Automotive retailers are becoming increasingly sophisticated and disciplined in the prevention and detection of traditional forms of fraud. However, cyber fraud is an emerging area of increasing risk, and deserves to be at the top of every business owner's agenda.
In this newsletter, we are delighted to interview Jean-Marie Abi-Ghanem, Head of Cyber Risk Services at Moore Stephens Melbourne. Jean-Marie provides an insight into key cyber risk areas that all business owners should be aware of and basic steps that can be implemented to strengthen existing controls and processes.
Is cyber fraud more difficult to detect than other forms?
Unless you understand and actively monitor your systems and applications, it is sometimes months before an organisation is aware of a breach or a cyber incident. We have recently seen how many high-profile organisations in the US and the UK lost millions of their clients' personal and payment records, and in many instances it was months before this was detected. Detection of fraud in a timely manner requires expertise and investment. Fraud in general, whether cyber or not, is difficult to detect.
How can automotive retailers minimise their risk exposure to cyber fraud?
The key is to understand and identify what you are protecting and what needs to be secure. You will need to identify and clearly document critical assets (e.g. client databases).
Exposure to cyber fraud can be minimised by:
- Understanding how and where critical data is stored, how it is accessed and by whom.
- Being aware of the controls you have around protection of critical data and how to recover the data in the case of loss or data corruption.
- Controlling and limiting who has access to critical and sensitive data.
- Encrypting data when at rest and when in transit.
- Performing regular security testing of your online and mobile applications.
- Educating staff about key cyber threats (e.g. phishing emails).
Are dealership and franchisor websites and mobile phone applications (e.g. service booking apps) a potential risk?
If you are online, you are at risk. You want to avoid your application becoming a remote control that is used to communicate with and expose the database behind it. A website or mobile application developed without security in mind becomes an easy door to your backend data.
Additionally, your systems could be open to defacement (e.g. hijacking of your website).
Automotive retailers operate many data-sharing platforms with their key stakeholders (e.g. franchisors, distributors, finance companies, independent online lead providers). Whose responsibility is it to address the risk of cyber fraud that could arise from using these systems?
Some of the key cyber incidents that have hit the retail market in the US and the UK involved instances where a business partner's site had been compromised in order to access the company's system. It is important, when accessing or connecting with a third-party environment, to have in place the relevant controls to protect your environment from a potential breach of the partner's network. Additionally, organisations sometimes outsource certain business functions; this should not reduce their responsibility for protecting their systems and data, or their compliance with privacy regulations.
In summary, each party should still ensure and monitor the protection of their systems and data.
In the situation where a dealership's systems have been fraudulently accessed, are there any ways to assist in early detection of this situation?
Based on recently discovered cyber breaches it is evident that most cases have been going on for many months or years without being detected. In many instances, the breach was detected by chance. To assist in early detection of fraudulent activities, it is crucial to actively monitor the systems that host your key assets. In conjunction, key forums and hacker sites should be monitored for leaked information about your organisation.
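The following is an added example, not part of the interview, of what "actively monitoring the systems that host your key assets" can look like in practice for a dealership's client database. It reads a small, constructed access log (the log format, account names, thresholds and business-hours window are all assumptions for this illustration, not a real dealer management system's format) and raises two kinds of alert: access to sensitive tables outside business hours, and any one account pulling an unusually large number of client records within an hour, which is how a bulk export of a client database would show up.

```python
"""Added example: flagging suspicious access to a dealership's client database.

Assumed log format (constructed for this example, not from any real system):
  <ISO timestamp> user=<account> action=<READ|EXPORT> table=<name> rows=<n> src=<ip>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions; tune them to the dealership's real baseline.
BULK_ROWS_PER_HOUR = 2000          # more sensitive rows than this per user per hour is suspicious
BUSINESS_HOURS = (7, 20)           # 07:00-20:00 local; access outside this window is flagged
SENSITIVE_TABLES = {"clients", "finance_applications"}

# Constructed sample log: a normal salesperson, a service account pulling the
# client table in chunks at 2 a.m. from an external address, and a large export.
SAMPLE_LOG = """\
2014-03-12T09:05:11 user=jsmith action=READ table=clients rows=12 src=10.0.0.15
2014-03-12T09:20:44 user=jsmith action=READ table=vehicles rows=40 src=10.0.0.15
2014-03-12T02:14:07 user=svc_leads action=READ table=clients rows=800 src=203.0.113.7
2014-03-12T02:31:52 user=svc_leads action=READ table=clients rows=900 src=203.0.113.7
2014-03-12T02:48:19 user=svc_leads action=READ table=clients rows=950 src=203.0.113.7
2014-03-12T14:02:00 user=mlee action=EXPORT table=finance_applications rows=3000 src=10.0.0.22
"""


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict with a datetime and int row count."""
    ts_text, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec["rows"] = int(rec.get("rows", 0))
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_alerts(records):
    """Return a list of (alert_type, user, detail) tuples for the given records."""
    alerts = []

    # 1. Access to sensitive tables outside business hours.
    for rec in records:
        in_hours = BUSINESS_HOURS[0] <= rec["ts"].hour < BUSINESS_HOURS[1]
        if rec["table"] in SENSITIVE_TABLES and not in_hours:
            alerts.append(("out_of_hours", rec["user"], rec["ts"].isoformat()))

    # 2. Bulk retrieval: rows from sensitive tables per user over a sliding one-hour window.
    by_user = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["table"] in SENSITIVE_TABLES:
            by_user[rec["user"]].append(rec)

    for user, recs in by_user.items():
        window, total, flagged = [], 0, False
        for rec in recs:
            window.append(rec)
            total += rec["rows"]
            # Drop records older than one hour relative to the current record.
            while rec["ts"] - window[0]["ts"] > timedelta(hours=1):
                total -= window.pop(0)["rows"]
            if total > BULK_ROWS_PER_HOUR and not flagged:
                alerts.append(("bulk_access", user, total))
                flagged = True  # one alert per user is enough to trigger investigation
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

In this sample the salesperson's daytime reads produce nothing, the service account is flagged three times for out-of-hours access to the client table and once for pulling 2,650 client rows within an hour, and the 3,000-row export is flagged even though it happened during the day. In a real deployment the records would come from the database or application logs rather than a string, and the alerts would go to whoever is responsible for reviewing them daily rather than being printed.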
How can a dealership's employees be educated in order to recognise and mitigate a dealership's risk?
It is important for employees to understand and recognise the value of the data and information they handle in their day-to-day work. Sometimes, a small piece of information by itself is of little value but combined with other pieces of information can create significant risk if not protected.
Your employees should at least be educated about the following risk areas:
- Basic protocol regarding phishing emails or clicking on a link in an email received from an unknown sender. A lack of education in this area can place the whole organisation at risk.
- Carrying an unencrypted USB stick with the company's sensitive or personal data about clients or employees is risky, as this could easily be misplaced or lost.
- Providing third party access to your network without a proper assessment of that third party.
What basic steps can a dealership follow in order to minimise their risk of cyber fraud?
- Build secure applications (e.g. Mobile, Web).
- Perform regular testing of applications including internal, online and mobile applications. This is known as 'penetration testing'.
- Assess and secure the company's network, including the wireless
This publication is issued by Moore Stephens Australia Pty Limited ACN 062 181 846 (Moore Stephens Australia) exclusively for the general information of clients and staff of Moore Stephens Australia and the clients and staff of all affiliated independent accounting firms (and their related service entities) licensed to operate under the name Moore Stephens within Australia (Australian Member). The material contained in this publication is in the nature of general comment and information only and is not advice. The material should not be relied upon. Moore Stephens Australia, any Australian Member, any related entity of those persons, or any of their officers employees or representatives, will not be liable for any loss or damage arising out of or in connection with the material contained in this publication. Copyright © 2014 Moore Stephens Australia Pty Limited. All rights reserved.