A cyber assessment is the first step in preparing for, and preventing, cyber attacks on your dealership.
In today’s uncertain economic climate, many Canadian dealerships are focusing almost all their discretionary spending on initiatives directly aligned with increasing sales. Running a dealership means striking a balance between investing heavily in moving more product and continuing to invest in other departments less closely linked to sales, such as IT.
But how much is enough? One of the ever-present threats facing all small and medium-sized businesses including dealerships is cyber crime — and your dealership being targeted is a matter of when, not if. Investing in cyber security is like property insurance against hail or flooding: it’s necessary to protect the whole enterprise.
Your balancing act requires you to invest in cyber security in a cost-efficient way. And getting the most out of your cyber security spending always starts with an assessment.
The first thing to look at in a cyber security assessment is which pieces of data and information are the most important to protect. These are “crown jewels” — data that, if compromised, would bring significant financial and/or reputational harm to your dealership.
Many well-intentioned dealership owners assume they should just protect everything. But protecting all your data equally is too expensive and time-consuming to be feasible. Cost-efficient cyber security requires you to focus on the crown jewels.
Your clients’ financial data, especially personally identifiable data that includes names and birth dates, tops the list. Credit card numbers and insurance information being breached, published, or sold on the black market is a worst-case scenario to avoid.
Protecting employee passwords and devices is next among the top priorities. Data regarding product prices, employee compensation, emails, inventory and parts suppliers, etc. may seem crucially important on the surface, but a breach of this data likely will not cause substantial harm to your dealership. There are easier paths to recovery if this data is breached.
The next step in an assessment is to look at where your dealership is most exposed — not only which types of attacks are most frequent, but which are the most likely to be successful.
A common fraud we see in dealerships is one where an attacker impersonates one of your regular suppliers or contractors, then alters the payment information to redirect funds. Victims of this type of attack end up in double jeopardy — losing funds to a fraudster and becoming delinquent to their true vendor or supplier.
While this example may not be as frequent as an ordinary email phishing attempt, if it has a higher success rate, it can still be more dangerous.
Another large area of exposure to cyber crime is through third parties you do business with, such as insurers. Sensitive information gets passed between your dealership and your vendors; one mistake can cause your data to be misplaced or downloaded incorrectly and leave your dealership open to a breach. At the same time, a weak cyber stance at your dealership can lead to your vendors’ data becoming compromised.
In your assessment, ensure you’re taking precautions to share data securely with third parties.
Finally, your staff can be a source of a cyber breach. Your assessment should include a review of the internal cyber awareness training your employees go through. We will discuss this more in the next section.
During your assessment, look at the tools, systems, and processes you’re already using to protect yourself. Is there a gap between where you are and where you need to be?
As a dealership owner, you understand the importance of insurance better than almost anyone. The typical business insurance plan would protect your dealership from floods, hail, theft, and other common threats. But does it include provisions for cyber security?
Some dealerships are insured against cyber threats, others aren’t. If you haven’t recently looked at your policy for cyber coverage, your assessment is the perfect time to do so.
The most cost-efficient cyber security investment you can make is simply ensuring your staff, at all levels, understand these fundamentals:
Rogue employees are rarely the source of a breach at dealerships; a breach is much more likely to result from an employee who is simply untrained or careless. Thus, a little training goes a very long way.
Your assessment should include reviewing, or creating, a response plan.
If you are the victim of a cyber incident, a crisis response plan can be the difference between minimal damage and worst-case scenarios. Your plan should provide a step-by-step outline of how to react to a cyber incident: how to shut down devices, contact external counsel, and keep damage to a minimum.
Good technology is important, but it’s more important to have it in the right hands.
Part of your assessment should be to make sure you have the right cyber security tools for your dealership. That doesn’t always mean the most expensive or sophisticated; you can save money by having the appropriate software for your needs, and the right staff and processes behind it.
Our team of dedicated professionals can help you determine which options are best for you and how adopting these kinds of solutions could transform the way your organization works. For more information, and for extra support along the way, contact our team.