By Debbie Kirlew

Cyber threats are rising and fraudsters and hackers are finding increasingly clever ways to infiltrate businesses and trick employees and consumers.

The statistics are alarming – 74% of small businesses and 90% of major businesses experienced a security breach in the past year, according to figures on the Government’s website. The digital threats include hacking, spamming or DDOS attacks (distributed denial of service – when an online service is made unavailable by overwhelming it with traffic).

However, the biggest IT security threat facing car dealers comes from people, according to industry experts.

Craig Goodwin, chief business security officer at CDK, whose security credentials include working for large financial institutions, said: “Attacks on dealerships are not going to be at the top of the list for hackers, but if a business is an easy target, they could find themselves hacked. Getting the basics right is essential.”

About 60% of attacks in 2014 were made on small- to medium-sized businesses, according to the latest 2015 Internet Security Threat Report (ISTR) from Symantec. It also revealed malware (malicious software) increased by 26% in 2014, with more than 317 million new pieces created, while ransomware attacks grew 113% with a more than 4,000% increase in crypto-ransomware attacks (when a ransom is demanded in return for a decryption key).

 

Email spoofing

The IT director of one of the biggest groups in the AM100, who asked not to be identified, said human error is the most common weak link in a company’s IT security. That view is reflected in a Symantec report highlighting the increased sophistication of ‘spear-phishing’ attacks, when the fraudster imitates an email so recipients believe it is from someone they know. Spear-phishing rose 8% in 2014, but with 20% fewer emails.

Jason Fry, managing director of PAV IT Services, whose clients include automotive retailers, regards these old-fashioned con techniques with a digital twist as the most prevalent threat.

He said: “It’s not even about obtaining banking or credit card details, but gathering the right information to dupe the customer. With much of the purchase process taking place by email, fraudsters are looking for details of who is buying what car for how much, the deposit amount and the outstanding balance.

“The fraudsters then replicate an email from the dealer asking for the deposit or settlement and providing bank details for payment. As far as the customer is concerned, it’s all very plausible because all the information is correct so they transfer the money.”

With no solicitor handling the transfer of funds, no additional verification protocols and often just a regular bank transfer, the sector is vulnerable to such scams.

Fry said: “Dealers should be making customers aware of how they will transact to reduce the risk.

“It can also be really easy to gain access to company emails. The fraudster simply finds employee information on LinkedIn, calls head office and asks for the IT department. He then gives them the name of a sales manager and tells them he is working from home but has forgotten his password, so requests it to be reset. This is invariably undertaken over the phone without confirming the person’s identity.”

The IT director agreed: “The biggest risk we have comes from email, where hackers or fraudsters try to con money from people or obtain data for criminal use. We come across this at least two or three times a week.  

“Fraudsters will also obtain information about the shareholders or senior directors which is in the public domain, including their email address. For example, they would identify the chairman and finance director and send an email supposedly from one to the other requesting a bank transfer, including the bank details of where the money should be paid. This then ends up in the email box of an accounts employee in one of the branches who is told to take immediate action. Generally, the lower down the hierarchy the fraudster aims, the more likely they will get a result.

“We do have tools in place to protect us from spoof emails, but it is not 100% and spoofing is reasonably easy to do.”

 

Password policy

Weak passwords or those that remain unchanged from the typical default of ‘password123’ are one of the most common ways security is breached.

Goodwin advises dealers to implement a rigorous password policy: “Change passwords frequently and the more complex they are, the stronger they are, which can prevent many business attacks.”

Fry urges dealers to ensure employees whose jobs place them most at risk, such as those who authorise payments, have multiple layers of authentication, such as a randomly generated PIN which needs to be entered along with their user name and password. The group IT director advises against allowing employees to access applications using a ‘group’ password.

 

Educating employees

Goodwin said: “The industry can help by making sure dealers educate their employees on issues such as how to spot a dodgy email to prevent human error. And it doesn’t cost much; small to large dealership groups can access a range of resources online, such as webinars, which provide security advice.”

The IT director advised: “Processes should be put in place, such as never providing bank account numbers in emails. If such an email request is received, it is then escalated to the general manager or group accountant to let them take the decision.

“We are certainly on the radar of people who undertake this kind of activity; so far we have never failed to spot them. Our employees know if something doesn’t seem quite right to send it to the IT team or me. You may have the most sophisticated anti-virus and malware protection in place, but if Joe Bloggs in accounts is fooled, it doesn’t make a difference.”

The group IT director advises dealers to prepare the answers to a number of ‘what if’ scenarios such as ‘what if your website is the subject of a DDOS attack’ or ‘what if your data is stolen’ so it can be put into action as soon as required.

CDK launched a dealer education programme 18 months ago, which includes access to white papers, webinars and guides to help boost security at a local level. CDK also speaks at seminars and expos to further raise awareness. This year, the programme will be stepped up to increase protection among all its users.

Meanwhile, good housekeeping is just as important, such as ensuring end users only have access to the data they need and that, when someone leaves, their access to the dealer management system is immediately removed.

 

Keep security software up to date

Most companies deploy sophisticated anti-virus and anti-malware systems, with many day-to-day activities sitting behind a firewall, but operating a highly secure IT strategy is again dependent on the basics, such as keeping up to date with patches (fixes or repairs) from providers such as Microsoft.

Web design company Autoweb Design endured a tough lesson eight or nine years ago when an attack known as a SQL server injection crashed its website and those of its clients. This led to the implementation of a rigorous set of security protocols that not only protect its own website, but the 400-plus websites of its automotive clients.

Co-founder Richard McCombe said: “We didn’t realise how vulnerable we were and it showed us the need for substantial security protocols. Thankfully, we have not experienced anything like it since.”

While automotive retailers need to be aware of the likes of DDOS attacks, Fry believes there is little to gain for attackers targeting the sector. With few transactions taking place online, a DDOS attack would be a major inconvenience with some inevitable loss of custom, but it would not be severe enough for companies to pay a ransom.

Other attacks to be aware of include the crypto-locker, whereby a laptop or device can become infected after using a public network; the external source encrypts the device and locks the password, often demanding money to re-open access.

Fry said: “Ensuring a company has the right protection in place is an ongoing process; it has to be audited and reviewed regularly.”

 

Third-party security

The AM100 IT director advises dealers to identify the risk within their business or group, including how each application is accessed, such as by a LAN (local area network), WAN (wide area network) or the internet. It’s a continual process that incorporates an audit when new features are released as part of an application already in use.

He said: “I am 99.9% certain that our firewalls won’t fail and most dealer groups will have something along those lines in place. Hackers and crackers are looking for a back door; they are seeking out the weaknesses. A hacker is more likely to utilise third-party, cloud-based systems if they are less secure and find a route that way.

“We all use those third-party systems and that’s where we are most vulnerable, so we need to monitor them. We start with a list of all the applications in use and we then undertake a risk assessment to determine their level of security. When you think every dealer in a group could be using at least 10 different systems, there’s every chance some will not meet your security standards.

“Most IT departments are only concerned with the security of their own systems and not the third-party systems that are in use. But the dealer is still responsible for the security of the data handled by these applications.”

He added: “I would be surprised if the amount of traffic which incorporates sensitive data is all encrypted. For third parties transferring our data, full encryption would be our minimum standard, so if it got out into the ether no one would be able to do anything with it.”

 

Threats to your search results

When Autoweb Design is approached by a potential new customer or a competitor’s contract comes up for renewal, the team uses sophisticated software to carry out a website audit.

McCombe said: “We still find issues, although most are usually self-inflicted and are issues where search rankings have been affected as a result of bad back-linking.”

During one of Autoweb Design’s ‘reconnaissance missions’, it uncovered a server hack on a car manufacturer’s website. A commission scam was driving affiliate traffic to the website of a well-known sunglasses brand. Scammers had created several bogus sunglasses pages on the manufacturer’s domain, then created backlinks to these bogus pages. This would elevate the pages up the rankings.

McCombe said: “The biggest issues we usually dig up are legacy problems from backlinks earned in the days when relevance didn’t matter. It is possible to distance yourself from these legacy links by utilising tools which effectively ‘tell’ Google that your website is no longer associated with them.”

 

Sharing intelligence

Fry thinks people in the automotive retail sector would benefit by sharing their experiences: “I have no doubt the majority have been the victim of a cyber-attack, security breach or scam, but I am not convinced they would be open and honest, which is how companies can learn, benefit and ultimately reduce the likelihood of an attack.

“Unfortunately, it remains a taboo subject in the industry as no one wants to admit they have experienced a security breach.”