Priority Paramount in Auto Repair Shops’ Cybersecurity Practices

Establishing a plan to prevent a cyberattack can feel overwhelming. Experts offered tips to take a strategic approach.


What are an automotive repair shop’s high-value assets and critical dependencies necessary to run the shop? What tranche of digital data should they prioritize for protection?

These are among the questions that independent repair businesses should ask themselves when deciding how to increase their cybersecurity, according to Daniel Eliot, lead for small business engagement at the National Institute of Standards and Technology’s (NIST’s) Applied Cybersecurity Division.

Asked during an Auto Care Association cybersecurity webinar how automotive repair shops can protect themselves from a cybersecurity standpoint, Eliot said companies often get overwhelmed when they start considering cybersecurity.

“We start saying, ‘Oh my God, I need to protect everything,’” he said during his presentation. “And yes, it's great to protect everything, but you really need to, with limited resources, take a strategic approach and prioritize your resources. And so I always start with that and just synthesize that cybersecurity is continuous improvement.”

Additionally, shops should educate their employees in terms free of technical jargon, Eliot added.

Small businesses can check the NIST Small Business Quick-Start Guide for tips on how they can implement cybersecurity best practices. That framework breaks out key components of cybersecurity into a circle with “Govern” on an inner ring, and the prongs of “Identify,” “Protect,” “Detect,” “Respond” and “Recover” on an outer ring.


The “Govern” component directs small businesses to take actions like understanding how cybersecurity risks can disrupt achievement of a business mission and internally communicating leadership’s support of a “risk-aware, ethical and continually improving culture.”

“Identify” means assessing information technology (IT) and other assets for potential vulnerabilities, among other things. “Protect” translates to actions like prioritizing multifactor authentication on all possible accounts, as well as full-disk encryption on all tablets and laptops to safeguard data. More information on the other aspects of the framework can be found on the webpage linked above.

Though auto care companies may not suspect a cyberattack would ever happen to them, one can happen anywhere at any time, and repair shops should start implementing cybersecurity best practices right now, Anthony Keith, vice president of IT for Austin-based Arnold Oil Co., said during the Auto Care webinar.

The firm dealt with a ransomware attack in May 2023. Systems went offline. Upon investigation, employees could see commands being run on the company’s system, and proprietary data was being encrypted by the hackers.

Arnold Oil first pulled the plugs out of its walls to manually take the system offline, then made sure the hackers were not still in their system after catching them three hours after they broke in. The company reached out to insurance providers, who told the firm a Russian hacking network had sliced into the system.

The system was down three days before the company started bringing it back up, Keith said. It took a full month to get everything back online, and there are still lingering effects.

The company took a hard look at its cybersecurity practices. Arnold had a toolset of cybersecurity principles it was already following, but it is now being more deliberate about them, even if that risks slight, short-term productivity losses, Keith said.

“Maybe it's OK if it takes you an extra click to do something, or if you have to enter your password one extra time, or the fact that you have to change your password periodically,” he added. “Those are things that … definitely made people question, ‘Why are we doing this?’ Well, now we all know why we're doing this, right? We know that those little things make a big difference in the end.”

Automotive repair companies can follow this model of simple security improvements to beef up their cybersecurity defenses, Keith said.

“Take those small steps towards securing yourself, because it is a whole lot less painful to do it on the front end than to have to go through what we went through,” Arnold Vice President Ashlee Arnold said during the webinar. “It's amazing how many others have come forward since then saying, ‘Yeah, we went through it, too.’ You just don't know about it until after the fact.”

Brian Bradley

Writer
Brian Bradley is a freelance writer based in Bunker Hill, WV. He has written about various industry topics including international trade, tech regulation,...