Low-Cost Steps Can Prepare For, Prevent Cybersecurity Disruptions to Collision Shops

Repairers need to prepare for potential cyber attacks not just on their own business, but on suppliers and vendor partners.

A panel discussion on cybersecurity at the MSO Symposium included, from left: Caliber Collision’s Ashley Denison, Spencer Colemere of Cisco, Jerry Davis of Microsoft and Kyle Rankin of CCC Intelligent Solutions.

Collision repair shops of all sizes in 2024 likely felt the impact of a cyberattack, albeit indirectly. Two such attacks on CDK Global over the summer hindered parts departments and body shop operations at thousands of dealerships around the country.

The disruption also affected independent collision repairers who order parts from those dealers -- a good example of how cybersecurity at shops goes beyond securing their own systems and data.

“CDK was like a fifth-level supplier to us. It was not on our radar, but it had such a big impact,” Ashley Denison, chief information officer for Caliber Collision, acknowledged during a panel discussion on data security at the MSO Symposium in Las Vegas. “Our shops couldn’t order parts. We had to make sure that [our systems] were safe and secure and had no direct connectivity, but our operations were stopped and we had to pull people off of projects. And it took us months to clean that up.”

It demonstrated how deep the connection is among shops and suppliers, she said, and it prompted Caliber to look more closely at all of its dependencies and to plan what it would do “if another CDK happened.”

“It’s not just about protecting Caliber, but how do we react when something outside of Caliber happens,” Denison said.

Think about what your company would do, she suggested, if, say, CCC Intelligent Solutions had a similar issue and went down for days or weeks.

“What would you do to continue to bring revenue into your locations?” Denison asked. “So thinking through all those pieces of the chain from revenue and suppliers, and either getting secondary suppliers, which is really hard, or thinking through: How do you keep people working? How do you keep getting people paid?

“Having transparency with your vendors becomes super important, CCC being one of the big ones out there,” Denison said. “That’s why we’re working with them to understand their communication plan. Then, the moment we hear something from them, what would then be our actions? How would we tell our stores? And then how do we tell operations: This is what our plan is. We’re going to have to go to paper and pencil for a while. And it’s hard to think through, but we prepare.”

She compared it to preparing for a hurricane, wildfire or other natural disaster.

“You know what you would do in that instance, and I think this is exactly the same,” she said. “What would it do to business continuity if something happened for your paint distributor or any of your vendors? How would you react? And do you have somebody next in line to take up that slack?”

Simple Step Could Have Sped Response

Denison recalled the first time the company had a third party come in to run an exercise to assess the company’s plans and procedures for a hypothetical emergency.

“They tell us the scenario and they said, ‘What are you going to do,’” Denison said. “And all of us turned to our computers. They’re like, ‘You’ve already failed.’ All our communications plans, all our numbers, everything was stored in a document on the network. So we had failed from that very first line. So it’s about thinking through those things.

“Things as simple as: Do I have [Caliber CEO] David Simmons’ cell phone number saved in my phone so that if something happened, I can get in touch with him and I’m not reliant on the Caliber infrastructure to do it.”

The CDK cyberattacks taught the company it didn’t know which management system each of its dealer suppliers uses.

“Our supply chain had a ton of work to get done immediately, and they did a phenomenal job, but we could have been 24 hours sooner to a solution if we’d just known that,” Denison said.

Basic Protective Steps Don’t Cost Much

In terms of your own company’s cybersecurity, Spencer Colemere of Cisco said there are a few basic things to do that are free or inexpensive.

“The first is to have a password policy,” Colemere said. “Require passwords. Ask people not to write down their passwords on a notepad. Installing and using a password manager is a good idea.

“Another approach is multifactor authentication,” Colemere said. “Most applications now have multifactor authentication built in. So there’s a lot of easy, free things we can do that are built into applications today. We just need to take the time to turn those switches on.”

Making sure all software is regularly updated is another good step, Colemere said.

“There are all these vulnerabilities in software that people can use and can exploit,” he said. “So we need to make sure we’re patching those, and keeping the software up to date. There have been a lot of exploits in the last couple years where people find a back door through a vulnerability [in software] that was fixed a year ago that the company didn’t ever update.”

Denison, too, pointed to low-cost steps collision repairers can take, such as making sure they are using the built-in tool options within Microsoft products.

“We all have Windows machines, because that’s what our software runs on, so use all the tools [in that software] that you already have today, the tools Microsoft brings to the table that you’re already paying for but just might not know to use, before you start spending a ton of money,” Denison said. “Make sure that the investment you already have, you’re using to the fullest.”

Jerry Davis, customer security officer for Microsoft, said there is help available through the federal government.

“There’s an organization called the Cybersecurity and Infrastructure Security Agency (CISA),” Davis said. “It’s part of Homeland Security, and they’re responsible for cybersecurity of the nation. They do a lot of public-private partnerships, and they create a lot of guidance for the public at large. And if you go to their website there’s all sorts of information, tools and guidance, specifically for small and medium-sized businesses. It’s free. So if you don’t know how to get started, CISA is a great place.”

Colemere offered precautions about artificial intelligence (AI) in the workplace.

“Are your employees going to third-party applications, like ChatGPT, as part of their work?” Colemere asked repairers to consider. “If you go to ChatGPT, if you’re exposing anything to OpenAI or ChatGPT, they can now see that and train on that data. So we have to be careful both in the AI we’re building for our business to make sure that’s safe and secure, but also about employee usage of third-party AI, making sure they aren’t exposing our intellectual property to these third-party applications.”

Beyond all these basic steps, Colemere said, as a company gets larger, it likely will need to bring in experts to implement tools to help detect and prevent cyberattacks.

“I don’t know if I have the best answer in terms of when you make that next leap of investment,” Colemere said. “It’s really a risk decision that the organization needs to make: How much risk do you want to expose yourself to? And at what point do I start investing to mitigate or reduce that risk?”

John Yoswick

Writer
John Yoswick is a freelance writer and Autobody News columnist who has been covering the collision industry since 1988, and the editor of the CRASH Network...
