Auto Dealership Cybersecurity: Ransomware Response Plan

Auto dealerships are facing an increasing number of cyberthreats that can debilitate operations and compromise customer and financial data.
Creating a ransomware response plan is a critical piece of any dealership’s preparedness.
By implementing basic controls and best practices, an incident response plan can improve security for dealerships, even those with limited IT and cyber defense budgets.

When a software and applications vendor was compromised by ransomware in June 2024, thousands of auto dealerships felt the effects. Essential management systems became inaccessible, sales and financing transactions went manual or stopped, and sensitive customer and business data was compromised. By one estimate, auto dealerships lost over 50,000 new vehicle sales and suffered over $1 billion in damages in the month after the incident was reported.¹

Although this was an “upstream” incident that began with a critical service provider, the ransomware event highlighted the elevated risk auto dealerships face. A 2024 study found that 35% of surveyed dealers had dealt with some type of cyber incident in the past year. What’s more, ransomware was rated as the most serious cyberthreat these businesses face.²

In this environment, every dealership needs a plan for what they must do if they’re targeted.

Even dealerships that lack the resources to hire security professionals or invest in advanced controls can greatly improve their defenses by constructing a response plan that includes proactive measures such as data protection, raising employee awareness and implementing core best practices.

A plan that outlines how a business can prepare against cybersecurity threats and respond to incidents can help limit the damages related to loss of data and operations. It can also improve the chances of avoiding many types of incidents, including ransomware.

The guidelines below can help dealerships create a response framework that can be tailored to their specific organization and capacity for planning.

Ransomware response depends on a timely assessment of a live incident’s severity and impact, clearly defined roles and reactions and a thorough investigation to ensure the threat is neutralized and operations can be brought back to a secure state. To be effective, your strategy must be in place before an incident occurs. Here’s how to get started.

1. Prepare

Educate key personnel regarding current cyber-risks and objectives of cybercriminals.
Appoint the most qualified individual to lead the creation, implementation and updating of the response plan. Alternatively, you can supervise a contract with a professional security vendor that creates the response plan.
Conduct a company risk assessment and be sure to include data inventory.
Create and maintain encrypted, offline or immutable backups of essential company and customer data.
Implement strong protections around identity and access management, such as multifactor authentication on all devices that can access company networks.
Formulate, test and continuously evolve the response plan. It should identify stakeholders and their roles, communication tactics and off-network channels, reporting procedures required by regulatory bodies or local law enforcement, and criteria for restoration of safe states.

2. Back up and test

Regularly confirm the integrity of backups.
Do not look at backups as the “last line of defense.” No backup method is 100% cybersecure, and stealthy bad actors can corrupt backups even before they launch ransomware.

3. Detection and assessment

Use security tools to monitor network traffic for evidence of an adversary’s presence or movement, and issue alerts.
Assess which systems are easily compromised by ransomware and isolate them. Coordinate shutdown of all devices that cannot disconnect from affected systems.
Reset all credentials and passwords connected to affected systems.

4. Communication and reporting

Inform all internal teams and stakeholders on a preselected communication channel to ensure individuals essential to the response are engaged.
As needed, report the incident to affected third parties or vendors that assist your dealership with security and incident response.
Notify cybersecurity agencies and/or local law enforcement to maintain regulatory compliance and to receive additional assistance or guidance.
Communicate with third parties and clients to ensure they have not experienced financial impacts after the incident.

5. Containment and remediation

Disable any system involved in the initial breach, as well as connected systems that malicious actors could use to access other parts of the company network or data systems.
Analyze network traffic and endpoints for evidence of the malicious actors’ persistence. Remediate vulnerabilities.
Rebuild the systems that are most critical to business operations.
Reset passwords and permissions.

6. Recovery and response plan update

Complete a thorough forensic analysis of the incident and document all steps taken to eliminate the ransomware or remove footholds the threat actor established.
Confirm that backups remain uncorrupted and don’t contain malicious payloads. Restore affected systems.
Inform all relevant third parties and oversight agencies of the steps taken and removal of the threat.
Make improvements to company systems based on forensics.
Continue to maintain vigilance. Update security systems regularly and adapt employee training to reflect lessons learned.

¹Anderson Economic Group, “Dealer Losses Due to CDK Cyberattack Reach $1.02 Billion.”

²CDK Global, “The State of Dealership Cybersecurity 2024.”

New threats emerge every day that can negatively impact transactions and businesses. Explore the latest insights and resources to help prepare and protect you and your business.

This increasingly common scam can be costly for you or your company. Here’s how to spot the five telltale signs of a phishing email.

The growth of cloud environments and artificial intelligence has vastly increased the collection and storage of data. Consider these eight strategies to minimize external and internal data-security threats.

3 min read

Dealers face complex challenges and we deliver specialized auto industry expertise and solutions to help you succeed.

A ransomware response plan is essential for auto dealers

High-profile cyber incidents have highlighted the need for auto dealerships to prepare for the impacts due to loss of critical services and theft of sensitive data. Here are some factors to consider when creating an incident response plan.

Key takeaways

Why a ransomware response plan is essential

Key elements of a ransomware response plan

Fraud & Cybersecurity

Explore More

How to detect – and avoid — phishing scams

Is it time to refresh your data protection program?

Dealer Financial Services