Cybersecurity Best Practices Are a Necessity Now, Say Panelists

The CDK cyberattack should have been a wake-up call to dealers that having robust cybersecurity measures in place is not an option anymore.

“CDK and Future Cyberattacks: Best Practices for Auto Dealers,” a recent webinar hosted by CPA firm Rosenfield & Co., offered tips to help dealerships avoid and, if necessary, cope with cyberattacks, as well as a way dealers may be able to save some money because of the CDK attack.

The June ransomware attack resulted in system outages for two weeks and caused disruption nationwide to dealerships’ sales and service operations. The Anderson Economic Group reports the direct dealer losses during the first three weeks of the outage totaled $944 million.

“You don’t want to be the guy on TV talking about how you let all your customers down,” panelist Charles Gallaer, an associate with law firm ArentFox Schiff, says. “If CDK didn’t wake you up, you gotta wake up. “

He points out that different states have different laws regarding a dealership’s responsibility in case of a data breach and that dealerships must comply with each jurisdiction’s laws. Get advice on the laws, Gallaer advises.

In the case of the CDK breach, it was hard for dealers to notify customers because “CDK wasn’t telling dealers what was going on,” Gallaer says. But CDK has promised to handle the necessary notifications in each state, he adds.

Dealerships may be able to use the CDK incident to save some money, Ken Rosenfield, founder and partner at Rosenfield & Co., says.

Some of his clients are in the process of renewing their CDK contracts, he says. “They are considering if they can use some kind of damage assessment that can offset the cost of future contracts.”

If a dealership is a longtime CDK client, “maybe (CDK) is willing to negotiate with you a little more than they were in the past,” Gallaer adds.

Not an Afterthought

Cybersecurity can’t be an afterthought, Greg Weber, Rosenfield & Co’s chief product officer, says during the webinar. “Preparation is your best defense.”

Every dealership should have a Written Internet Security Plan or WISP, Weber says. A WISP is a comprehensive document outlining an organization’s strategies to protect sensitive information.

That plan should be written down, not saved online, he says. Creating a WISP may not be in the dealership leader’s job description, but “you can challenge your staff” to develop and follow it, Weber says.

Dealerships are responsible for any information stored on their network, cautions panelist Ikram Massabini, CEO of MVP Network Consulting. MVP is an information technology management and cybersecurity compliance firm.

“Cybersecurity is not about filling out a form,” he says. “It is about protecting the dealership and its clients’ data.”

He recommends implementing nine cybersecurity-related elements:  

Dealerships should also remove any personally identifiable information, or PII, from employee devices and stop printing documents with PII on them, says panelist Todd Smith, CEO of QoreAI, a firm offering fraud prevention software using an AI-powered unified messaging platform with identity verification.

Those steps “are what dealers can fix today to de-risk the business without even doing a lot,” Smith says. “They are the first steps in a world that is going to be more compliant-driven.”

Dealers should also ensure their staff is adequately trained in what actual documents are needed for an IT review rather than rely on software programs to produce them, Rosenfield says.

Rosenfield & Co.’s clients learned from the CDK outage that it can be hard to gather the proper forms, and “states impose fines for not having the paperwork ready,” he says.

Rosenfield also recommends what should be obvious: always do a daily computer system backup. “Our clients who did that had it much easier” during the outage, he says.