Automotive retailers are becoming increasingly sophisticated and disciplined in the prevention and detection of traditional forms of fraud. However, cyber fraud is an emerging area of increasing risk, and deserves to be at the top of every business owner's agenda.
In this newsletter, we are delighted to interview Jean-Marie Abi-Ghanem, Head of Cyber Risk Services at Moore Stephens Melbourne. Jean-Marie provides an insight into key cyber risk areas that all business owners should be aware of and basic steps that can be implemented to strengthen existing controls and processes.
Is cyber fraud more difficult to detect than other forms of fraud?
Unless you understand and actively monitor your systems and applications, sometimes it is months before an organisation is aware of a breach or a cyber incident. We have recently seen how many high profile organisations in the US and the UK lost millions of their clients' personal and payment records, and in many instances it was months before this was detected. Detection of fraud in a timely manner requires expertise and investment. Fraud in general, whether cyber or not, is difficult to detect.
How can automotive retailers minimise their risk exposure to cyber fraud?
The key is to understand and identify what you are protecting and what needs to be secure. You will need to identify and clearly document critical assets (e.g. client databases).
Exposure to cyber fraud can be minimised by:
- Understanding how and where critical data is stored, how it is accessed and by whom.
- Being aware of the controls you have around protection of critical data and how to recover the data in the case of loss or data corruption.
- Controlling and limiting who has access to critical and sensitive data.
- Encrypting data when at rest and when in transit.
- Performing regular security testing of your online and mobile applications.
- Educating staff about key cyber threats (e.g. phishing emails).
Are dealership and franchisor websites and mobile phone applications (e.g. service booking apps) a potential risk area?
If you are online, you are at risk. You want to avoid your application becoming a remote control that is used to communicate with and expose the database behind these applications. A website or mobile application developed without security in mind becomes an easy door to your backend data.
Additionally, your systems could be open to defacement (e.g. hijacking of the website).
Automotive retailers operate many data-sharing platforms with their key stakeholders (e.g. franchisors, distributors, finance companies, independent online lead providers). Whose responsibility is it to address the risk of cyber fraud that could arise from using these systems?
Some of the key cyber incidents that have hit the retail market in the US and the UK involved instances where the company's business partner's site had been compromised in order to access the company's system. It is important when accessing or connecting with a third party environment to have in place the relevant controls to protect your environment from a potential breach of the partner's network. Additionally, organisations sometimes outsource certain business functions. This should not reduce their responsibility for protecting their systems and data or their compliance with privacy regulations.
In summary, each party should still ensure and monitor the protection of their systems and data.
In the situation where a dealership's systems have been fraudulently accessed, are there any ways to assist in early detection of this situation?
Based on recently discovered cyber breaches it is evident that most cases have been going on for many months or years without being detected. In many instances, the breach was detected by chance. To assist in early detection of fraudulent activities, it is crucial to actively monitor the systems that host your key assets. In conjunction, key forums and hacker sites should be monitored for leaked information about your organisation.
How can a dealership's employees be educated in order to recognise and mitigate a dealership's risk exposure?
It is important for employees to understand and recognise the value of the data and information they handle in their day-to-day work. Sometimes, a small piece of information by itself is of little value, but combined with other pieces of information it can create significant risk if not protected.
Your employees should at least be educated about the following risk areas:
- Basic protocol regarding phishing emails or clicking on a link in an email received from an unknown sender. A lack of education in this area can place the whole organisation at risk.
- Carrying an unencrypted USB stick with the company's sensitive or personal data about clients or employees is risky, as this could easily be misplaced or lost.
- Providing third party access to your network without a proper assessment of that third party.
What basic steps can a dealership follow in order to minimise their risk of cyber fraud?
- Build secure applications (e.g. Mobile, Web).
- Perform regular testing of applications including internal, online and mobile applications. This is known as 'penetration testing'.
- Assess and secure the company's network, including the wireless
This publication is issued by Moore Stephens Australia Pty Limited ACN 062 181 846 (Moore Stephens Australia) exclusively for the general information of clients and staff of Moore Stephens Australia and the clients and staff of all affiliated independent accounting firms (and their related service entities) licensed to operate under the name Moore Stephens within Australia (Australian Member). The material contained in this publication is in the nature of general comment and information only and is not advice. The material should not be relied upon. Moore Stephens Australia, any Australian Member, any related entity of those persons, or any of their officers employees or representatives, will not be liable for any loss or damage arising out of or in connection with the material contained in this publication. Copyright © 2014 Moore Stephens Australia Pty Limited. All rights reserved.