Comment: Ian Gillott, CIO Titan DMS.
Cybersecurity threats are top of mind for many in the automotive industry as we head into 2024. The high-profile attack on Eagers Ltd that put them into a trading halt in December is making OEM and dealership stakeholders extremely nervous.
These nerves are a good thing.
The threat is real, it needs to be taken seriously, and if you are nervous about it, you are probably also proactive about it, which lessens the chance of you being on the receiving end. Note that I said “lessens” the chance. With the tools available to threat actors, social engineering, and the complexity of today’s IT environments, organisations are encouraged to take the view that they just need to make their houses more difficult to break into than the neighbours’. Making them impervious to attacks is something that even mega-corporations such as banking institutions and the military have been unable to achieve.
Since the cyber incident with Eagers, many of our customers have contacted us to ask how they can avoid the same fate. Short of hiring cyber specialists who can do a full review and hardening of your systems and IT environment, there are a few basic steps that can be taken to make you less susceptible than the business next door. Protection starts with understanding that cybercriminals operate on a similar principle to a standard business – maximising ROI. The time invested in accessing a system vs the value of the data taken or locked out from the business directly affects the profit (ransom) on their investment (time).
The greatest protection you can offer your business is to ensure that anything of value requires significant time and dedication to access, making other targets more appealing. Technology still needs to be the enabler, and when it comes to how far you can go, the answer is forever. But there is a sensible limit. Protections can make technology more difficult to break through, but also remove convenience for you as a business. Determine your risk profile, and set a sensible limit. In short, your security should be aligned with your business to allow it to be protected but not overburdened. Here’s where to start:
Basics of protection:
Taking it further:
I understand “investment” in cyber defence can feel like a sunk cost, and when budgets are tight, the temptation to invest in margin assets rather than defence is high. But, as with other forms of insurance, there is a level appropriate for every business, and those businesses with a consistent approach to improvement will be the toughest prospects for the criminals to target.
The recent breaches within the automotive industry are a stark reminder of the potential that cyber-attacks have to cause enormous disruption and cost to an organisation. We should all use them as a valuable reminder to ensure data security is a business priority in the new year.
May you all have a safe, enjoyable, and prosperous 2024.
Bio: Ian has spent the last 20 years between Australia and the US in senior IT and CIO/CTO roles across large-scale global businesses. Much of this time has been providing cybersecurity enterprise solutions for customers such as the Pentagon, US Military, Microsoft, British Telecom, Amex, and American Airlines.