Cybersecurity culture starts at the top of any business, panelists say
Announcements | Business Practices
Cybersecurity is a business risk that needs to be addressed at the top to protect employees, customers, and business interests, panelists on the Data Security, System Stability & The Current State of the Collision Repair Industry panel said during the 2024 MSO Symposium Monday.
This past summer, a ransomware attack on CDK rattled the dealership and collision repair industries. In response to the attack, the company shut down its management system, which serves 15,000 dealerships, and the outage also disrupted parts ordering and inventory management for collision businesses. The system remained down for nearly two weeks.
Ashley Denison, Caliber Collision Centers chief information officer, said the attack uncovered how connected every business is to others. She said CDK is a fifth-level supplier to Caliber.
“It was not on our radar but it had such a big impact,” Denison said.
The attack rippled through the supply chain and forced the company to check each of its connections to other businesses for security risk.
“We had to pull people off other projects,” Denison said. “It took us months to clean that up.”
Caliber has been reviewing its connectivity to other companies in each department, including revenue, parts, and labor.
Denison added, “What would we do if another CDK happened? What if some of the claims management systems went down?”
The review includes talking to other companies that Caliber is connected to, she said. For example, Denison said Caliber has asked CCC about its communication plan in the event of a cyber attack.
Denison said Caliber has also been creating its own communication plan in the event of different disruption scenarios and has discussed what steps would need to be taken to keep people working or completing tasks, such as payroll.
Preparation for a cyber attack is just as necessary as preparation for major weather events businesses could face, such as hurricanes or wildfires, Denison said.
“It’s not just about protecting Caliber but how do we react when something outside of Caliber happens?”
Every business should have a Business Continuity Plan (BCP) for when technology no longer works, according to Jerry Davis, Microsoft software and digital platforms security officer.
“When something happens, everybody’s going to get involved,” Davis said during the event. “The CEO’s involved, the board of directors is going to get involved; obviously legal, your communications team. There has to be a plan for how you communicate internally and to customers.”
Kyle Rankin, CCC Intelligent Solutions chief information security officer, said you want to go through exercises, such as tabletop exercises, before something happens.
“One thing I’ve learned in cybersecurity is you never want to learn the lesson as something real is happening,” Rankin said.
A BCP is a playbook on what you are going to do in a cyber attack, he said.
“Obviously, you can’t account for everything,” Rankin said. “But if you can get 90% of the way there through exercising that thought process, that’s a huge thing.”
Rankin said that in a cybersecurity event, time is everything.
Those running a business have to take action on cybersecurity themselves, Davis said.
“Who owns security? In the industry, we say it’s an everybody problem,” Davis said. “Or I like to say, it’s an everybody opportunity. In security, we have to look at it as a business risk. A CEO is managing a number of risks across the business. Cyber is another aspect of a business that needs to be managed.”
Davis said the chief information security officer is implementing and managing the day-to-day security activities on behalf of the business.
He said that the culture is set by global leadership. Microsoft, he said, has faced two recent cybersecurity breaches: one carried out by Chinese actors, which affected a number of government customers and government email accounts, and a second carried out by Russian actors.
“Microsoft started an initiative that’s called Security First and the CEO said that if it comes down to security or features in our products, we’re going to go with security first,” Davis said.
Davis said the new security guidelines are being pushed throughout the company’s culture, but it starts at the top.
Spencer Colemere, a product management leader at Cisco, said that at Cisco, risk and security frameworks are the first priority.
“Part of our role here is building and providing services,” Colemere said. “We have to take a step back and make sure that we’re applying to a number of different risk and security frameworks and to the point where we will make sure that they’re all satisfied and miss a deadline to satisfy these requirements. It is more important for us to go into the market as a secure provider with no holes, no risks in our system than to make it there on time.”
While decisions must start at the top, the panelists said it takes a cybersecurity culture to keep businesses safe.
“Every single person has to be responsible,” Rankin said. “I’m a steward of fostering that culture, pushing it out into the environment, pushing it out into the company but at the end of the day, everybody has to be accountable.”
The industry had a lot of great tools up front, Rankin said, but it started leaning on those tools and almost forgot about the human element.
“If you look at just statistics alone, anywhere from 60% to 90% of breaches are caused by compromised credentials,” Rankin said. “Culture is massively important.”
Colemere said even small businesses should have a password policy, such as requiring that passwords not be written down in a notepad. He said password management tools can be adopted alongside multi-factor authentication.
Databases can be encrypted and their data backed up, he said.
“Another thing that we don’t talk a lot about is making sure that our software is up to date,” Colemere said. “There’s been a lot of exploits in the last couple years where people find their backdoor through a vulnerability that was fixed a year ago and that company didn’t do an update.”
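The patch-lag problem Colemere describes (a fix shipped long ago, but the installed copy was never updated) can be checked mechanically rather than by memory. The script below is an added example for this article, not code from the panelists or their companies: it compares an installed-software inventory against the version that fixed each known issue and reports how long each gap has been open. The inventory, the product names, the advisory identifiers (`HYPO-…`) and the dates are all constructed for illustration and are not real advisories.

```python
"""Patch-lag check: flag installed software still below the version that fixed a known issue.

Added example for this article; not from the panel, Cisco, Microsoft, CCC or Caliber.
All inventory and advisory data below is constructed and hypothetical.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: str   # first version that contains the fix
    fixed_on: date       # date the fix was published
    advisory_id: str     # hypothetical identifier, not a real CVE


# Versions are parsed so that 3.10.0 > 3.9.5 (a plain string compare gets this wrong)
# and a pre-release such as 2.4.0-rc1 sorts below the 2.4.0 release it precedes.
# Assumes dotted numeric versions of up to four components plus an optional "-prerelease".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?$")


def parse_version(v: str) -> tuple:
    """Return a tuple that orders correctly under Python's tuple comparison."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))          # pad so 1.2 == 1.2.0.0
    prerelease = m.group(2)
    # (0, "rc1") sorts before (1, ""), i.e. pre-release < final release
    return nums + ((0, prerelease) if prerelease else (1, ""))


def patch_lag(inventory: dict[str, str], advisories: list[Advisory], today: date) -> list[dict]:
    """Return one finding per deployed product whose installed version predates the fix,
    longest-unpatched first."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.product)
        if installed is None:
            continue  # product not deployed here; nothing to patch
        if parse_version(installed) < parse_version(adv.fixed_version):
            findings.append({
                "product": adv.product,
                "installed": installed,
                "fixed_in": adv.fixed_version,
                "advisory": adv.advisory_id,
                "days_unpatched": (today - adv.fixed_on).days,
            })
    return sorted(findings, key=lambda f: -f["days_unpatched"])


# Constructed sample inventory: product -> installed version (hypothetical products).
INVENTORY = {
    "shop-mgmt": "4.2.1",
    "vpn-gateway": "9.0.0",
    "file-server": "3.10.0",
    "estimating-client": "2.4.0-rc1",
}

# Constructed sample advisories (hypothetical identifiers and dates).
ADVISORIES = [
    Advisory("shop-mgmt", "4.2.1", date(2024, 1, 15), "HYPO-2024-001"),        # already patched
    Advisory("vpn-gateway", "9.1.3", date(2023, 10, 1), "HYPO-2023-017"),      # fix is over a year old
    Advisory("file-server", "3.9.5", date(2024, 6, 1), "HYPO-2024-009"),       # installed is newer
    Advisory("estimating-client", "2.4.0", date(2024, 8, 1), "HYPO-2024-012"), # rc1 predates the fix
    Advisory("not-installed", "1.0.1", date(2024, 5, 1), "HYPO-2024-005"),     # not in inventory
]

TODAY = date(2024, 11, 6)  # fixed "today" so the report is reproducible


def run_check() -> list[dict]:
    return patch_lag(INVENTORY, ADVISORIES, TODAY)


if __name__ == "__main__":
    for f in run_check():
        print(f"{f['product']:<18} {f['installed']:>10} -> {f['fixed_in']:<8} "
              f"{f['advisory']}  unpatched {f['days_unpatched']} days")
```

Run as-is, it reports `vpn-gateway` (402 days behind the fix) and `estimating-client` (97 days), and correctly leaves `file-server` alone even though "3.10.0" sorts before "3.9.5" as a string. In practice the inventory would come from an asset management or package listing export and the advisory list from the vendor's security bulletins; the comparison logic stays the same.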
Colemere said other, more complicated security measures, such as building and installing firewalls, require bringing in experts to prevent attacks.
Denison said there are a lot of free tools connected to Microsoft operating systems and machines that companies can utilize to make their business safer without investing in new products.
“We make sure that they are wearing their safety glasses and their masks correctly and we have dustless sanders and all of those things that protect them physically,” Denison said. “How do we help protect them virtually as well as our customers and our clients? How do we help them see that their bank accounts or addresses, all of those pieces are at risk.”
Davis said businesses should research resources provided by the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security.
“They do a lot of public-private partnerships and they create a lot of guidance for the public at large,” Davis said. “If you go to their website, there’s all sorts of information [and] tools that are specific for small businesses and medium businesses.”
Feature photo: the Data Security, System Stability & The Current State of the Collision Repair Industry panel during the 2024 MSO Symposium on Nov. 6 (Repairer Driven News).