Go Auto’s cybersecurity plan: awareness, training, continuity

For big companies in big cities, cybersecurity is a big concern.
Just ask Jaguar Land Rover, whose factories are still shut down following an incident last month, or Google and Salesforce, victims of a recent data breach. And, of course, there was last year’s ransomware attack on dealership software provider CDK Global, which sent shockwaves throughout the auto retail industry.
But what if you’re the owner or general manager of a dealership in, say, Moose Jaw, Saskatchewan? Should guarding against cyber threats be top of mind for you?
“That’s a very valid question,” said Duncan Cochrane, senior vice president of Edmonton-based dealership group Go Auto. “There’s going to be degrees of what I would call the give-a-[expletive] level. Whether you’re a small, single rooftop operator in a secondary market versus a major metro operator, versus a small hotel or a national business, there are different levels of concern.
“If I’m Mr. Moose Jaw dealer, I probably don’t have to go to the extent of what the big groups and big manufacturers are doing. But I do think if you look to the CDK incident, it took a lot of people offline and it really hampered people’s businesses, big and small, because no one had a plan.”
Cochrane, whose purview within Go Auto includes software and cybersecurity, said every business, down to the smallest dealerships, needs a business continuity plan.
“If I’m running that Moose Jaw store, I want to think about, if there is a security incident and my major systems go offline, how do I service my oil changes that day? How do I serve the guy wanting to buy a new truck that day? How can I at least be able to conduct business?” he said.
“So you need some sort of business continuity plan, and that might just be, ‘Hey, we’re going to pen and paper.’ We know this is where the bills of sale are stored, and this is where the service forms are stored, or anything like that. Just make sure you have some sort of plan, so if the worst-case scenario does happen and one of your major vendors is taken offline, you can still actually run your business and transact your sales.”
That’s not to say that a single dealership can just completely ignore the threat of cyberattacks and data breaches.
“No one wants to be the source of one of these issues,” Cochrane said, noting that a small dealership is “probably not a target for the most part.
“But I do think having awareness that those things can happen, and educating yourself on what’s out there and what could happen is also super important for the small dealer. Just to have some base awareness that there are people out there trying to do these things, and what are the basic steps you can take to protect yourself and your business.”
For a larger business like Go Auto, which operates 69 locations in five provinces and the U.S. state of Washington, the concern over cybersecurity is at a higher level.
Cochrane said the company’s IT department has been on top of the issue “for quite some time,” but the real wakeup call came last summer, when the massive attack on CDK shut down the software used by the majority of North America’s franchise dealerships for two weeks.
“I’d like to think we were a bit ahead of the average dealer group in terms of security,” he said. “But the catalyst for rapid advancement was the CDK incident, which I think for all of us in the dealer world really shined a light on cybersecurity and the fact we were not immune to it.
“So what we did at that point really started with a lot of education, really understanding what the threats are, really understanding how we can prevent them.”
The most common of those threats is phishing, in which scammers send an email or text that mimics a legitimate company or entity — or even someone in the recipient’s own company — hoping to trick the recipient into giving them sensitive information, such as a password, that can allow them to infiltrate a network.
But, Cochrane said, as technology keeps advancing, phishing is moving beyond just emails and texts.
“They’re getting more and more sophisticated,” he said. “We’ve heard of examples of voice phishing, where they will essentially replicate the CEO or president of your organization’s voice.
“You’ll get a voicemail saying, ‘Hey, you need to reset my password right now. I’m about to give a presentation and I can’t log in to my Windows device, so you’ve got to reset it right now.’ And you have a junior-level IT staffer who’s probably scared and is thinking, ‘Oh my God, that is the CEO’s voice!’” Cochrane said.
“So phishing in all of its formats — and understanding that phishing is not just an email activity anymore — is probably the number one issue.”
In the face of such increasingly complex schemes, dealerships and dealer groups need to have a plan.
“Everybody says it’s not if you have an incident, it’s when you have an incident,” Cochrane said. “So there’s also the planning components. If this does — when this does — happen to us, how can we make sure we minimize the incident as much as possible, and get back online as quickly as possible?”
The plan should include data management — understanding where your data is, who has access to it, how it’s protected and how long you’re storing it for. Does everybody need access to everything or do certain roles at the dealership only need access to certain things?
There also need to be preventative measures such as multi-factor authentication, which requires a code sent to a user by text or email in addition to a password to log in, and a password management system to protect passwords, making it harder for intruders to enter.
Cochrane said those methods can be effective against many phishing scams, “and it’s easily implementable. It doesn’t require a ton of sophistication.”
Not that there aren’t more sophisticated aspects to Go Auto’s plan. Cochrane said the IT team does a lot of proactive technical work behind the scenes, including firewalls and other technologies.
That part of the strategy also includes cybersecurity audits by a third-party partner and penetration testing to identify gaps and vulnerabilities.
“We’re working on closing the loop on all of those, and we’ve been doing that for some time now,” Cochrane said. “So that’s the back-end component of it. The second component is we’ve really upped our education, not only for our executive teams and our leaders, but for our staff.
“So, there’s the technical component, the auditing component, that we’re pretty heavily into. But I’d say the training component would be the second really big thing we’re focused on with our staff to make sure everybody on the front line is vigilant and aware of what could be happening.”
The importance of that education/training component cannot be overstated. That’s because according to studies by a variety of sources, the vast majority of incidents are caused by human error, with data showing it accounts for anywhere from 75% to 95% of those issues.
Cochrane said the problems start “because of an employee doing something they shouldn’t be doing, whether that’s giving someone the wrong access, leaving a laptop open or clicking on a phishing email. So education of your staff is a huge part of it.”
Much of Go Auto’s cybersecurity training is outsourced to Hoxhunt, a company that specializes in such education, following extensive research, but Cochrane was quick to note “there are a lot of great providers out there.”
In addition to mandatory training, Cochrane said, “we actively try to phish our own team multiple times a month, and if you click on a phishing email, you do have to go do more training right then and there. And then if you report the phishing emails, you get bonus points essentially … for being active and being able to detect those things yourself.”
Training is among the top measures dealers can take to deter cyber incidents, Cochrane said, because “anyone can do this. You might not be able to afford the best technologies or tech partners, or you just might not understand them. But training is pretty straightforward, pretty simple. There are many companies out there that offer this training at varying price points. It is affordable and effective.”
The third major piece of Go Auto’s plan is to actively prepare for what to do when an incident does occur.
That includes a number of areas to consider. For example, where is the company’s data backed up and stored? Having that information stored offline or on air-gapped machines — that is, a device that is disconnected from the internet and any other networks — makes it accessible even if connected systems are shut down.
“If there is an event, we can get back up and running as quickly as possible to limit any service interruption for our customers, as well as minimizing the impact of a breach based on how our data is stored or how it’s encrypted, what data we store and so forth,” Cochrane said.
Go Auto also holds “active tabletop exercises” in which its third-party technology partners lay out an incident scenario and ask, “What are you going to do?” Those sessions include the executive leadership team as well as the IT, data, software and marketing teams.
“It covers everything from how are you going to identify and address the data breach or whatever it might be,” Cochrane explained. “It’s really for us to be very prepared in these situations, to help us maintain that business continuity. Like if we’re totally taken offline, similar to what happened with CDK, we know where the printed bills of sales are that we can put back into action really quick, or the service forms or whatever it might be.
“How are you going to communicate it to your customer base and to the public? For instance, on the marketing side, we have a number of pre-drafted communications based on different events so we’re not scrambling to figure out what to tell people.”
But the thing about those communications is it’s not just about having the right message. It could also be about how to get the message to its intended audience.
“You might not have access to your email,” Cochrane said. “You might not have access to any of your normal communication channels. So you’ve got to be prepared for not only what to say, but you’ve got to be prepared for how you’re going to disseminate it, not only to your staff, but to the greater public, given that you might not be able to even use email.
“Another thing is this stuff never seems to happen on Monday morning at 9 a.m. It’s going to happen on Friday at 3 p.m. going into a long weekend. And the head marketing guy or the head communication person is going to be on vacation somewhere you can’t get ahold of them. So we have printed hard copies of the business continuity disaster plans in multiple places with multiple people read into it.
“How do we contact every dealership’s general manager? Do we have their cellphone numbers and are they printed off someplace or saved on some hard drive somewhere? Once you really start unraveling it and peeling back the layers of the onion, there’s a lot of little nuances and you have to be prepared for a lot of different things.”
Overall, Cochrane said, Go Auto’s plan boils down to three main elements.
“One strategy is the awareness of your current situation,” he said. “Two is the training. And three is the business continuity planning in case an event does happen. You know, what are you going to do? How are you going to respond both internally and externally?
“Then a fourth thing is to have some insurance. Things are going to happen, so you want to make sure you have some sort of insurance policy for this stuff because, like insurance for anything, you only want it when you absolutely need it. And if you go through a cyber incident, you’re absolutely going to want to make sure you have some insurance to cover you.”
Cochrane is not exactly who one might expect to be the executive leading the cybersecurity charge for a large company. He isn’t an engineer or IT expert by trade. In fact, his background is in marketing, which is also among his duties.
But he became interested in the issue when he went to a cybersecurity conference that happened to be in the same city at the same time as an automotive conference he was attending. The event opened his eyes to a potential problem and sparked his interest in doing something about it.
“I wouldn’t maybe be the typical person that would take on some of this stuff, but I think you don’t have to be,” he said. “You don’t need to be the IT specialist to learn all this stuff and to figure it out. There are a lot of resources out there that can help you understand it, whether it’s a conference, online resources or courses through the HBRs or the Courseras of the world. You’ve got to educate yourself and make yourself aware of the situation that’s out there.
“But as a senior executive, I took a bit of a personal interest in the whole concept of cybersecurity and really wanted to just kind of help push it. I mean, I’d rather spend the money on security and doing everything we could than to pay a ransom, right? Then everybody was very involved from the top on down, so it was one of those moments in your organization where everybody came together to really advance a project and a cause.”