Fending off cyberthreats: The aftermarket is not immune to cyberattacks

Bill
Updated Sep 21, 2018

The following comes from the September 2018 issue of Truck Parts & Service. To read a digital version of the magazine, please click the image below. 

Screen Shot 2018 09 14 At 10 36 58 AmSometimes a good defense makes for a good offense — such is the case when protecting yourself from the myriad ways hackers can disrupt your business. Attacks can range in maliciousness from simple malware that shuts down your website or wreaks havoc with your computer system to data theft or preventing access to your computer system until a ransom is paid.

Cybersecurity experts say hackers look for low-hanging fruit, which are companies with little to no protection. If hackers encounter any sort of resistance, they rarely try to circumvent it and will just move on to the “next guy” in search of a company with no protection. Don’t be that “next guy.”

For the aftermarket parts and service providers that are not taking steps to protect themselves against a cyber-attack, it’s not a matter of if they’re going to get hacked, it’s a matter of finding out they’ve been hacked, says Randy Goggans, cofounder and executive vice president at ThreatAdvice, a cybersecurity education provider.

“When we hear businesses say, ‘We don’t need [cybersecurity],’ what they’re basically saying is they don’t care about protecting their business. If you’re using the Internet to conduct business, it’s important you have proper security measures in place because you have people trying to beat down your door to steal from you,” Goggans says.

The reason cybersecurity is so important is because so much is at stake.

“Distributors need to be concerned about their cybersecurity because that’s their business, that’s their livelihood and if they’re breached, they’re going to lose customers,” says Mark Lanterman, chief technology officer at Computer Forensic Services, a cybersecurity services company.

“If you’re breached, competitors will say to your customers, ‘Look how they blew it. Your data is safe with us. Come and place your orders with us,’” Lanterman adds.

Goggans says 60 percent of small businesses that incur a cyberattack go out of business within six months because they can’t overcome the disruption to their businesses and the damage to their reputations, among other repercussions. “It’s a real epidemic and you will see more stats about businesses that are going out of business as a result of cyberattacks,” he says.

Cyberthreats and tactics

Assaults on companies’ computer systems can come in many different forms and not all hackers are driven by money.

Attackers can be as far away as a foreign country and as close as within a company’s own building. What’s more, not all attacks are perpetrated by hacking into a computer system; they can be executed by phone and an unwitting employee.

AutoPower, a software provider for the aftermarket distribution industry, provides protection from various forms of malware, which is short for malicious software and can include spyware, ransomware and viruses, as well as attacks where hackers attempt to break into a business’ network and take it over, according to Ray Quirindongo, senior network engineer.

“Hackers scan a company’s network and they look for … vulnerabilities. If there’s no firewall in place to stop them from doing that, that’s an entryway for them to get in. Every company has an external IP [address] and if hackers have that public IP, they can do scans from another country,” he says.

Erik Nachbahr, president at technology support fi rm Helion Trucking Technologies, says, “Cybercriminals are using a lot of different schemes, but the main way they’re going at businesses is by trying to trick employees into turning over information to expose their systems to get at their bank accounts or get them to willingly transfer money.” Helion is a partner of Karmak, provider of business management systems.

Typically, they’re doing it over email, Nachbahr says. For example, cybercriminals will pretend to be a principle of the company and send a spoof email to the controller saying he needs the controller to transfer money to a certain account or to pay an invoice, and the accounts belong to hackers.

More than 92 percent of cyberattacks begin with an unsuspecting employee clicking on a bogus or phishing email, according to Goggans. And, these emails have gotten cleverer than the Nigerian Prince who needs money to gain access to his riches that he is willing to share a percentage of if the target helps him.

“These [phishing emails] are com-ing from the [supposed] CEO of the company, people you receive emails from on a daily basis, Amazon, UPS and LinkedIn,” Goggans says, citing a few examples. “The ones we see frequently are for tracking UPS packages. You get an email from UPS, it has the UPS logo and it says ‘Click Here’ to track your package. Once you do, you don’t know that it’s gone to a different webpage and installed malware on your PC and is now running behind the scenes watching every click made, every site you go to and is allowing [hackers] access to your network.”

In addition to phishing, companies need to be aware of other methods of human manipulation. Vishing is a hacker spoofing a company’s phone number so it appears to be an internal call. Hackers might pose as a member of the IT department asking employees to verify their username and password, says Goggans. The use of smishing is similar to vishing, but in text message form.

The advent of bitcoin has created an uptick in ransomware attacks, in which cybercriminals will hack into a com-puter system and lock up its files until a ransom is paid in the decentralized digital currency that’s difficult to trace, Goggans says.

“The biggest takeaway is hackers need our help and we are the weakest link,” says Lanterman, adding that all it takes is for someone to click on a link or download and open an attachment, for example. He says companies “cannot be so arrogant as to think this would never happen to them and an employee will never be tricked — all it takes is one person.

“A lot of these attacks are financially motivated because it’s a hacker’s job,” says Lanterman. “But, the fact is, there are many motivations out there. Maybe a hacker just wants to be a gremlin and start messing with your inventory numbers or start shipping parts to different locations just for a laugh.”

And not every threat comes from a hacker, adds Matt Stea, IT director at CRW Parts. A disgruntled employee with a USB flash drive containing a virus can wreak havoc for a company not properly protected.

Security fundamentals

Given the damage hackers can do financially and reputationally, there’s no reason aftermarket operations shouldn’t be taking steps to protect themselves. A few basic measures recommended by several security experts can go a long way in protecting a company from cybercriminals.

Among those basic steps are making sure the computer network is protected by a firewall, which is designed to block unauthorized access; intrusion protection software to defend against malware, such as viruses, spyware and ransom-ware; and update software as soon as those updates, which not only improve performance but address any vulnerabilities, become available.

Several experts rank employee education as the most important means to prevent cyberattacks.

“Educating employees about what to look out for in suspicious emails and phone calls is important. That’s the No. 1 thing as far as security goes and that’s where a lot of companies fail,” says Stea.

Screen Shot 2018 09 14 At 10 38 54 AmHe educates CRW employees by in-forming them of security breaches mentioned in the news and showing them malicious emails currently in circulation. If employees receive an email they’re not sure about, he will review them and also advises employees not to click on anything or use the phone number in the suspect email. Instead, he tells employees to look up the phone number on the company’s website and call to confirm that the company sent the email.

“The more you teach people, the better off everyone is and so is the company,” Stea says.

According to Goggans, “It’s about security awareness training, which is the No. 1 best thing you can do to prevent a cyberattack on your company.”

To that end, ThreatAdvice offers companies training programs and phishing simulations, and Goggans has seen the number of client company employees clicking on these test emails decrease dramatically. “[The results] are not because you created a room full of cybersecurity experts. You’ve created a culture of security awareness where that employee knows what to look for and won’t be clicking on things allowing hackers direct access to the system,” Goggans says.

Helion offers ongoing online training sessions about phishing and other cyber-security threats. The company also will send test phishing emails to clients and any employees who fall for them receive additional training. The client receives feedback on how, over time, fewer of its employees are getting caught by these phishing tests, Nachbahr says.

Additional security measures

Along with the aforementioned steps companies should be taking, security experts offer additional ways to further bolster cybersecurity efforts.

One of the services AutoPower provides is daily and monthly server backups that are stored on its hosted facility in the cloud, which Quirindongo says is more effective than storing data on physical servers.

“No matter how much security you have, if you have a virus utilizing a new-found exploit, it’s going to get through because [the security on a physical server or firewall] is not aware of it,” Quirindongo says. “In our cloud environment, the customer will get two servers and one server gets replicated every 15 minutes. With replication and nightly backups, if something was compromised on a server, we can easily fl ip over or revert back to the other one.”

CRW’s main servers are housed at an off-site data center, and the data is backed up three times a day, says Stea. In addition, he downloads all the company’s information to a USB flash drive that he takes to an off-site location every night.

Another precaution CRW takes is requiring all salespeople to log into the company’s VPN to get on the network. If a laptop is lost or stolen, a hacker could try to figure out the password, but Stea can protect against that. “If someone calls and says, ‘I lost my laptop,’ I’m going to try to track it. If I can’t, I wipe it clean remotely,” he says.

The company also has a backup Internet service, so if there’s a problem with one, CRW can switch to the other. “We keep a 99 percent up-rate because if [the Internet service] goes down, it hurts business,” Stea says.

On the topic of the Internet, Nachbahr suggests limiting employees’ usage of the Internet to prevent them from visiting potentially unsafe sites. “It’s a really big issue companies run into — people have free rein to go anywhere they want on the Internet — so we put systems in place to control where they go online and what they’re able to do,” he says.

Nachbahr adds that companies’ wireless infrastructure “is usually really lacking in security,” so Helion shores up the defenses of wireless devices, such as laptop and tablet computers that connect to companies’ networks.

Goggans warns of the possible dangers when working with third parties. “Anytime you’re using third parties, you create more vulnerabilities for someone to access your operations.”

Goggans uses Target’s 2013 data breach as an example. He says the breach didn’t occur because the retailer didn’t have adequate cybersecurity measures; it occurred because a third-party contractor didn’t. Cybercriminals were able to gain access to Target’s information by hacking into the third-party contractor, which was connected to Target’s systems for billing and other purposes.

“With truck parts and service providers, there are so many third parties. The days of just validating a third-party vendor is in business is no longer applicable,” he says. “You should go through a thorough third-party vendor evaluation process to ensure that they, too, are protecting your information in a way they cannot be breached, providing access directly to your critical infrastructure.”

Goggans urges companies to carry a cybersecurity insurance policy that includes third parties. The policy covers the company if it gets sued because it or a third party was breached, and also enables the company to sue a third party if it was negligent in protecting company information.

He’s also a proponent of two-factor authentication. When logging in, not only do users have to enter their pass-word, but also enter a code that has been emailed or texted to them. “It makes it more complicated for someone to steal your information,” Goggans says.

Another way companies can protect themselves is using software that encrypts their data, especially for laptop computers, Lanterman says. He recommends Bit-Locker full-disk encryption, which comes with most Microsoft operating systems. If a laptop is stolen, all of the data is worth-less because it’s encrypted.

Just as cybercriminals have a number of ways to get at companies’ important data or bring a business to a grind-ing halt, there also are several ways aftermarket parts and service providers can protect themselves.

“Businesses large and small can no longer afford to stick their head in the sand and ignore their security. We need to stop looking at security as a necessary evil,” says Lanterman. “You need to edu-cate yourself, understand what criminals are doing and proactively take steps to make sure you’re not the next victim.”

Learn how to move your used trucks faster
With unsold used inventory depreciating at a rate of more than 2% monthly, efficient inventory turnover is a must for dealers. Download this eBook to access proven strategies for selling used trucks faster.
Download
Used Truck Guide Cover