Dealerships can fight work-from-home vulnerabilities

For Canadian auto retailer HGreg.com, setting up a cloud-based computer system was necessary to connect its dealerships across two nations. That initiative started around 2014, and it turned out to be a beneficial strategy during the current coronavirus pandemic.

The company uses a cloud-based phone system and Google technology for email and file-sharing across its 32 rooftops, including two Nissan stores and six used-car dealerships in Florida, CEO John Hairabedian said. When the coronavirus swept across North America in March and HGreg shifted non-customer-facing employees to work remotely, "we were pretty well prepared already," he said.

Companies have expanded remote work arrangements in recent weeks as governments have ordered nonessential businesses closed to keep people from congregating at offices, dealerships included.

Yet dealership consultants who specialize in information technology say retailers generally aren't familiar with having employees work remotely — and neither are their computer systems, which routinely handle customers' personal information. Home offices may keep the work pipeline from being entirely halted, but they pose new cybersecurity risks.

Perhaps the biggest risk to a dealership is allowing employees to use their home computers for work. That's because employees would not have corporate anti-virus protection, and that could create an unsecured opening for a cyberattacker to infiltrate the network and access data, according to Helion Technologies and Proton Technologies Inc., two IT consultants that work with dealerships. Dealerships have no way to monitor the activity on an employee's personal computer.

"Home PCs are inherently not secure," said Erik Nachbahr, president of Helion Technologies. "You could count on that they're compromised."

In April, Proton Technologies received an estimated 1,000 service ticket requests in the course of a week from dealerships needing access to a virtual private network, or VPN, CEO Brad Holton said. The networks allow employees to connect to the dealership's system through a virtual "tunnel" that is secure and encrypted.

An alternative is to use cloud software so an employee can use a personal device to remotely operate a work computer as if he or she were at the office, Holton said. Neither option eliminates risk, but they add a layer of security to dealership operations. Cloud-based software, such as that used by HGreg, reduces risk because it sidesteps the need to access the business network.

Multifactor authentication, a process that requires users to provide extra verification of their identity, also is a good idea, said John Rondini, an attorney and co-chairman of the cybersecurity and data privacy practice at Brooks Kushman law firm in Southfield, Mich. That could include an email or text message containing a code to enter when logging in.

The most secure action dealerships can take is to supply employees with individual work computers, consultants said. Yet that's rarely done.

Nachbahr said that historically, it has been difficult to get dealerships to spend money on technology. And that was before the cash crunch brought on by COVID-19.

But VPN access is "the kind of thing that costs thousands of dollars, not tens of thousands of dollars," Nachbahr said.

Consultants say dealerships should pay attention to another potential security risk: their employees.

Even before the coronavirus outbreak, cybercriminals exposed vulnerabilities in networks by using email phishing attempts and ransomware. Those attempts have increased during the pandemic, Holton said, as scammers prey on people's anxiety. Dealerships should keep up employee training to spot malicious email.

Dealerships also should disable network access for employees who have been furloughed or laid off, consultants said. That includes access to email and the dealership management and customer relationship management systems.

"A terminated employee who has access to the system is our most dangerous security threat," Nachbahr said.

Those who are out of work could be tempted to extract customer data from the DMS or CRM and take it to another dealership, consultants said. To combat that, their accounts could be suspended until they return to work.

Holton said he advises dealerships to limit employees' ability to run reports and build data sets.

Hairabedian, of HGreg.com, said his group disabled functions that allow employees to download customer lists for all but C-suite administrators. The system also logs records of large downloads.

"We've taken proper precautions to make sure that those things don't happen," he said.