CDK, Other Recent Cyberattacks a Wake-Up Call to Dealers

The CDK cyberattack made glaringly obvious what dealerships should already be aware of: A robust cybersecurity protocol is essential. A cybersecurity breach costs huge, both in dollars and in reputational terms.

Erik Nachbahr, president and founder of IT support services firm Helion Technologies, recommends that dealerships prevent and, if necessary, deal with a cyberattack.

“A good start is to know as much about your IT system as you do about other aspects of the business,” Nachbahr says in a recent webinar.

Information technology “is the only area in a dealership business that the executive leadership tends to not understand exactly how this stuff works,” he says.

Dealers need to trust but verify the work their IT team does, he says. That includes having a general idea of the equipment and software their dealership uses as well as who has access to the system.

“The mistake I see dealers make is they verify very little when it comes to their IT,” he says. “Can you pull out a report and describe what you have and how it has evolved?”

The Safeguards Rule and a False Sense of Security

Knowing what your cybersecurity system is and how it has evolved is the essence of the Federal Trade Commission’s Safeguards Rule, Nachbahr says.

First implemented in 2003, the Rule, which mandates that financial institutions have procedures in place to protect customer information, was revised in 2021. It applies to dealerships, which are considered financial institutions under the Rule.

Its recommendations are essential cybersecurity practices, Nachbahr says. An annual security review performed by certified individuals and presented in writing to the board is a minimum cybersecurity requirement, he says, and “it needs to be a comprehensive discussion.”  

But “quick fixes” aren’t enough to protect dealerships and may give dealers a false sense of security.

Vulnerability Testing

Testing a cybersecurity system is essential. Nachbahr recommends using technology that does real-time attack hunting. Such technology can see everyone logged into a system and uses artificial intelligence to correlate that information with who should be on the system. It can detect an attack as it is happening and work to shut the attack down as quickly as possible, he says.

An annual PEN (penetration) test which simulates a cyberattack, is a good idea, as is a semi-annual vulnerability scan, Nachbahr adds.

Nachbahr says it is also vital to work with a security operations center (SOC) separate from a dealership’s IT team. The latter is frequently not trained to know what a system is telling them about an attack. The SOC should have enough system access to stop an attack once an alarm goes off.

Reduce the Attack Surface

It’s also important to reduce a dealership’s “attack surface” by limiting who has full access privileges to an IT system.

“We always find when we assess dealers that there is too much privilege,” Nachbahr says. “People are able to do things they don’t need to do. Attackers always want high-level privilege.”

Changing passwords frequently is another easy cybersecurity step that Helion finds is often ignored, he says. Indeed, some of the worst offenders are high-level executives and IT staff, Nachbahr says.

“We find they frequently don’t have passwords changed and have very simple passwords,” he says.

Nachbahr says multifactor authentication—a process that requires a password and other information to access an account — is also important.

Update Technology

Helion worked with a large dealership group using the Windows 2003 operating system. Using such old technology is dangerous because it isn’t updated, including patches for vulnerability.

“You don’t need to be cutting edge,” Nachbar says. “The key thing is you cannot have technologies that are end of life.”

An essential date dealerships need to be aware of is October 2025, when Microsoft (MS) will retire Windows 10, he says.

After that, the system will not be updated. “You need to be on Windows 11,” Nachbahr says. “You can’t be on a retired operating system.”

A dealership’s personal computers may also need to be replaced to run the updated MS system. “Don’t wait until next summer (to replace current PCs), or they may not be available,” he advises.

Dats Breaches Cost Money and Customers

The consequences of a cyberattack linger, including the reputational harm. “The internet is permanent,” Nachbahr says. So, when someone searches CDK and cyberattacks next year or the year after, the attack's impact will be relived. The same is true of companies and dealerships that have had other cyberattacks.

The loss of revenue due to an attack and potential business from reputational harm can be significant. Then, there are cleanup costs and regulatory accountability issues.

According to Helion, the average cost of a data breach in 2023 was $4.45 million. The potential reputational cost was also high; 80% of consumers defect from a business if their information is compromised in a breach, Helion says.