Automobile dealerships have problems when it comes to information security. One of these problems is that, being relatively small organizations, they have limited resources to expend on information security. Exacerbating this problem is the fact that dealerships are difficult to secure and are juicy targets for cyber-criminals and identity thieves.
What do I mean by “juicy targets?” Dealerships of necessity must collect a great deal of personal private information about their customers in order to do business. This not only includes names, addresses, phone numbers and email addresses, but also potentially includes information such as Social Security Numbers, credit ratings and other financial information. Criminals can exploit this level of information to cause all sorts of mischief and make lots of money.
What do I mean by difficult to secure? Dealerships typically have various sales departments (i.e. new, used, fleet), service departments, finance departments and body shops. All of these departments employ computers and most of these departments are also accessible to customers. In addition, dealership personnel are often called upon to leave customers and computers unattended while they perform various tasks away from their areas. This means that there are lots of “attack surfaces,” both physical and cyber, for cyber-criminals to try to exploit.
One inexpensive and effective way for dealerships to fight these problems is to ensure that access to your computer networks is well secured. There are basically two ways for attackers to access your computer networks: through a physical connection or a wireless connection. If your dealership still uses wired connections for workstations (many don’t), you should ensure that these connections are secure from tampering. You don’t want unattended customers to be able to successfully plug their devices into an open port and get access to your network. Access via these ports should be limited to approved MAC addresses, or should employ some other access controls to prevent casual network access.
Even more important than this, though, is ensuring that your dealership wireless networks are properly configured and secured. On top of having the same vulnerabilities as wired networks, wireless networks have the added weakness of working via electromagnetic signals that can be accessed by anybody in range. To secure your wireless networks, you should follow best practices advice including:
- Use strong access controls to limit access to wireless networks to only authorized users. Multi-part authentication is strongly recommended for this.
- Ensure that your wireless network employs strong protocols like WPA2 and is fully encrypted.
- Ensure that wireless access points and other networking equipment are fully secured. It is preferable to have this equipment secured in locked rooms or cabinets. It’s even better if access to this equipment is logged to individuals.
- Ensure that your wireless systems are securely configured. Change all vendor default passwords, and ensure other device settings conform to best practices recommendations.
- Ensure that your wireless devices and software applications receive proper security maintenance, and are well updated and patched.
- Separate your wireless networks into segments and ensure that only those with a business need to know can access each segment.
- Ensure that guest networks are available and properly secured. Each user of the guest network should have separate access control to prevent other guest network users from illicitly spying and compromising others on the network.
- If you are allowing your employees to use their own devices to access the production wireless networks, ensure that these devices are secured according to best practices recommendations. Also ensure that users are fully educated in their responsibilities for maintaining wireless security.
- Monitor your wireless networks with an eye for anomalies and misconfigurations.
Following these and other good network security recommendations can greatly increase information security at your dealership without having to expend inordinate amounts of money and employee time.