By James Arthur, head of cyber consulting at Grant Thornton UK
There’s a saying in the cyber security industry about cyber attacks: “It’s not personal’’.
As the scale and maturity of cyber attacks grows, affecting businesses of all sizes across every industry, it’s tempting to ask: Why? Why now? Why us? Why this type of attack?
Questions that no one can definitively answer.
The reality is that cyber criminals look for low hanging fruit and can afford to launch attacks on anyone who looks vulnerable and so, to that extent, it’s true – it’s not personal.
Our recent research found that UK mid-market businesses lost around £30 billion in the last 12 months to cyber attacks.
Concerningly, of the 500 businesses we surveyed, 65% did not have a cyber security team.
But this is not unique to the mid-market, small businesses are also feeling the heat and are facing an increasing number of attacks.
The UK’s Federation of Small Businesses recently reported that small organisations are collectively subject to 10,000 attacks per day.
These findings are mirrored in the automotive sector.
A 2019 survey conducted by Synopsis and SAE International on current cyber security practices in the automotive industry found that 62% of respondents think it is likely or very likely that malicious attacks on their software or components will occur within the next 12 months.
Cyber attacks are no longer a matter of ‘if’ but ‘when’.
But where do these attacks originate from and why are attacks evolving in such a way that more businesses than ever before are facing such a substantial threat?
- There are a number of reasons for the exponential growth in cyber crime
- Very few barriers to entry: the technical skills required to become a cyber criminal are easy to acquire, with plenty of ‘know how’ available online
- It’s a highly lucrative industry: the global costs of cyber crime are predicted to hit $6 trillion annually by 2021
- There are very few successful prosecutions for cyber crime, particularly when conducted against international targets
- Increasing ‘trickle down’ of exploits: attackers can buy ever more sophisticated attacks that used to be reserved for nation states only
- Growth in available security credentials and personal information for sale: this enables easy targeting, particularly where there are other network vulnerabilities
Smaller to mid-sized businesses are now most likely to face attacks from opportunistic cyber criminals.
This type of approach is contributing greatly to the growth in cyber crime – volume attacks that seek to identify weaknesses to exploit, for example, unpatched software.
Why is the automotive industry attractive to cyber attackers?
As well as potentially falling victim to indiscriminate volume cyber attacks, there are groups of cyber criminals who do like to target specific industries that they think could be especially lucrative.
Reasons for specifically targeting the automotive sector might include:
- Data theft - for example access to apps and services that contain banking information, personal identification data, insurance and tax data, travel permits, licence plate and other vehicle registration data, lifestyle information e.g. club membership, medical records (a driver suffering from a health issue may have information about their condition accessible via the vehicle), vehicle location information and vehicle physical security data
- Extortion or a denial-of-service threat - for example, ransomware that denies drivers access to their vehicle (a car owner could find themselves in the predicament of having to pay a ransom to take back control of their own car from a cyber attack mid-journey)
- Fraud and deception – for example, altering or deleting schedule logs and records
- Freight and goods theft
The challenge of security
Cyber security in the automotive industry raises several distinct challenges at each stage of the vehicle lifecycle – at manufacturing plants, from third party suppliers, for enterprise IT systems and for fleet and leasing companies.
The sales distribution channel is very much open to abuse from cyber criminals.
Fleet and leasing companies store, and share, extensive amounts of data with details on the vehicles, personal data of the drivers and organisational and financial data on the companies, which either lease vehicles or use fleet management services.
Experiencing an incident such as a ransomware attack could prevent the fleet or leasing company from trading.
Experiencing a cyber attack where personal driver data or organisational data is breached could result in reputational damage.
Notable automotive cyber attacks include the 2017 Uber incident where cyber criminals downloaded names and license numbers of approximately 600,000 of their drivers in the US and personal information of more than 50 million Uber users globally.
Such a data breach will cause a breakdown of trust between the customer and service provider, meaning customers may look elsewhere for other providers where they believe their data and information will be more secure.
With this in mind, it is better to invest in pragmatic preventative measures to give your organisation the best chance of preventing a successful cyber attack.
Simple steps to mitigate against cyber attacks
We have identified six simple ways in which organisations in the automotive sector can start to recognise the cyber threat and put in place actions to mitigate against it:
- Establishing a cyber incident response plan: this sets out the various actions to be taken in the event of an incident, together with who has responsibility and accountability. It need not be overly formal but should include the different functions in the business that may be affected such as IT, HR, Finance and Legal
- Monitoring and managing the risk posed from your supply chain: businesses are increasingly aware of the threat posed by their supply chains. Take steps to understand how your data is handled by your suppliers and what cyber defences they have in place.
- Regular software patching: keeping software up-to-date is one of the easiest ways to close open doors
- Regular vulnerability scanning and security testing: put in place a regular scanning programme and perform penetration tests at least biannually to test security defences
- Understanding what ‘normal’ looks like for your business, in terms of application usage, so you can identify any unfamiliar patterns: take the steps to understand your environment and what behaviours and habits form a part of that on a day to day basis. This will help you to detect activity outside of the norm
- Investing in regular training and raising your people’s awareness of cyber security: your people are your strongest asset and weakest link when it comes to detecting cyber threats