Cybersecurity and data protection are consistently ranked among the top concerns of organizations and business leaders across many industries. And the automotive industry is no exception. A recent cybersecurity attack on CDK Global, a leading automotive software developer, left thousands of dealerships across North America technologically hamstrung, which forced employees to revert to using pens and paper for essential functions such as processing sales and checking inventory. Was the CDK Global cyberattack just an unfortunate and isolated incident or a sign of a broader trend? What should dealers take away from this incident and what should they do to shield themselves from cyber risk? Travis Walker, a cyber-security and privacy lawyer with Norton Rose Fulbright, shares insights on the cybersecurity landscape in the automotive industry and offers some practical strategies dealers should consider implementing to minimize their cyber risks.
Essential strategies for fending off cyberattacks at dealerships
Q: What are the top cybersecurity risks facing the automotive industry today?
Travis Walker: Studies and annual trend reports continue to suggest that cybersecurity attacks are becoming more prevalent, more impactful and more sophisticated. That certainly holds true across the many incidents we’ve helped clients investigate and recover from during the past several years. Like many other industries, the automotive world increasingly relies on technology for greater efficiencies, improved connectivity and better user experiences. That shift is evident at various levels of the industry, from smart vehicles to sophisticated enterprise-management software for dealerships. Beyond that, dealers are required to interface with a variety of third-party vendors, suppliers and stakeholders and increasingly rely on technology to do so as seamlessly and instantaneously as possible.
Those two factors – increased reliance on technology for internal operations and third-party dealings – introduce new levels of risk that can be difficult to quantify and manage as cyber threats evolve. System and data integrity are threatened by social threats like phishing, spoofing and social engineering, along with technological threats like ransomware, malware and data theft. Even if an organization’s systems remain intact, an attack on an essential third-party vendor can result in significant disruptions for those in its supply chain. While this may seem daunting, the key is to accept that no one is immune from cyber risk. As such, it’s critical to focus on the essential items organizations can control to bolster their resilience and defense postures in the fact of these threats.
Q: What are the major consequences of cyberattacks?
Walker: The major consequences typically fall into one of four buckets: operational, financial, reputational and legal/regulatory. Operational consequences are first and foremost. Depending on the severity of the attack and the resulting impact on an organization’s systems – or on the third-party systems it relies on – operational impacts can range from minor inconveniences to potential catastrophes if essential systems are offline for an extended period of time or are unrecoverable. Financial consequences can range from lost revenue due to business interruption or downtime, contractual penalties and the inability to process payments, generate invoices or calculate payroll. Reputational harm often stems from negative media attention or public/customer perceptions or loss of trust, particularly if customer data or other sensitive information is impacted. Finally, customers and/or employees whose personal information is stolen could file civil suits over the organization’s failure to safeguard that information. Organizations also could be subject to investigation by privacy regulatory authorities, who could subsequently impose financial penalties.
|
||||||
Q: What role does third-party vendor risk management play in an organization’s overall cyber risk management strategy?
Walker: Risk management for third-party vendors is critically important, but often overlooked. Third parties that connect to an organization’s network or process important information on its behalf increase the organization’s attack surface and introduce consequences if those third parties are breached. It’s important to have a plan for evaluating and managing these risks. Third parties that link to your network should only have access proportionate to the service they provide or that is minimally required to meet a business need. Essential vendors should be vetted to ensure their cyber risk-management practices meet an acceptable standard. Moreover, contractual provisions should be built in to ensure vendors are obligated to produce key information if a cyberattack impacts your organization’s operations and information.
Q: What are three things every organization can and should do to protect against cyber threats?
Walker: There are a number of things organizations can and should do to protect themselves against cyber threats and their consequences. To name just three measures, I would develop a cyber-incident response plan, provide employee training and create a strong backup and recovery plan.
An incident-response plan outlines specific actions to take if a cyberattack occurs. It assigns roles and responsibilities to ensure the organizational response is as effective as possible. Like any emergency plan, incident-response plans are rarely effective unless key stakeholders know what’s in them and they are practiced and updated regularly. Promoting a culture of cyber hygiene and providing training to help employees spot and report common threats is essential. The majority of cyber incidents today involve some level of human error that, with proper training, could otherwise have been avoided – or reduced the severity of the incident. Finally, backups of critical systems should be captured at regular intervals and securely stored off of the organization’s network in the event those systems need to be cleanly restored following a cyberattack. The backup program should be regularly audited to ensure it is functioning properly and to test the system recovery time, which may inform critical decisions and timelines in the incident-response plan.
ABOUT THE PANELIST
Travis Walker
Senior Associate
Norton Rose Fulbright Canada LLP
Travis acts as a cyber-breach coach to clients from a wide range of industries, including the automotive sector. He helps clients investigate and recover from all manner of cyberattacks and manage their cyber risks.