Guest opinion by Derek Comestro and Craig Froelich from Bank of America
As the pandemic and remote work continue, this year again brings into focus the fast-growing threat of cyber attacks and the scale of damage they can do. Due to a perfect storm of factors, which include handling sensitive customer data and processing high-value transactions, RV dealerships are particularly vulnerable.
The following describes some examples of threat vectors and cyber security best practices, which together can help RV dealers build a strong and holistic defense against cyber criminals.
Business Email Compromise
Business email compromise (BEC) relies on exploiting people’s impulsive actions and willingness to trust. The FBI reported that BEC losses to businesses in 2020 totaled $1.8 billion, up from $1.7 billion in 2019. To protect against BEC, RV dealers need to ensure that employees are familiar with the company’s cyber security policies and how to handle suspicious emails, including not opening links from an unknown sender’s email, carefully examining sender addresses and escalating the situation should they think they’ve been targeted.
RV dealers should also invest in training to help employees ward off social engineering attacks, which use a person’s digital footprint and their online presence to scam unsuspecting individuals out of money or sensitive data. Best practices include keeping personal information off social and digital channels, regularly reviewing privacy settings and verifying any requests for payment or personal information – even if it seems to come from someone you know.
Trainings should also cover “vishing,” through which cyber criminals use tactics such as spoofing trusted phone numbers or using robocalls with urgent messages, as well as “smishing,” a tactic that targets consumers via text message. More in-depth training should be provided for employees most likely to be targeted, like CEOs, CFOs, finance departments, human resources and payroll staff.
Connecting On the Go
Wi-Fi is available nearly everywhere, and it’s tempting to connect to free Wi-Fi for faster data speeds. However, using public or unsecured Wi-Fi can expose private information to cyber criminals who watch individuals’ keystrokes to uncover PINs and passwords or employ malware to do the same. Once these criminals have access to your device, they can access confidential personal and business information or perpetrate identity theft.
Employees can protect themselves and company information by minimizing the amount of personal and sensitive data stored on devices and by using a virtual private network (VPN) connection when possible. RV dealers should strongly discourage employees from using public Wi-Fi networks and disable remote and automatic connections to Wi-Fi or Bluetooth networks.
Protecting Home Networks
Wireless networks and connected devices are turning homes into digital hubs. Today, more employees are connecting work devices to their home networks, which can be more vulnerable to compromise, enabling cyber criminals to access both your personal and work data.
To minimize risks, employees should change the default network name and administrative password on their home routers and opt for names that don’t easily identify the employee or the company. Organizations should also encourage employees to use the strictest security settings and encryption on their router. It’s also critical that IT leaders keep antivirus and firewall software up to date on work devices and recommend that employees turn off routers if they are away from home for an extended period.
Managing Mobile Devices
Mobile devices are especially vulnerable to cyber threats because they are used in thousands of places. They make attractive targets because one phone, tablet or wearable device could help criminals access an employee’s financial, social and email accounts.
RV dealers should instruct employees to lock their mobile devices with a strong password of at least eight characters and use multifactor authentication if the device supports it. Anti-theft software can also locate mobile devices remotely if they are lost or stolen. Employees should only download apps from official app stores and alert IT immediately if they receive an unknown password reset alert.
Managing Third Parties
Enterprise connections to third-party suppliers are critical targets for cyber criminals. Utilizing common threat methods such as business email compromise, these criminals search for gaps within these supply chains in order to gain a foothold into their target’s operating processes. RV dealers can minimize these risks by establishing strict contracts that require third parties to maintain tight security policies and by developing key contact procedures to safeguard against criminals interfering with business processes. Effective third-party management should also extend to a company’s technology platforms. Once in place, these policies require continuous compliance monitoring and reporting, either through remote audits or automated, real-time inspections.
Awareness and comprehensive preparation are critical for RV dealers to mitigate the risks of cyber threats. While risks evolve, socialization and education of cyber security basics, both internally and with contracted third parties, can provide a strong layer of defense.
Authors: Derek Comestro, market executive, dealer financial services; and Craig Froelich, chief information security officer, Bank of America