Dealers face far more of a threat from hackers disrupting their systems than they do from data theft.
That’s according to Ian Mann, founder of cyber security specialist ECSC, who spoke to Car Dealer in the wake of the major cyber attack on Holdcroft Motor Group.
Cyber attacks are a massively serious matter, with the government reckoning they cost UK industry in excess of £10bn a year, said Mann.
Problems typically arise when something is opened on a computer that shouldn’t be or systems aren’t maintained properly, he said.
‘Hackers spot that and exploit it,’ said Mann.
Data held by dealerships isn’t all that valuable to hackers as it’s very basic information, he said, and to exploit it they need extra information that dealers wouldn’t have, such as identity documents.
‘Compared with hospitals, where they’ve got people’s medical records, or banks, which have all your banking details and credit card details and things like that, then if I think what my car dealer has about me – my name, address and phone numbers and what sort of cars I buy – they don’t have anything I would regard as too sensitive.’
And he dismissed the line of thought that says hackers are so clever they’ll always get in.
‘The reality is that it’s mistakes that lead to people getting hacked.
‘So people make a mistake, the hackers get in, and they’re then saying “Right, how do I turn this into money?”
‘They’ll do that either by stealing the data and holding you to ransom because they’ve got your data and threatening to sell it or release it, or they’ll deploy ransomware that cripples your systems.
‘For most organisations, ransomware is the big one because you lose your IT systems and people can go bust within days.
‘ The CEO of a £4bn-a-year organisation once told me that without us recovering their systems after they’d been hit by ransomware, they’d have been bust within the next 48 hours.’
Mann, who also worked at the government intelligence and security organisation GCHQ, said prevention was far better than cure.
‘It’s much better and more cost-effective to stop having the breach in the first place. I’ve never heard of a breach that wasn’t preventable.’
But if the worst happens, isn’t it wrong to give in to ransom demands, Car Dealer wanted to know.
‘It isn’t a guarantee, but ransomware gangs know if they don’t give the data back, people will stop paying them,’ said Mann.
‘The ransomware gangs are quite professional outfits. A couple of them actually have helpdesks.
‘So when you get your ransomware, they’ll give you a helpdesk ticket, and if you’re having trouble restoring your data from the key they give you after you pay up, you can contact them for technical support.
‘It sounds crazy but it’s a commercial operation. They’re operating from countries where they’ve got impunity.’
He was keen to stress, though, that it wasn’t necessarily affordable or even ethical.
‘We have many clients who under no circumstances would ever pay because of the nature of their organisations – charities, government bodies, etc.’
Although insurance companies typically indemnify against ransomware and cover the repayment, the cost of cyber insurance is going up substantially because of the losses.
Some insurers are now refusing to cover certain sectors – not because they’re targeted more but because they have very poor cyber security.
Mann wouldn’t be drawn on whether the car industry was guilty of under-investing in IT and therefore exposed to poor cyber security, but he said: ‘Everybody has to be taking it seriously, looking at and assessing their capability.
‘We spend more time preventing breaches than we do recovering from them. The majority of our work is helping companies understand where their vulnerabilities are and helping fix them.
‘The main impact we see is companies crippled, nothing’s working and they just can’t do business. Everything grinds to a halt.’
Tips for dealerships to thwart cyber criminals include back-ups that are physically removed and stored elsewhere, as well as having independent cyber security reviews plus penetration tests, which mimic the behaviour of hackers to see what can be done.
Mann emphasised that car dealers really had to understand their vulnerabilities.
‘Your weaknesses in many ways are unique to you, because they’re unique to what IT systems you’ve got and the skills of the people that manage it.
‘I wouldn’t say that you’ll have the same weaknesses across a whole industry. It will vary according to different organisations.’
For most organisations, they’re more concerned about the impact of ransomware, the disruption and potentially going bust as opposed to any fines that may be imposed for losing data – and those fines can be substantial.
Mann said that what works for individuals can work for very small businesses, but certification with the Cyber Essentials scheme is recommended for larger organisations.
‘If you don’t have anyone in IT, then I’d go with the advice given for home users.
‘If you get big enough that you’ve got an IT person, or it’s outsourced, then I’d get Cyber Essentials Plus certification. That’s a really good way of dealing with the majority of things that cause breaches.’
Main image shows one of ECSC’s security operations centres, where its experts monitor clients’ IT infrastructure to detect, analyse and respond to cyber security events in real time in conjunction with an ECSC centre in Australia. Picture copyright © ECSC 2022