How your dealership can execute a robust cyber assessment

October 18, 2022

How your dealership can execute a robust cyber assessment

October 18, 2022

car at a dealership

A cyber assessment is the first step in preparing for, and preventing, cyber attacks on your dealership.


Chris is a member of MNP’s Digital Services team in Vancouver. With an extensive technical background and more than 25 years of IT and cyber security experience, Chris brings a keen understanding of company IT infrastructure, and demonstrated excellence in identifying risk and emerging issues to his role.

In today’s uncertain economic climate, many Canadian dealerships are focusing almost all their discretionary spending on initiatives directly aligned with increasing sales. Running a dealership means striking a balance between heavily investing in moving more product, while continuing to invest in other departments less closely linked to sales, such as IT.

But how much is enough? One of the ever-present threats facing all small and medium-sized businesses including dealerships is cyber crime — and your dealership being targeted is a matter of when, not if. Investing in cyber security is like property insurance against hail or flooding: it’s necessary to protect the whole enterprise.

Your balancing act requires you to invest in cyber security in a cost-efficient way. And getting the most out of your cyber security spending always starts with an assessment.

What information needs protecting

The first thing to look at in a cyber security assessment is which pieces of data and information are the most important to protect. These are “crown jewels” — data that, if compromised, would bring significant financial and/or reputational harm to your dealership.

Many well-intentioned dealership owners assume they should just protect everything. But protecting all your data equally is too expensive and time-consuming to be feasible. Cost-efficient cyber security requires you to focus on the crown jewels.

Your clients’ financial data, especially personally identifiable data that includes names and birth dates, tops the list. Credit card numbers and insurance information being breached, published, or sold on the black market is a worst-case scenario to avoid.

Protecting employee passwords and devices would be next among the top priorities as well. Data regarding product prices, employee compensation, emails, inventory and parts suppliers, etc. may seem crucially important on the surface, but a breach of this data likely will not cause substantial harm to your dealership. There are easier paths to recovery if they get breached.

What are your greatest vulnerabilities

The next step in an assessment is to look at where your dealership is most exposed — not only which types of attacks are most frequent, but which are the most likely to be successful.


A common fraud example we see in dealerships is where an attacker fakes an identity as one of your regular suppliers or contractors, then alters the payment information to redirect funds. Victims of this type of attack end up in double jeopardy — losing funds to a fraudster and becoming delinquent to their true vendor or supplier.

While this example may not be as frequent as an ordinary email phishing attempt, if it has a higher success rate, it can still be more dangerous.

Third parties

Another large area of exposure to cyber crime is through third parties you do business with, such as insurers. Sensitive information gets passed between your dealership and your vendors; one mistake can lead your data to be misplaced or downloaded incorrectly and leave your dealership open to a breach. At the same time, a weak cyber stance at your dealership can lead to your vendors’ data becoming compromised.

In your assessment, ensure you’re taking precautions to share data securely with third parties.

Internal staff

Finally, your staff can be a source of a cyber breach. Your assessment should include a review of the internal cyber awareness training your employees go through. We will discuss this more in the next section.

How you’re protecting yourself

During your assessment, look at the tools, systems, and processes you’re already using to protect yourself. Is there a gap between where you are and where you need to be?


As a dealership owner, you understand the importance of insurance better than almost anyone. The typical business insurance plan would protect your dealership from floods, hail, theft, and other common threats. But does it include provisions for cyber security?

Some dealerships are insured against cyber threats, others aren’t. If you haven’t recently looked at your policy for cyber coverage, your assessment is the perfect time to do so.

Cyber awareness training

The most cost-efficient cyber security investment you can make is simply ensuring your staff, at all levels, understand these fundamentals:

  • Understanding what constitutes a strong password, and using it
  • Recognizing email phish attempts
  • Securing hardware like company laptops and phones
  • Not downloading company data onto personal devices
  • Using secure wi-fi
  • Detecting and preventing various types of fraud

Rogue employees being the source of a breach at dealerships are rare; a breach is much more likely to result from an employee who is simply untrained or careless. Thus, a little training goes a very long way.

Incident response plan

Your assessment should include reviewing, or creating, a response plan.

If you are the victim of a cyber incident, a crisis response plan can be the difference between minimal damage and worst-case scenarios. Your plan should provide a step-by-step outline of how to react to a cyber incident: how to shut down devices, contact external counsel, and keep damage to a minimum.


Good technology is important, but it’s more important to have it in the right hands.

Part of your assessment should be to make sure you have the right cyber security tools for your dealership. That doesn’t always mean the most expensive or sophisticated; you can save money by having the appropriate software for your needs, and the right staff and processes behind it.

Connect with us to get started

Our team of dedicated professionals can help you determine which options are best for you and how adopting these kinds of solutions could transform the way your organization works. For more information, and for extra support along the way, contact our team.


Thompson, K. (2022, June 20). Canada’s new Federal Privacy Bill C-27 – summary of significant impacts and new proposals. Canada’s new federal privacy Bill C-27 – Summary of Significant Impacts and New Proposals. Retrieved from:

McCorkindale, V., & Williams, S. T. (2022, June 21). Modernizing Canada’s privacy laws: What employers need to know about Bill C-27. Modernizing Canada’s Privacy Laws: What Employers Need to Know About Bill C-27. Retrieved from:

Borden Ladner Gervais LLP. (June 2022). Canada’s Consumer Privacy Protection Act (Bill C-27): Impact for businesses. BLG LLP. Retrieved from:

Bill C-27: An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts. (2022). 1st Reading June 16, 2022, 44th Parliament, 1st session. Retrieved from the Parliament of Canada website: Government Bill (House of Commons) C-27 (44-1) – First Reading – Digital Charter Implementation Act, 2022 – Parliament of Canada