There’s a saying in the cyber security industry about cyber attacks: “It’s not personal’’.
As the scale and maturity of cyber attacks grows, affecting businesses of all sizes across every industry, it’s tempting to ask: Why? Why now? Why us? Why this type of attack? Questions that no one can definitively answer.
The reality is that cyber criminals look for low hanging fruit and can afford to launch attacks on anyone who looks vulnerable and so, to that extent, it’s true – it’s not personal.
Our recent research found that UK mid-market businesses lost around £30 billion in the last 12 months to cyber attacks.
Concerningly, of the c.500 businesses we surveyed, 65% did not have a cyber security team. But this is not unique to the mid-market, small businesses are also feeling the heat and are facing an increasing number of attacks.
The UK’s Federation of Small Businesses recently reported that small organisations are collectively subject to 10,000 attacks per day.
These findings are mirrored in the automotive sector.
A 2019 survey conducted by Synopsis and SAE International on current cyber security practices in the automotive industry found that 62% of respondents think it is likely or very likely that malicious attacks on their software or components will occur within the next 12 months.
Cyber attacks are no longer a matter of ‘if’ but ‘when’. But where do these attacks originate from and why are attacks evolving in such a way that more businesses than ever before are facing such a substantial threat?
There are a number of reasons for the exponential growth in cyber crime:
- Very few barriers to entry: the technical skills required to become a cyber criminal are easy to acquire, with plenty of ‘know how’ available online.
- It’s a highly lucrative industry: the global costs of cyber crime are predicted to hit $6 trillion annually by 2021.
- There are very few successful prosecutions for cyber crime, particularly when conducted against international targets
- Increasing ‘trickle down’ of exploits: attackers can buy ever more sophisticated attacks that used to be reserved for nation states only.
- Growth in available security credentials and personal information for sale: this enables easy targeting, particularly where there are other network vulnerabilities.
Smaller to mid-sized businesses are now most likely to face attacks from opportunistic cyber criminals. This type of approach is contributing greatly to the growth in cyber crime – volume attacks that seek to identify weaknesses to exploit, for example, unpatched software.
Why is the automotive industry attractive to cyber attackers?
As well as potentially falling victim to indiscriminate volume cyber attacks, there are groups of cyber criminals who do like to target specific industries that they think could be especially lucrative. Reasons for specifically targeting the automotive sector might include:
• Data theft - for example access to apps and services that contain banking information, personal identification data, insurance and tax data, travel permits, licence plate and other vehicle registration data, lifestyle information e.g. club membership, medical records (a driver suffering from a health issue may have information about their condition accessible via the vehicle), vehicle location information and vehicle physical security data
• Extortion or a denial-of-service threat - for example, ransomware that denies drivers access to their vehicle (a car owner could find themselves in the predicament of having to pay a ransom to take back control of their own car from a cyber attack mid-journey)
• Fraud and deception – for example, altering or deleting schedule logs and records
• Freight and goods theft
The challenge of security
Cyber security in the automotive industry raises several distinct challenges at each stage of the vehicle lifecycle – at manufacturing plants, from third party suppliers, for enterprise IT systems and for retailers and dealers.
Extensive amounts of data is kept by the dealer, this includes data on the vehicle and, because many individuals purchase vehicles through either PCP or PCH, a large amount of financial and personal data on customers.
Experiencing an incident such as a ransomware attack could prevent the motor retailer from trading. This would have great implications for a business if an opportunistic cyber breach took place in the last few days of the month or quarter, just as the dealer is looking to meet their month end vehicle targets.
Experiencing a cyber attack where personal client data is breached could result in reputational damage. A notable automotive cyber attack occurred in late 2017 when, Wales’ largest car dealership was held to ransom by hackers.
Systems were offline for several days and corrupted equipment had to be replaced after the shutdown which caused additional disruption to the business. However no customer data was accessed in this attack.
Dealers are a part of a local community and are trusted by their customers, who need to be retained.
A breach is likely to impact the dealer’s reputation and create a loss of trust which is not easily repaired. It is far easier to instead invest in basic cyber security measures before an attack occurs.
With this risk in mind, it is better to carry out pragmatic preventative measures now to help prevent a cyber attack from occurring.
Six steps to mitigate against cyber attacks:
We have identified six simple ways in which organisations in the automotive sector can start to recognise the cyber threat and put in place actions to mitigate against it:
1. Establishing a cyber incident response plan: this sets out the various actions to be taken in the event of an incident, together with who has responsibility and accountability. It need not be overly formal but should include the different functions in the business that may be affected such as IT, HR, Finance and Legal.
2. Monitoring and managing the risk posed from your supply chain: businesses are increasingly aware of the threat posed by their supply chains. Take steps to understand how your data is handled by your suppliers and what cyber defences they have in place.
3. Regular software patching: keeping software up-to-date is one of the easiest ways to close open doors.
4. Regular vulnerability scanning and security testing: put in place a regular scanning programme and perform penetration tests at least biannually to test security defences.
5. Understanding what ‘normal’ looks like for your business, in terms of application usage, so you can identify any unfamiliar patterns: take the steps to understand your environment and what behaviours and habits form a part of that on a day to day basis. This will help you to detect activity outside of the norm.
6. Investing in regular training and raising your people’s awareness of cyber security: your people are your strongest asset and weakest link when it comes to detecting cyber threats.
Author: James Arthur, head of cyber consulting, Grant Thornton UK LLP