As the collision repair industry increasingly relies on digital information, it’s crucial for repair shops to take steps to protect their data against hackers, Brandon Laur, vice president of CCi Global Technologies, told an audience at the 2021 IDEAS Collide Showcase at the 2021 SEMA Show.

“What we need to start to do is hold this industry accountable to being able to take data security a lot more seriously than what we have,” said Laur, one of nine presenters at IDEAS Collide.

Collision shops and their third-party partners store all sorts of repair-related data — personal identifiable data such as names, phones numbers, addresses and vehicle identification numbers (VINs) — and that data is only as secure as the weakest point in the system, Laur said.

Within the collision repair industry, “there’s not too many breaches, but we hear about people getting taken advantage of through ransomware and different attacks like that,” Laur said. “We as an industry have to protect ourselves.”

“Data security is a really interesting topic and one that I think I never 10 years ago would have found myself speaking about regularly with collision repair shops, but do often today,” said Aaron Schulenburg, executive director of the Society of Collision Repair Specialists, in introducing Laur. “And it is a big concern and it is something that we need to be vigilant about.”

The first step in cyber security is to thwart would-be hackers by decentralizing information. “Data can’t be in one place. It needs to be stored in decentralized environments,” Laur said. He encouraged shops to have their customers give authorization to having their data “moving around between third party systems in the industry.”

“With 36,000 collision centers out there, not all of them are operating the same way. What that means is we’re only as strong as our weakest link,” Laur said. “So if not everybody is getting those authorization agreements complete, we’re in trouble.”

Shops should also be able to talk with their vendors about how data is being stored, where it may move to, and how easily it can be completely deleted, if necessary. He noted that California has adopted the California Consumer Privacy Act, which gives state residents the right to tell companies to delete their data about them.

“Well, that has to go across all your vendor partners as well. So just because you deleted it from your management system doesn’t mean it’s deleted from all the tables out there that are part of these third-party systems that you work with,” Laur said.

He also encouraged shops to consider an approach called “zero trust,” in which “nobody within your collision center or any vendor that you work with has access to all of the data. What we call that is having ‘God permission.’ If somebody has access to all of that data, that means they are the vulnerability point where you can be hacked.”

Typically, devices such as technicians’ cell phones and unsecured WiFi systems are weak links that hackers exploit, Laur said. “How many of you make sure their phones are encrypted so they’re not your entry point?” he said, asking for a show of hands. “Not too many. One.

“The number one area where people are going to get into your system is through your technicians’ phones. So you want to be able to make sure that you have that taken care of so that nobody is going to be coming into your system and taking your data hostage from you.”

Ransomware is a growing problem. According to PBS, a recent report from the Institute for Security and Technology found that “the amount of victims paying the ransom increased more than 300 percent from 2019 to 2020. Experts say the attacks act in a vicious cycle: a company is hit and pays the ransom, the attack is widely publicized, more hackers see the attack’s success and want to do it themselves, with increasing stakes for steeper payouts.”

One prudent step for repair shops is to look into buying a cyber insurance policy, Laur said.

“A lot of our businesses won’t even qualify for cyber insurance. So that’s one of the things you want to start to apply for, to make sure you have it for your business,” he said. “So if you do ever have a breach, or if anybody ever gets into your system, you have an insurance policy and somebody that’ll take over for you and handling the damage control.”

Finally, he said, if a business does have a data breach, it stands a better chance of avoiding damage by being transparent in its communications. “You want to tell the people exactly what happened, where the breach was, how many tables were affected in any of your solutions, and be able to be 100 percent transparent with the market.”

Laur encouraged shop owners and managers to work in concert to protect the industry from cyber crime.

“It’s up to everybody in this room to hold each other accountable, as well and think of ways to continue to move this industry forward as we look at solutions … [being] better connected and making sure they’re doing everything they can to protect the data as well.”

CCi is an information management platform that provides data and intelligence-based tools, solutions and services.

Images

Featured image: Brandon Laur, vice president of CCi Global Technologies. (Provided by CCi Global Technologies)

More information

California Consumer Privacy Act

https://oag.ca.gov/privacy/ccpa

Combatting Ransomware: A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force

Auto body shop cyberattack vectors can include employees, IT remote access