Introducing an additional step to the login process can help protect dealerships from the threat of cyberattacks.
The technique, known as multifactor authentication or two-factor authentication, increases the challenge for a criminal seeking to breach the system. A hacker would need to obtain each of the required inputs to impersonate the user, in contrast with a system that could be accessed with, say, a stolen password alone.
“It’s essential,” Helion Technologies President Erik Nachbahr said during an Automotive News Retail Forum: Dealer Discussions panel on Nov. 4.
Nachbahr said some insurers are requiring dealerships to adopt such a precaution before granting coverage. Panelist Erik Day, CFO of Warren Henry Auto Group, said his North Miami, Fla., dealership group couldn’t take out cybersecurity insurance without it.
“In our business, we are big targets,” Day said of dealerships. This was particularly the case for larger groups and small or medium-sized companies that might be “big enough” in a hacker’s eyes.
The risk of failing to take appropriate cybersecurity countermeasures can be significant. Hackers can lock down a dealership’s computers, steal customer data and demand a ransom to restore access or as a payoff for not releasing the customer’s data to the Internet, according to Nachbahr.
“They’ve got dealership data, and they’re using it in a lot of different ways,” he said.
He said his firm has seen dealerships with hundreds or even more than a thousand employees forced to shut down for a week, followed by “months of recovery.”
Day said his dealership group became a victim of a ransomware attack in January after an employee opened an email attachment. He called the event “pretty nasty,” one that even tried to delete backup data. He said it took about three days to address, and the company was ultimately able to restore “the majority of everything” and avoid paying a ransom.
But Day’s dealership group was tech-savvy, and potentially more prepared for the attack than other dealerships might be. “We were pretty buttoned up before,” Day said, adding that the company has since toughened security further.
That’s not the reality throughout the industry. Nachbahr said his company finds obsolete technology, 10-year-old passwords, employees not required to change their passwords and data including customer bank account information stored in easy-to-access digital locations.
Nachbahr said that in his firm’s experience, dealers “across the board” display weak cybersecurity.
According to dealership software company CDK Global, multifactor authentication involves the user providing two or more items from categories involving things “you know,” “you have” or “you are.” For example, a user might need to provide both a password and a fingerprint scan, or a PIN and a key card.
Presenting a harder target by requiring additional inputs makes it more likely criminals will simply move on to a less secure victim, according to CDK.
Panelist Michael Alf, general manager of St. Charles Toyota in Illinois, said: “We’re really big on two-factor authentication here.”
Dean Evans, executive vice president of Cars.com, said every employee at his company must use that format.
“We’re required to go through this authentication multiple times, sometimes, a day,” he said.
Alf and Nachbahr warned that some forms of the technology are less secure than others. Alf criticized authentication codes sent via email or SMS as “really not two-factor authentication.” Nachbahr also described email authentication as a risk.
Even if dealerships institute multifactor authentication, they might face another security hole. Nachbahr said “a significant number of vendors” don’t incorporate the technology.
“All vendors really need to start enabling that across their software,” said panelist Mahesh Shah, chief product and technology officer at CDK.
Shah said dealerships should feel free to ask their vendors about security practices, and Day said his group tends to raise the topic during the contract stage. Shah said some sophisticated cybersecurity insurers can perform basic checks on vendors if requested, in addition to assessing policyholder dealerships.