Can car dealers avoid being “low hanging fruit”?6 min read

As the scale and maturity of cyber attacks grows, affecting businesses of all sizes across every industry, it’s tempting to ask: Why? Why now? Why us? And why this type of attack? In an article in Automotive News, James Arthur, head of cyber consulting at Grant Thornton UK LLP offers some answers and advice.

As he explains: “The reality is that cyber criminals look for low hanging fruit and can afford to launch attacks on anyone who looks vulnerable. Indeed, recent research found that UK mid-market businesses lost around £30 billion in the last 12 months to cyber attacks.

“Worryingly, of the circa 500 businesses surveyed, 65% did not have a cyber security team. This is not unique to the mid-market: small businesses are also feeling the heat and are facing an increasing number of attacks.

“The UK’s Federation of Small Businesses recently reported that small organisations are collectively subject to 10,000 attacks per day. These findings are mirrored in the automotive sector.

“A 2019 survey conducted by Synopsis and SAE International on current cyber security practices in the automotive industry found that 62% of respondents think it is likely or very likely that malicious attacks on their software or components will occur within the next year. So cyber attacks are no longer a matter of ‘if’ but ‘when’. But where do these attacks originate from and why are they evolving in such a way that more businesses than ever are facing such a substantial threat?”

Reasons for the explosion in cyber crime

• Few barriers to entry: the technical skills required to become a cyber criminal are easy to acquire. Plenty of know how is available online.
• It’s a highly lucrative industry: the global costs of cyber crime are predicted to hit $6 trillion annually by 2021.
• There are very few successful prosecutions for cyber crime, particularly when conducted against international targets.
• Increasing ‘trickle down’ of exploits: attackers can buy ever more sophisticated attacks that used to be reserved for nation states only.
• Growth in available security credentials and personal information for sale: this enables easy targeting, particularly where there are other network vulnerabilities.

“Smaller to mid-sized businesses are now most likely to face attacks from opportunistic cyber criminals,” explains Arthur. “This type of approach is contributing greatly to the growth in cyber crime – volume attacks that seek to identify weaknesses to exploit, for example, unpatched software.”

Why is the automotive industry attractive to cyber attackers?

As well as potentially falling victim to indiscriminate volume cyber attacks, there are groups of cyber criminals who do like to target specific industries that they think could be especially lucrative. Reasons for specifically targeting the automotive sector might include:

• Data theft – e.g. access to apps and services that contain banking information, personal identification data, insurance and tax data, travel permits, licence plate and other vehicle registration data, lifestyle information e.g. club membership, medical records (a driver suffering from a health issue may have information about their condition accessible via the vehicle), vehicle location information and vehicle physical security data.
• Extortion or a denial-of-service threat – for example, ransomware that denies drivers access to their vehicle (a car owner could find themselves in the predicament of having to pay a ransom to take back control of their own car from a cyber attack mid-journey).
• Fraud and deception – for example, altering or deleting schedule logs and records.
• Freight and goods theft.

The challenge of security

According to James Arthur, “at each stage of the vehicle lifecycle, cyber security in the automotive industry raises several distinct challenges: at manufacturing plants, from third party suppliers, for enterprise IT systems and for retailers and dealers.

“Extensive amounts of data are kept by the dealer. This includes data on the vehicle and, because many individuals purchase vehicles through either PCP or PCH, a large amount of financial and personal data on customers.

“An incident such as a ransomware attack could prevent the motor retailer from trading. This would have great implications for a business if an opportunistic cyber breach took place in the last few days of the month or quarter, just as the dealer is looking to meet their month-end vehicle targets.

“Experiencing a cyber attack where personal client data is breached could also result in reputational damage. A notable automotive cyber attack occurred in late 2017 when Wales’s largest car dealership was held to ransom by hackers. The company’s systems were offline for several days and corrupted equipment had to be replaced after the shutdown which caused additional disruption to the business. However no customer data was accessed in this attack.

“Dealers are a part of a local community and are trusted by their customers. A breach is likely to impact the dealer’s reputation and create a loss of trust which is not easily repaired. Instead, it is far easier to invest in basic cyber security measures before an attack occurs.”

With this risk in mind, he suggests that it is better to carry out pragmatic preventative measures now to help prevent a cyber attack from occurring.

Six steps to mitigate against cyber attacks

Six simple ways have been identified whereby organisations in the automotive sector can start to recognise cyber threats and put in place actions to mitigate against them:
1. Establishing a cyber incident response plan. This sets out the various actions to be taken in the event of an incident, together with who has responsibility and accountability. It need not be overly formal but should include the different functions in the business that may be affected such as IT, HR, Finance and Legal.
2. Monitoring and managing the risk posed from your supply chain: businesses are increasingly aware of the threat posed by their supply chains. Take steps to understand how your data is handled by your suppliers and what cyber defences they have in place.
3. Regular software patching: keeping software up-to-date is one of the easiest ways to close open doors.
4. Regular vulnerability scanning and security testing: put in place a regular scanning programme and perform penetration tests at least biannually to test security defences.
5. Understanding what ‘normal’ looks like for your business, in terms of application usage, so you can identify any unfamiliar patterns: take the steps to understand your environment and what behaviours and habits form a part of that on a day to day basis. This will help you to detect activity outside of the norm.
6. Investing in regular training and raising your people’s awareness of cyber security: your people are your strongest asset and weakest link when it comes to detecting cyber threats.

The original version of this article is available via the link.