Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hello, everybody, welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. Very excited to have you today.
And so today I have a few things to go over. It's been a massively busy week. If you're not in the auto industry, you may not be aware of a major data breach to CDK.
CDK is a platform that supports a lot of auto dealerships. If you are in the auto industry, you have definitely heard about it and are probably affected. I believe more than 50% of all auto dealerships utilize CDK.
So today I want to dive into that, what it is, and then what that means for incident response, business continuity, some lessons that we can learn from that. Then actually go into some things you want to consider in your incident response plan that would tie directly into this CDK impact because it's a really good case study. And finally, just some good things, best practices to try to prevent a data breach.
Definitely, I'm sure you've heard of all of these, probably ad nauseam. But still, they're good to bring up. So getting into CDK, real quick background.
CDK Global, they basically provide the software to manage auto dealerships, trucking industry, and that goes not just for selling vehicles or logistics, but also payroll, service, managing the warranty integrations between the dealerships and the manufacturers. And just all of those different moving parts is conveniently all in one nice package and all in one place. It makes it considerably easier to manage a dealership, which if you've never managed one, there's a lot that goes into it, kind of like a restaurant.
Just what you see on the floor is maybe like 25% of the battle, and then everything else that's going on, there's a lot of work being done. So CDK helps make that easier, except when they don't. And that right there is not a jab at CDK.
That's more of kind of what we've talked about before, our overall reliance on single systems. And assuming that this system will never go down, we're always going to have access to this. We'll have plans for everything else, but we're operating under the assumption that our main platform's always working or akin to Microsoft.
I'm assuming that Microsoft's always going to work or Google Suite. That's always going to be there working. It may just be the other things.
But when these main critical suppliers get hit, it causes a massive, massive impact. And it's not just a thing of the dealership having difficulty selling a vehicle. The ripple effects are enormous, and we do not have enough time to go into all of them here.
But to give an idea of how a single platform can impact, with CDK being offline, a lot of dealerships, they can't sell a vehicle. One, because they don't have any backup paper process. That actually goes to making sure that you have a good continuity plan.
And if you don't, this is some of the trouble you can get in. But some don't have a paper process to know how to sell a vehicle, record it, manage the title, manage the inventory update with the manufacturer, because that's a big thing. They don't know how to do all of those steps manually.
And in some cases, there's not a method to do that, to manage that. So they just can't sell a vehicle. But it goes a step further than that, because a platform like CDK, which is a DMS, a dealer management system, a platform like CDK also manages a lot of the service departments for auto dealerships.
So a lot of their inventories are in there, the tickets, who's getting what, who has a warranty, who's covered, who isn't, who's paid, who hasn't paid. And just all of those pieces that go into running a service shop, which is a completely different animal than just running a sales side. Now the service department perhaps can't operate.
And what's actually happened with a lot of service departments is a lot have just stopped operating completely. Others have still been doing minor work, maybe oil changes, tire rotations, things like that, things they can easily manage and document. But anything that would have to, say, validate to the manufacturer, or with certain parts, or with big ticket items, they're not doing those because they don't have the confidence that when the platform comes back online that they'll be able to properly integrate that information and keep everything straight.
The worry is that it's just going to throw everything off. And especially on the sales side, it's very, very important that they have an accurate inventory at all times, not just for the dealership, that's good practice, but also it's a requirement of the manufacturers. The manufacturer calls up and says, hey, how many of our vehicles do you have on the lot? You need to be able to tell them right then and there.
And if you can't, that causes some big issues. And you don't want to have issues with the manufacturers because then you could lose your authorization or license to be able to sell those type of vehicles. So it could literally put you out of business.
So the inventory management is a major, major issue. So here we have primary platform offline. We have the sales department being hit.
We have our servicing department being hit. Those are typically our primary income generators. So essentially the dealership, we're not pulling in any money and we're now pushing people away.
Here's some additional considerations to that though. Our expenses don't just stop when we stop making money, which a lot of you that are in business probably know that all too well. Even when you're not pulling anything in, you've still got to pay the bills, which sucks, but that's how it is.
But all of the salespeople, well, now they're not selling vehicles. A lot of them are on a commission base, so they're not making any type of commission. On the service side, if we're not performing services on vehicles, if we're not performing the major services, maybe we're just doing small things, but now a lot of people are getting turned away, our people in our service department may not be getting their hours or may have just been forced, what am I trying to say here? Forced, not retirement, but vacation.
A lot of places have actually made employees take their vacation time to be able to continue to get paid. Well, just with these kind of frontline workers, everybody that could be affected by that, that could be a major impact, especially when you consider a lot of people are one or two paychecks away from serious financial trouble. We're putting all of our salespeople in our service department and everybody else potentially in a very bad position.
So we initially look at it and it's, oh, my God, this is a big impact to CDK. Oh, well, it's also a big impact to these dealerships, but it's not just the man getting hit. It's, wow, everybody that's supporting the dealerships, everybody in there, those that have families, those that are supporting people, they've got dependents, they're being impacted too.
This also hits on the people that, well, they need their car to be able to get to work. They need their car to operate. If my car breaks down, now I can't get it serviced.
So I'm not even directly related to this dealership. I have no payment tie. I'm not W-2 anything.
And now my income's being affected as kind of a third tier impact. So these major data breaches have incredible ripple effects. So here we've got the sales department hit.
We've got the servicing department hit. We've got our clients hit. And all of this also considering that we've paid all of this money for marketing, which typically the marketing is only good for a couple of days.
If that may be up to a week to where if we don't contact those leads within that time, they're going to go somewhere else. So all of that money that we've already spent to get those leads, now we can't even do anything with those because we can't sell a car. We can't perform service.
And without spending a lot more time on specifically this section, it's also going to have an impact if your customers now come into your dealership, into your location, and you can't do anything for them. That impacts trust. It impacts confidence that maybe we shouldn't be working with this dealership.
And not to say that that's not misplaced because if one of the other DMS solutions goes offline, it's the same type of impact. But as far as my relationship right now with that dealership, anybody that's coming in, we're potentially losing customers. And the lifetime value of a lot of customers with all the service and everything that's performed for them is massive.
So that can be a significant income hit to the dealership. And large dealerships may fare better, but those that don't have a lot of reserves, this could be a very significant problem. So not diving into that anymore, but I think we can really see how serious of an issue our primary system going offline is.
And just to tie that maybe to something that's a little bit closer to home, consider if Microsoft, just for a week, said, we're offline. We're not going to give you any update, which CDK hasn't.
And here's a little bit of an issue because they haven't provided any type of real updates. There's nothing on their website. And it's making it very difficult for the cybersecurity professionals, the IT departments, everybody in the dealerships.
It's making it hard for them to know what do we do next? What do we do now? Are we going to be off for two or three weeks and we need to engage our insurance? Or is this just going to be are we expecting another 12 hours? Okay, we'll just hold our breath and we'll get there. That'll be okay. Where are we at? And there's no information.
And imagine if it was that way with Microsoft. Just we're dealing with an issue at an abundance of caution. We want to make sure that we do everything right, and we will be online when we feel confident that our systems are secure.
In the meantime, all right, I don't get emails. I guess my contact list that was all there, I can't access that because the platform's down. If I didn't sync it locally, anything that I'm doing locally may not work, depending on the product I have because it wants to check the license and it can't communicate.
Or I do things locally with a team, and now we're all making different changes, and when things come back online, that's going to be a mess. Just the ability to be able to access any documents, to be able to do anything would be completely hindered, and that would be a major impact to any business. And that's what the dealerships are dealing with.
So this takes us to really the next topic, which is related, but your incident response plan. And I want to keep tying it back to this CDK incident because, well, it's happening right now, and it hits very close to home. But there's a few things to consider in your incident response plan that at first look are typically overlooked.
With a lot of incident response plans, it's listed, okay, who are we going to contact? Who's going to engage? Where's our insurance company? What are the phone numbers? Okay, great, we've got everything covered. But when you're actually in the trenches, when you're really getting fired at, when you're on the battlefield, that's a completely different emotional position than it is when you're just developing everything. So one thing to consider is really understanding the insurance policies that you have.
You want to take a look at what is required to make a claim, say how many days do we need to be offline or what do we need to be able to provide. Obviously, what's our deductible. This will tie back.
I'm going to do a sidestep real quick. This will tie back to some of our other conversations with us doing our risk assessments where we identify how much basically we're making per day, our average lifetime value of clients, the hourly income that each employee generates. That's really important because we can look at, all right, if we're going to be down for just a few hours, that's not going to have a major financial impact.
If we're going to be down for three, four, five days or more, that's going to be a substantial impact. We need to engage our insurance at that time. Let's pay the deductible, whatever that is, $75,000, $100,000 if you're a much larger dealership.
Let's pay the deductible and get the coverage. Part of that coverage we want to be able to identify. Some policies do cover interruption of business.
We want to understand what that means. Is that going to pay our employees, all of our employees? Is that going to provide a payment to commissioned employees or is the insurance company going to look at it as, well, they're commissioned, they don't actually have a set salary so there's nothing we can pay them. Are they going to be left out in the cold? Is this going to support the entire dealership, all of the service areas? Are there any, I don't want to say gotchas because it's a contract, but are there any other special considerations that we need to know if we enact this policy? And then also really understanding what the steps are, what evidence or what information the insurance company is going to want to be able to engage these.
So it can be annoying to go through all of that, but it really doesn't take too long. It's a significant issue if you're in the midst of a data breach. And from experience in dealing with a lot of different organizations, a lot of different data breaches, what tends to happen is baby steps.
If we don't already have the plan identified that at this many days we're going to do this or at this amount of impact we're going to do this, if it's a thing of we're going to see what happens and then engage resources as necessary, appropriate to what's going on, it turns into baby steps of, well, we've come this far already. Let's see what happens, say, in the next hour or in the next day. Well, man, we've already come this far.
Let's give it another hour, another day. And let's just see what the next step looks like. Well, we've got a little bit working now.
Let's see what happens tomorrow. When you really look at it, all of those little baby steps have turned into pretty big strides to where if you were looking at it objectively, say, from the outside or looking at a test scenario, a tabletop, you would say, no, we absolutely want to engage insurance or we want to engage these resources at this point rather than where our baby steps took us over here. That has also created issues for some organizations where those little baby steps turned into a thing to where they passed their notification requirement windows.
If you know or you suspect that your client data has been impacted, you have a legal obligation to reach out to them to let them know. So you want to make sure that you create plans to manage those baby steps. You also want to identify what is it we're going to do with our employees.
So let's assume our systems are offline. Are we just sending everybody home? Are we going to continue to pay them? How's that going to impact them if there's a data incident? What type of trust is that going to instill in our clients? Not our clients, our employees. If we get hit with a data breach, now we're having to send everybody home.
Well, we're going to get our insurance to get paid back. Nobody else is getting paid. We were all in this together.
Is that going to foster a good relationship between you and your employees? And is that going to create some underlying issues perhaps that surface in a myriad of ways that you can't really tie to this? That's something to consider. We'll also want to put some language in place regarding who's going to make statements about this? Who can talk about it? And if somebody calls in with a question or anything related to this, who do we send that person to and how do we do that? Because what you definitely don't want to do is have somebody call in, God forbid the press, and just any employee says, I can't talk to you right now. We're having a major data breach.
We don't have access to any systems, and we lost our customer data. So, yeah, I can't talk about anything right now, but we should be up in a few days. The press could definitely fill in a lot of details there and definitely speculate as to what was not said.
That could also be, God forbid, a pretty big impact to, say, a major client. Maybe you have a major client, and they haven't heard about anything yet. Wait, this has been going on for a week, and I'm just now hearing about it when I call in to the receptionist? Why wasn't I notified about this before? Things can really go sideways if you don't manage the communications that your employees are having.
So part of your incident plan, have a statement that employees need to say. At this time, I'm not able to provide any information. Let me transfer you to a better resource.
It can be anything very benign that doesn't say anything, but then instruct them how to transfer and who to transfer to. So basically explain to your employees how to professionally hot potato anything that comes in because you don't want to deal with the stress of them sharing any incorrect information. That's not a stab at any employees.
They're not part of everything going on in the incident response team. They shouldn't be. They don't need to be.
So they just don't need to be making any type of comments about it. It's also important in your incident response planning to identify when are we going to enact our business continuity plans, and what do those look like, and at what level? Maybe if this goes on for four hours, we're going to start recording things on paper just to make sure we have a backup. If this is going on for a day, two days, or it looks like it'll be that long, we're going to engage our backup system or we're just going to start doing everything on paper.
If this looks like it'll be more than two days, we're going to reach out to insurance and perhaps at that time close the dealership, close our organization and let the insurance company pay us for that downtime rather than provide substandard service or things that could negatively impact our customers. So whichever way you go is completely okay. You just want to make sure that that's relevant to your organization.
So those are good things to consider as part of your incident response planning. Please don't take this as a thing of me saying that this is what you do to create an incident response plan. There's a lot more to it just bringing these up because they're often overlooked and a lot of companies that have their plans sitting there, these are questions that come up pretty consistently that in the midst of things we're having to find answers to.
So best practice, learn from my experience, from my customers' skinned knees, make sure that's part of your incident response planning. As part of, because definitely a data breach sucks, we don't want to have those. We want to prevent them as much as we can.
Some things we want to consider before an incident happens, obviously creating our incident plan. But just like we discussed on our risk management discussions, answer the question, what would happen if this system is unavailable? Not if it gets a data breach, not if it is disrupted. If it's unavailable, let's just assume that the universe came in and made it poof be gone.
There is no way we can access it. What are we going to do? And I doubt that the answer to that would be, well, we just close our company. We stop operating.
That's not going to be the answer. There's going to be an answer that follows that. So when you ask that question in that way, you can start really building out your continuity plan that's relevant to keep the business operating, keep everything running.
When you look at it as far as if there's a data breach or if it's offline, the thought process, it's like trying to conceptualize infinity, I think. I just can't conceptualize that it would go down in a way that we completely can't operate. So the suggestions and the recommendations I'm going to have are going to be tied to that, well, we need to make sure we have the system online.
If we go into the conversation, however, with the premise and the understanding that this system is not available, it's not going to be available. It's not going to work a little bit. It's completely gone.
How do we stay viable? That can also lead you, without going too far into the risk side, to opportunity management. Because if we look at all of these things, over 50% of dealerships right now are having trouble operating or are not operating at all. What if you were one of the dealerships that either was on a different system or you had a process that even with the system offline, we can work.
It's fine. The system makes it easier, but it doesn't keep us running. It just makes it easier.
So when it's not there, the day's a little bit more tedious, but we still get things done. How much business could you capture just putting some things out, saying, Hey, you need your car worked on. We can actually do it.
We're not shut down. That's not even a big marketing message. So when we're looking at these, these risk assessments, when we're creating these incident response plans, always have the idea in mind that if we're going through this, somebody else, our competitors probably are as well.
They might be. And if they are, how could we capture some of that market position? How could we be a leg up on them? And that's really opportunity management, which is a completely different conversation, but getting into the things that we want to make sure we have in place to prevent serious negative impacts from a data breach or prevent them from happening entirely or reduce how many we have, that's a better way to say it because you will have a data incident. How severe it is really depends on how you have everything set up.
So this is talked about all the time, but have multi-factor authentication set up, multi-factor authentication that should go to an authenticator app if possible. If you can use a key card or something like a YubiKey, those are great. Use some other form of authentication, multi-factor, and make sure you save the backup codes when you set it up and make sure you have another way into the system.
That could be another user, another admin. Maybe you have a break glass admin that can get in, but you want to make sure that as you're setting up these security features, you don't lock yourself out or create a situation to where, let's say you've got all of your authenticators on your phone. Now you lose your phone.
Well, now you've lost access to everything. It's a bad position to be in, especially if you're an administrator. So have multi-factor authentication.
Just do it safely. You also want to make sure you have logging. Logging is not so much going to typically prevent a data breach, but what it can do is definitely help you identify when one is happening and jump on it faster so you can contain it.
It's not as big of an issue, but what it also does, and what I think is significantly more important, is that when you're doing an analysis, when you bring in a forensic team and they're looking to see, okay, what happened? What did they access? What we really want to know is what didn't they access? If we've got good logs and we can show all the logins, all the file access, who did what, and there is nothing from a bad actor, there's nothing from a compromised account on any of our client files, any of our client databases or systems, we can show that, listen, our client data wasn't impacted.
You know, they got into some of our stuff. They saw our financials. They saw our, our business plans, our new marketing, but they actually didn't get into the customer database.
If we can prove that with logs, then we don't have to do all of the notifications. That absolves us of having to, one, spend the expense to send that to all of our clients, which is very expensive. It also prevents us from having to assume that they had a data breach and now respond as such. Because if I can't prove that my customer data wasn't impacted, I have to assume that it was, and now I have to notify them.
Typically I've got to do some sort of remediation, which typically works out to purchasing something like LifeLock. And that can be a major expense. So if we can avoid that, that's a preferable method.
Saves us a lot of money, saves us a lot of face, prevents the degradation in trust. It's infinitely better. So I'm a big proponent of logging for that reason because it really impacts the ROI.
It really impacts the financials of an organization. And you really see that during the data breach. Those with really good logs typically don't really spend that much.
Those without it can just climb to ridiculous levels. The next thing is strong passwords. And I would recommend getting a password manager that is zero trust, something like Keeper Security.
You can store all your passwords in there. You can lock that down with good two factor authentication. And that way I can have a strong password, 20, 25, 50 characters on sites that allow it and have a different one for each site.
And it's not a big issue because I'm just pulling it from the password manager and putting it into the platform. That can go a long way in preventing people from using the same password on multiple systems because that's a major way that data breaches spread like crazy. You compromise one set of passwords.
And now I'm just going to try it on every other system this dealership uses. And Hey, look at that. Now I can get into all of these other systems and it just, it spreads like wildfire.
One of the biggest reasons that happens is the reuse of passwords. If you're using a password manager, that helps eliminate that. What I would recommend is, if you're using a password manager and it supports its own authenticator like Keeper Security, you can do the authenticator.
So it gives you the six digits right within the platform. That's very cool, because it can also autofill, but God forbid your Keeper or any of your other password managers gets compromised.
Now they've got your password and your two-factor authentication. They can get into everything. If you have your authenticator on a different device or even with something like a YubiKey, even if somebody gets all of your passwords in your password manager, well, they still don't have your multi-factor.
So they can't get in. I'm not saying that's not devastating. If somebody gets into your password manager, but it's a lot less of an impact if they don't have every single key to get into every single thing.
The next thing. And I think this is really one of the most important is stick to your SOP, your standard operating procedures. And if you don't have those, make sure you get those in place.
They don't need to be extensive or crazy, but there should be a standard way that we transfer money. There should be a standard way that we ask for additional funds. There should be a standard structured way that say, we do a wire transfer or perform a purchase or do a title transfer.
Any of those things. Some of the major things, especially tied to data access and financial transactions, have a structured way that you do it and don't deviate from that. That way, if somebody calls in, or you get a phish, or there's some sort of request that's asking an associate employee to do something outside of that SOP, they can just immediately dismiss it.
Nope. That's not how we do things. I can ignore this because if it was somebody in my organization, one, they wouldn't go around the SOP; two, perhaps we had the SOP to get around the SOP and they didn't do that.
You know, I didn't hear this. I didn't hear the secret word. They didn't say pineapple when they called in.
So I'm ignoring it. Sticking to the SOP can save considerable amounts of money. It's also, what I always like to bring up is, if we're spending enough time to put those in place, we're probably going to identify ways that we can be more efficient, that we can be more productive, and we can get those put into place at that time so that these exercises aren't just a thing that's costing us money and time.
It's actually helping us refine our business and find ways to make it better. So with that, I am going to close this out for today. I want to thank you for listening, for jumping in, but please hit that subscribe button on whatever platform you're on and leave some comments.
If there's some areas that you want to dive into, if you want to discuss some of this further, I'm always more than happy to dive into it. And absolutely if you're needing help with your incident response planning, your business continuity planning, more than happy to connect with you and also connect you to some great resources that we have that can help you get that set up. So thank you for listening to Cash in the Cyber Sheets and I will see you next week, 10 a.m. Thursday.
Thanks for listening.
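The logging point made in the episode, that good logs let you show what a compromised account did not touch and so avoid a forced customer notification, can be demonstrated with the following added example. It is not code from the episode, from Input Output, or from any vendor mentioned. It assumes a JSON-lines audit log with `ts`, `user`, `action`, `resource` and `outcome` fields (an assumed schema), uses a constructed sample log, and treats any stretch of log silence longer than a threshold as a coverage gap, because a gap means the logs cannot prove the negative the notification decision depends on.

```python
"""Scope what a compromised account did and did not touch, from audit logs.

Added example for the logging discussion; the log schema, account names,
resource names and timestamps are all constructed assumptions.
"""
import json
from datetime import datetime, timedelta

# Constructed JSON-lines audit log (assumed schema: ts, user, action, resource, outcome).
SAMPLE_LOG = """\
{"ts": "2024-06-19T08:00:00Z", "user": "svc-marketing", "action": "read", "resource": "marketing_plans", "outcome": "success"}
{"ts": "2024-06-19T08:30:00Z", "user": "svc-marketing", "action": "read", "resource": "financials", "outcome": "success"}
{"ts": "2024-06-19T09:10:00Z", "user": "jdoe", "action": "read", "resource": "customer_db", "outcome": "success"}
{"ts": "2024-06-19T09:40:00Z", "user": "svc-marketing", "action": "read", "resource": "customer_db", "outcome": "denied"}
{"ts": "2024-06-19T10:05:00Z", "user": "svc-marketing", "action": "write", "resource": "marketing_plans", "outcome": "success"}
"""

# Resources whose access would trigger customer notification (constructed names).
SENSITIVE = {"customer_db", "customer_exports"}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-06-19T08:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text):
    """Parse JSON lines into event dicts, sorted by time, with 'ts' as a datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = parse_ts(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def coverage_gaps(events, start, end, max_gap=timedelta(hours=2)):
    """Return (gap_start, gap_end) pairs where the log is silent for longer than max_gap.

    Absence of events only proves absence of access if the log was actually
    recording; a silent stretch is a period the forensic team cannot vouch for.
    """
    gaps, prev = [], start
    for ev in events:
        if ev["ts"] - prev > max_gap:
            gaps.append((prev, ev["ts"]))
        prev = max(prev, ev["ts"])
    if end - prev > max_gap:
        gaps.append((prev, end))
    return gaps


def scope_access(events, accounts, sensitive):
    """Split what the compromised accounts touched into sensitive and other resources.

    Only successful operations count as access. Denied attempts against sensitive
    resources are reported separately so they are not mistaken for a breach of
    customer data but remain visible to the responders.
    """
    accessed, attempted = set(), set()
    for ev in events:
        if ev["user"] not in accounts:
            continue
        if ev["outcome"] == "success":
            accessed.add(ev["resource"])
        else:
            attempted.add(ev["resource"])
    return {
        "sensitive_accessed": sorted(accessed & sensitive),
        "sensitive_attempted": sorted(attempted & sensitive),
        "other_accessed": sorted(accessed - sensitive),
    }


def customer_data_verdict(log_text, accounts, start, end, sensitive=SENSITIVE):
    """Decide whether customer data was 'accessed', 'not accessed', or 'unknown'.

    start/end are ISO-8601 strings bounding the incident window. The verdict is
    'unknown' whenever nothing sensitive was seen but the log has coverage gaps,
    because the logs then cannot prove the negative the notification decision needs.
    """
    lo, hi = parse_ts(start), parse_ts(end)
    events = [e for e in parse_log(log_text) if lo <= e["ts"] <= hi]
    scope = scope_access(events, accounts, sensitive)
    gaps = coverage_gaps(events, lo, hi)
    if scope["sensitive_accessed"]:
        verdict = "accessed"
    elif gaps:
        verdict = "unknown"
    else:
        verdict = "not accessed"
    return {"verdict": verdict,
            "gaps": [(g.isoformat(), h.isoformat()) for g, h in gaps],
            **scope}


if __name__ == "__main__":
    # Compromised account, full log coverage: no sensitive access, one denied attempt.
    print(customer_data_verdict(SAMPLE_LOG, {"svc-marketing"},
                                "2024-06-19T07:00:00Z", "2024-06-19T11:00:00Z"))
    # Same account, but the window extends into hours with no log lines at all.
    print(customer_data_verdict(SAMPLE_LOG, {"svc-marketing"},
                                "2024-06-19T07:00:00Z", "2024-06-19T16:00:00Z"))
```

The first run returns "not accessed" with the denied attempt against the customer database listed separately, which is the evidence the episode describes handing to the insurer and the forensic team. The second run returns "unknown" purely because the log goes silent for most of the window; the point of the gap check is that a dealership whose logging was switched off, retention-expired or never covered the database cannot use logs to avoid notification, no matter how clean the entries it does have look.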