Stateside takes a look at some low-cost ways to prepare for or prevent cybersecurity disruptions to your collision business.
Collision repair shops of all sizes in the US likely felt the impact of a cyberattack last year, albeit indirectly. Two such attacks on CDK Global last summer hindered parts and body shop operations at thousands of new-car dealerships around the country, and also affected independent collision repairers trying to order parts from those dealers. It is a good example of how cybersecurity at shops goes beyond having your own systems and data secure.
“CDK was like a fifth level supplier to us. It was not on our radar, but it had such a big impact,” Ashley Denison, chief information officer for Caliber Collision, the largest repair chain in the United States, acknowledged during a recent panel discussion on data security. “Our shops couldn’t order parts. We had to make sure that [our systems] were safe and secure and had no direct connectivity, but our operations were stopped, and we had to pull people off of projects. And it took us months to clean that up.”
It demonstrated how deep the connection is among shops and suppliers, she says, and it prompted Caliber to look more closely at all of its dependencies and to plan what it would do “if another CDK happened.”
“It’s not just about protecting Caliber, but how do we react when something outside of Caliber happens,” Denison says.
Think about what your company would do, she suggested, if, say, your estimating system provider had a similar issue and went down for days or weeks.

“What would you do to continue to bring revenue into your locations,” Denison says. “So, thinking through all those pieces of the chain from revenue and suppliers, and either getting secondary suppliers, which is really hard, or thinking through: How do you keep people working? How do you keep getting people paid? Having transparency with your vendors becomes super important. That’s why we’re working with [our vendors] to understand their communication plan. Then, at the moment we hear something from them, what would then be our actions? How would we tell our stores? And then how do we tell operations: This is what our plan is. We’re going to have to go to paper and pencil for a while. And it’s hard to think through, but we prepare.”
She compared it to preparing for a hurricane or wildfire or other natural disaster.
“You know what you would do in that instance, and I think this is exactly the same,” she says. “What would it do to business continuity if something happened for your paint distributor or any of your vendors? How would you react? And do you have somebody next in line to take up that slack?”
Simple step could have sped up response
Denison recalled the first time Caliber had a third party come in to run an exercise to assess the company’s plans and procedures for a hypothetical emergency.
“They tell us the scenario and they say, ‘What are you going to do,’” Denison says. “And all of us turned to our computers. They’re like, ‘You’ve already failed.’ All our communications plans, all our numbers, everything was stored in a document on the network. So we had failed from that very first line. So it’s about thinking through those things. Things as simple as: Do I have [Caliber CEO] David Simmons’ cell phone number saved in my phone so that if something happened, I could get in touch with him and I’m not reliant on the Caliber infrastructure to do it.”
The CDK cyberattacks taught the company it didn’t know which management system each of its dealer suppliers uses.
“Our supply chain had a ton of work to get done immediately, and they did a phenomenal job, but we could have been 24 hours sooner to a solution if we’d just known that,” Denison says.
Basic protective steps don’t cost much
In terms of your own company’s cybersecurity, Spencer Colemere of Cisco says there are a few basic things to do that are free or inexpensive.
“The first is to have a password policy,” Colemere says. “Require passwords. Ask people not to write down their passwords on a notepad. Installing and using a password manager is a good idea. Another approach is multifactor authentication. Most applications now have multifactor authentication built in. So there’s a lot of easy, free things we can do that are built into applications today. We just need to take the time to turn those switches on.”
Making sure all software is regularly updated is another good step, Colemere says.
“There are all these vulnerabilities in software that people can use and can exploit,” he says. “So we need to make sure we’re patching those, and keeping the software up-to-date. There have been a lot of exploits in the last couple years where people find a back door through a vulnerability [in software] that was fixed a year ago that the company didn’t ever update.”
Low-cost
Denison, too, pointed to low-cost steps collision repairers can take, such as making sure they are using the built-in tools within Microsoft products.
“We all have Windows machines, because that’s what our software runs on, so use all the tools [in that software] that you already have today, the tools Microsoft brings to the table that you’re already paying for but just might not know to use, before you start spending a ton of money,” Denison says. “Make sure that the investment you already have, you’re using to the fullest.”
Colemere also offered some precautions about artificial intelligence (AI) in the workplace.
“Are your employees going to third-party applications, like ChatGPT, as part of their work,” Colemere asked repairers to consider. “If you go to ChatGPT, if you’re exposing anything to OpenAI or ChatGPT, they can now see that and train on that data. So we have to be careful both in the AI we’re building for our business to make sure that’s safe and secure, but also about employee usage of third-party AI, making sure they aren’t exposing our intellectual property to these third-party applications.”
Call in the experts
Beyond all these basic steps, Colemere says, as a company gets larger, it likely will need to bring in experts to implement tools to help detect and prevent cyberattacks.
“I don’t know if I have the best answer in terms of when you make that next leap of investment,” Colemere says. “It’s really a risk decision that the organization needs to make: How much risk do you want to expose yourself to? And at what point do I start investing to mitigate or reduce that risk?”

