for your customers and yourselves. And last but not least is considering that insider threat. Employees and previous employees remain a top security threat for organizations across all sectors, really including the automotive industry. This threat can cause substantial harm to dealerships and how they think about insider access, proximity to critical data.
That goes back to that defense in depth – having the ability, when employees leave, that you delete their access to all systems, both physical and technical, as well as making sure that people don't have an overabundance of access. Because even the most secure companies and dealerships are going to have challenges that are faced when insider threats become a concern.
Emma Hancock: I think with threats, something that is important to remember is that they're not always intentional. And you were sort of touching on this when you talked about training. Many cyberattacks happen innocently, something as simple as an employee opening the wrong email. What kind of training can dealers implement to ensure that all staff understand the risks?
Donna Hart: I think it comes down to effective and continuous education and awareness. Companies really should incorporate frequent engaging training aimed at teaching staff about what phishing emails look like, social engineering, fake websites and any form of deception technologies that targeting them might look like. Education shouldn't be limited to just quarterly computer-based training. Companies should incorporate training exercises that simulate real phishing emails. At the end of the day, employees who are most aware of phishing threats and consequences are least likely to click on the wrong link. 21 percent of users don't know that an email can appear from someone other than the actual sender. 33 percent of people took a risky action by clicking on links or downloading malware when faced with phishing attacks. That's one-third of your population. 44 percent of people think email is safe when it contains familiar branding. It's important to recognize that you should assume most email coming to you from the outside isn't safe and you should always be on the lookout. And then 63 percent of users don't know that an email link might not match the website it's going to. And you really need to make sure that the address you’re clicking on is the address you intend to go to.
Emma Hancock: It's clear how easy it can happen and how good the cyberattackers have gotten. Well, Donna, you've really given us so much useful information about cybersecurity awareness tips. That was fantastic. Bringing us up to speed on cyber hygiene, some of the big threats to watch out for right now and training so that staff are all aware of these threats. It feels like you can never be trained enough. So, I want to thank you for your great insights.
Donna Hart: Thank you. Thanks for having me, Emma.
Emma Hancock: That is it for this episode of the All Ears podcast. I hope everyone found this helpful. I certainly did. On behalf of Ally Financial and the Automotive News Content Studio, thanks for listening and bye for now.
Advertisement: For over 100 years, Ally has helped dealers like you serve your customers by providing the best-in-class products and services you need. And by remaining true to the automotive passion we share, your dedicated Ally account executive will work hand-in-hand with you to help you gain efficiencies, increase your product offerings and work to improve per-vehicle revenue because we care about your business as much as you do. We're all better off with an ally. Contact your local Ally account executive to get started today. Ally do it right.