April 17, 2025
MAKE IT SIMPLE, MAKE IT STRONG: CYBERSECURITY INSIGHTS FOR DEALERSHIPS
Let me be clear, I haven’t suddenly become a cyber security expert. But I had the pleasure of spending time with someone who is, Jason Kalwa, the founder of Salus Cyber a cyber security consultancy based in the UK.
We started our chat by looking back at what happened to one of our competitors who I won’t name last June. A ransomware hit that cost them somewhere between $10 million and $50 million but is estimated to have cost affected dealers $600 million. He said this attack illustrated a couple of general points. First that any industry that has extensive and extended supply chains is an attractive target because you can create a massive network impact with a single strike. Second, that as online services have grown and as software systems have increased their ability to connect to other software systems through APIs the ‘attack surface’ exposed to cyber-malevolence is exponentially greater than ever before.
"The mechanics of cybercrime haven’t changed in 40 years — the scale and speed have. Every dealership is part of a digital supply chain now — even if they don’t realise it. There’s no flashy silver bullet. It’s the boring, day-in, day-out stuff that keeps you safe."
He went on to add that the organizations most at risk were those running older tech stacks or legacy systems, especially where employees had to maintain different user names and passwords for different systems I want to emphasise this is not a comment about any specific competitor but a general statement and one which dealership groups who may have older legacy systems would do well to think about.
The next area we talked about are who these malevolent agents are. For larger companies in particular, the biggest threat is most likely to come from professional
criminal groups for whom ransomware can be highly lucrative (as the above referenced competitor discovered). It’s estimated that the average ransom demand in 2024 was almost $3 million. But for many companies, it’s not about the money. Damage done by employees is common. This typically occurs when they are moving jobs and want to take company knowledge with them, or simply because they’re disgruntled and want to cause disruption when they go.
That’s enough talking about the problems. What you want to know is what can you do that helps reduce the risk to your business of cyber security incidents? The good news is that the answers involve a few simple steps that most people will be familiar with. They don’t require you to hire cyber security experts or introduce a ‘big brother’ culture where every employee is under constant surveillance. Our friendly expert described it as “doing the boring stuff really well”.
- Make sure you are using Multi Factor Authentication. We have to use it in our personal lives for almost all online transactions, so employees are familiar with it and today’s technology and networks make it fast and easy.
- Patch everything and do it quickly. Lots of software today updates automatically, but if you have to run the update don’t delay.
- Most of us are predictable when it comes to creating passwords. Even if we are forced to combine letters with numbers and special characters we get into a pattern. Consider pass phrases where you combine three random words.
- Look at the architecture of your system and where you store the valuable data. Use your website as a simple vessel that you collect data from but don’t connect it directly to your core systems; treat your valuable data the way you’d treat valuables at home – if you don’t have a really secure safe hidden in the wall then you wouldn’t put everything in a top drawer.
- Email remains the first point that cyber thieves will probe, so make sure your email system security is properly configured.
None of these are a silver bullet, because there is no silver bullet, no system can ever be 100% secure. The point is to ensure that when a cyber-criminal is scoping out their next target, they see your business is a lot better protected than your neighbours. There’s always going to be an easy target, just make sure it’s not you.
Related Articles
