Another month brings another massive supply chain hack. This time, the impacted technology was SaaS, or Software-as-a-Service, a cloud-based platform created by CDK Global and used, according to some reports, by as many as 50% of US car dealerships. Of chief concern is the fact the software provides dealerships a platform to manage documents, customer relationships, and financial transactions: amassing a trove of data within a single repository.
While details continue to emerge, we know that most dealerships embraced all three uses, increasing the severity of the incident.
This is a stark reminder that, while a supply chain vendor may provide efficiencies, such as single-source software, choosing convenience over security can produce a catastrophe.
Industries like automotive sales should raise security standards, institute regular assessment of IT infrastructure, and adopt prospective security measures like penetration testing. The finance industry which has focused on supply chain security for decades can serve as a model for best practices.
With this incident firmly in mind, dealers should demand more from their supply chain, including ISO certifications, penetration testing, and air gapped IT infrastructure to separate financial systems from customer relationship management systems and, in this instance, the distribution management system. Lateral movement across those systems needs to be much more difficult, if not next to impossible.
The fallout does not stop when the systems come back online. Regulatory scrutiny may follow - in most instances, the dealers are considered financial institutions and breach notification may be required. This poses significant challenges for small businesses and dealers that have already been crippled by the breach.
In ramping up its cyber defenses and incident response readiness, dealers are well advised to work with subject matter experts to navigate the complex terrain ahead.