Auto dealership employees should come up with complex passwords for the computers they use, and they should change those passwords frequently.
They should securely dispose of paperwork that includes sensitive information, and they should ensure that laptops and computers are protected within the dealership, kept behind a locked door in a location that is not accessible to the general public.
“At GM Financial, we work obviously very closely with dealers, and on a fairly regular basis dealers reach out to us with questions relative to cybersecurity, privacy of customers and what are some things they can do to safeguard that data,” Ryan Bachman said.
Bachman, who is senior vice president and global chief information security officer for GM Financial, will talk about some of the top cybersecurity issues that the auto and auto-finance industries face during a session at the Automotive Intelligence Summit on July 23 titled, “Fireside Chat: Cybersecurity for the Future of Auto.”
Safety of customer data and safety while driving
Why is cybersecurity and its relationship to the future of automotive an important topic?
General Motors has made auto industry cybersecurity one of its primary strategic goals across all of its related businesses, said Bachman, who has the credentials to back up his expertise in this area. He is a certified information systems security professional, a certified information systems auditor and certified anti-money laundering specialist.
A search of the various news sites for information regarding data breaches that have taken place at financial institutions and other companies will show many results. Bachman has also seen consumer privacy pop up more often as a news topic.
For GM, cybersecurity as one of its primary strategic objectives extends to its manufacturing processes and development of its automobiles. With the auto industry’s current focus on connected and autonomous vehicles, GM is also focusing on security and safety for those vehicles.
“So I think the core on all of those is safety of our customers,” Bachman said. “Safety of their well-being while they’re operating our vehicles as well as the safety of our customers’ data when they do business with General Motors.”
Hackers: More sophisticated every day
Hackers’ methods are gaining in sophistication, but Bachman said the level of that sophistication depends on what the hackers are after. In auto finance, hackers typically want people’s personally identifying information or PII.
“Hackers are increasingly using email to attack finance companies,” Bachman said. The hacker will send a phishing email in an attempt to fool employees into doing whatever the hacker wants them to do.
That could be something as simple as clicking on a link that has malicious software associated with it, or opening an attachment with malware input into it.
Bachman often sees or hears about cybercriminals trying to get malware detonated into the environment by somehow duping the employee. He is also seeing a trend in cybercriminals pretending to be either a known customer of the company or an executive at that company, using email to try to trick an employee into providing information that he or she shouldn’t.
“We always see a spike in tax season, and I know other auto finance companies do as well, where you see individuals and organizations being targeted for tax information for ID purposes,” Bachman said.
He has heard of many of those attacks coming via email.
“They can be very convincing in their attack methods,” Bachman said.
Again, the hackers — or as Bachman refers to them, “adversaries” — mostly target PII for the purposes of ID theft. They could target the auto industry as a whole, a specific company within the auto industry, or an auto-finance company. Bachman has seen that adversaries target the auto-finance companies more than individual dealerships.
The reason for that, he said, is that auto finance companies will usually have a much broader cross section of PII, he said. A dealer might only possess information associated with customers that have done business with that individual dealership.
“So (that) effectively makes the auto-finance companies a bigger target,” he said.
GM Financial and dealers: A mutual interest in safety
Dealers regularly contact GM Financial with questions about cybersecurity and customer privacy, asking how they can safeguard data. The company provides information, guidance and tips to its dealer customers in that area.
“They will reach out to us and ask us questions on things that they can do to resolve the incident, mitigate the incident or whatever it may be,” Bachman said. “So, we do make ourselves available to try to assist our dealers in any way we can because we both have a mutual interest in ensuring that our customers have a positive interaction with us both with the dealers as well as within our products.”
Bachman also said GM Financial team members often attend dealer conferences in an effort to continue exploring as an organization how to assist dealers in protecting against cybersecurity threats. Those team members also attend dealer roundtable discussions and tell dealers how to safeguard the customer experience, and dealers have had a positive reception to those events, Bachman said.
What dealers can do now
For a first step, dealers should meet with their IT service provider and find out what measures the provider is taking to safeguard information, Bachman said.
“A lot of things can be found just in the course of that discussion,” Bachman said. “So, an understanding of what technology is being deployed to safeguard customer data, and also what processes and people are being allocated to safeguard customer data and the transactions that are occurring at their dealerships,” he said. GM also works to ensure dealers and their employees know what they can do in the area of cybersecurity hygiene to protect customers.
For basic security, complex passwords and other precautions mentioned earlier will help. Another of Bachman’s recommendations is in the area of wireless routers and wireless Wi-Fi signals. Bachman advises dealers to deploy the appropriate level of security on those Wi-Fi networks.
Bachman believes that attempts to steal data and breach the computing environments of the auto industry and more specifically the auto finance industry are “certainly going to be a continued threat and a persistent threat over the next several years.” Adversaries will continue targeting “an absolute broad spectrum of data.”
That could include PII, financial information of the specific companies, intellectual property, or technology designs within vehicles.
“Criminals have different motives for going after different types of targets, but I would say it’s a threat that both GM and every automotive company out there is facing,” Bachman said.