Insights: Article

Cybersecurity at Dealerships

By Karen Andersen

September 24, 2018

In auto dealerships, showrooms, car lots and implement dealerships, there is a constant flurry of activity amidst the smell of car wax, the gleaming smooth finishes, and all the latest models. As you approach the service area, the sound of impact wrenches and the scent of grease, motor oil, and all things mechanical become apparent. One area that can easily get overlooked is cybersecurity.

In today's world of instant communications, connected devices, Wi-Fi in cars, infotainment consoles, and a whole world of financial and consumer information, cybersecurity plays an important role. Don't forget to consider the existing cache of paper documents that contain customer financial data. To help emphasize the need for strong security practices and awareness, Eide Bailly has been partnering with dealerships to provide insight on this crucial topic.

When building anything, it’s important to start with a solid foundation. The same principle holds true for cybersecurity. Leaders need to be on board, have an understanding of what needs to be protected, and align cybersecurity to business objectives. The creation of a cybersecurity steering committee is one of the services we have developed to help dealerships build a strong foundation. The first steps include creating a charter and a mission statement. Subsequent steps include determining who has a seat on the steering committee table, defining authority, reaching consensus as a team and defining roles and responsibilities. The mission should also align information security strategy to business objectives.

When to Bring In an Advisor
Most organizations realize there is some sort of responsibility regarding information security, but do not know what best practices look like. What data is considered critical? Which targets may be enticing to a hacker? Do employees know how to spot potential threats? Are employees themselves potential threats? Cybersecurity can seem overwhelming and too technical for business leaders to discuss, which is all the more reason to have someone help you make sense of this complex topic.

By realizing that cybersecurity is not solely an IT problem but requires the input of the business, the focus starts to shift. The formulation of an Information Security Steering Committee engages technical leadership with the business. Leaders outside of IT start to recognize they have an impact on shaping the security objectives and ensuring the solutions are workable. Key decision makers then realize they are able to determine priority on how to support business objectives instead of simply relying on IT to solve problems after the fact.

A successful security steering committee also fosters collaboration by building a common understanding and agreed upon objectives. At the beginning of a business, there is an entrepreneurial feel, and employees may fill a multitude of roles. As a business grows, opens up more stores and hires more employees, roles and responsibilities may not be clearly defined. Are your IT resources focused on strategy and aligning to business objectives, or are they stuck in reactive mode because they are known for problem solving with functional users calling on them to resolve minor but frequent incidents?

By shifting leadership focus on technical strategy and away from reactive mode, the security posture of the environment is able to mature. A collective decision on what matters to the business overall becomes the goal. Other areas of the business also realize they have a responsibility to ensure information security is part of each area of the dealership. Lastly, functional areas are the end customer and recipient of technical solutions, so it makes sense to include their insights when developing successful solutions. You have defined objectives for the growth of your business, so it’s important to align your technical strategy to support and grow with you.

Real Life Application
Eide Bailly worked with a large auto dealership that had more than 25 stores. Like many businesses, it started small and added employees as the business grew. People wore many hats and were mostly operating in response mode. The business was family-owned, and as it grew, additional family members became leaders. Stores were divided across family members, and each member approached their dealerships in their own way. This created a culture of disparate processes behaviors, and because they were family members, it was challenging to get issues raised to a level that could be acknowledged.

To help solve these issues, we worked with leadership to formulate an information security steering committee. Challenges were collectively discussed, assigned skillsets were reviewed and it became obvious that changes were needed to support the growth of the business. Compliance became easier as consistency was applied, and key decision-making power was reigned in once a consensus was obtained. Initial conversations were tough, but as we continued, and individuals had the chance to reflect on proposed changes, anxiety started to change to relief and a sense of support. Responsibilities were redefined and positioned to be proactive, rather than reactive and efforts became collective, rather than the entire weight being placed on IT.

Bringing in experienced consultants to help navigate the conversation can address some of the tougher operational challenges by bringing them out into the open. As a consultant, asking these tough questions is less risky as an outsider. Lastly, as a trusted advisor, we bring the necessary expertise to the table to create the foundation needed to grow the business.

Contact your local Eide Bailly professional or a member of our Cybersecurity team to start making strides today.

Latest Insights

November 21, 2018
Article
Each month, we strive to bring you the hacks, vulnerabilities and challenges of securing your daily habits and work environment. This brief is intended to help you make sense of the ever-changing world of cybersecurity so you can avoid similar…
September 12, 2018
Article
Applications have made a huge impact on our lives, allowing us to keep track of the complexities of our day-to-day and save for our futures. But it’s important to understand where we are laying our trust.
September 10, 2018
Infographic
Did you know a recent study found nearly 40 percent of manufacturers and distributors don’t have a cybersecurity plan? This is alarming for several reasons, and we’ve created this infographic to help show you just how critical a strong cybersecurity…
September 6, 2018
Article
Manufacturing and distribution is an industry built on momentum, but what happens when maintaining the necessary speed puts you at risk of grinding to a halt completely?
September 6, 2018
Article
While cybersecurity should be top of mind for virtually any business today, many manufacturers don’t seem to take the threat seriously.
September 6, 2018
Article
Developing a risk-based approach identifying the areas of most concern for your business will help your team understand that cybersecurity isn’t just an IT problem, it’s everyone’s concern.
August 14, 2018
Recorded Webinar
Service firms that handle client information have particular responsibilities to protect that information—protection that can be strengthened if the firm’s clients are protected as well. We’ll discuss particular protections required for different…
June 14, 2018
Article
It is not to say that well run companies do not get breached, but all indicators lead to the conclusion that if certain things are done from the top down, the effects and cost of defending your company against data breaches, and recovering from a…
June 12, 2018
Recorded Webinar
While your company may be secure, can you say the same about your vendors? In this session we’ll discuss different techniques for performing appropriate due diligence, negotiating the right terms in your vendor agreements, and monitoring vendors for…
Find A Location