Arrow back

What are the cyber risks in the automotive industry?

23 February, 2023

The automotive industry is, at once, both at the forefront of technological innovation and wedded to old ways of working.

There has been a tremendous transformation over recent years, with rapid advancements in technology bringing about connected cars, electric vehicles, and autonomous driving.

However, as an industry, many classic ways of working are still in place - leaving the sector particularly vulnerable to cyber-attacks.

As such, one of the biggest risks facing the automotive industry today is cybersecurity.

Cybercriminals are increasingly targeting the industry, taking advantage of the high staff turnover, large amounts of data collected, and high-value assets.

In this blog, we will explore the cyber risks in the automotive industry, why the sector needs a solid cybersecurity programme, and how your automotive organisation can protect itself.

Let’s dive in.

Why is the automotive industry so at risk?

Collection of sensitive data

As previously mentioned, the automotive industry collects significant sensitive data from its customers, including personal and financial information. This makes it an attractive target for cybercriminals who seek to steal and sell this information on the dark web or use it for identity theft.

For example, car manufacturers collect customer data such as name, address, phone number, credit card details, and personal health information. Dealerships, leasing companies, and rental firms collect driver’s licence information, insurance data, and credit card details - in many cases, these are maintained in databases with shared passwords.

Additionally, cars have become more connected, with many new vehicles equipped with advanced infotainment systems, GPS trackers, and other technology vulnerable to cyberattacks. Such valuable data is a highly attractive target if not properly protected at every level.

Rapidly evolving technology

The automotive industry is constantly evolving, with new technologies being introduced regularly. However, this can also make it difficult for organisations to keep up with the latest security measures and stay protected against new cyber threats.

Connected vehicles

The automotive industry deals with high-value assets such as cars, which can be targeted by cybercriminals seeking to steal or damage them. In addition, connected cars with advanced technology can be remotely hacked, potentially risking lives.

High staff turnover

The automotive industry - particularly customer-facing roles, such as those in dealerships - often experiences high staff turnover, leaving organisations vulnerable to cyber attacks due to lost knowledge and experience.

Additionally, employees leaving without properly securing their devices or changing their passwords creates opportunities for cybercriminals to gain unauthorised access to sensitive data or systems.

Protect your organisation with truly effective training

Join the thousands who've discovered how Bob's Business' security and compliance awareness training reduces risk, demonstrates improvement and builds cultures.

Why does the automotive sector need a cybersecurity programme in place?

As we’ve established, it’s clear that the automotive industry is a high-risk sector for cyber attacks, given the sensitive data it collects, the rapidly evolving technology it uses, the high-value assets it deals with, and the high staff turnover rates it experiences.

Therefore, every automotive sector organisation needs a robust cybersecurity programme in place to protect itself from these threats. Here are some reasons why:

  • Protection of sensitive data: A cybersecurity programme can help protect sensitive data such as customer information and financial records. Organisations can prevent unauthorised access, theft, or misuse of sensitive data by implementing proper security measures such as firewalls, encryption, and access controls.
  • Minimisation of cyber attacks: A cybersecurity programme can help detect and mitigate cyber attacks, minimising the impact of a potential breach. Organisations can identify and address vulnerabilities in their systems by conducting regular vulnerability assessments and penetration testing, before attackers can exploit them.
  • Compliance with regulations: The automotive industry is subject to various data privacy and security regulations, such as the General Data Protection Regulation (GDPR); a cybersecurity programme can help organisations comply with these regulations, avoiding costly fines and legal penalties.
  • Protection of reputation: A cyber attack can damage an organisation's reputation, erode customer trust, and lead to a loss of business. By implementing a cybersecurity programme, organisations can demonstrate their commitment to protecting customer data and maintaining a secure online presence, enhancing their reputation in the market.
  • Prevention of financial loss: Cyber attacks can lead to financial losses for organisations, including the cost of investigating and remediating the attack, legal fees, and compensation for affected customers. A cybersecurity programme can help prevent these losses by reducing the risk of a successful attack, minimising the damage in case of a breach, while also providing insurance coverage for cyber incidents.

The Arnold Clark data breach

UK car dealership Arnold Clark suffered a data breach in December 2022, which led to the company bringing its systems offline, including dealerships and third-party connections. The company has confirmed that specific customer details had been compromised in the breach, including names, contact details, dates of birth, vehicle details, ID documents, National Insurance numbers, and bank account details.

The incident highlighted the importance of protecting customer data in the automotive industry, which collects sensitive, personally identifiable information that threat actors target.

Companies in the automotive industry must implement suitable methods to guard sensitive data, such as data-centric security like format-preserving encryption.

Small or medium-sized organisations are just as vulnerable to large-scale attacks on their data. A smart, data-centric security strategy is critical to mitigating the devastating consequences of such attacks.

Arnold Clark has warned its customers of potential phishing attacks as it continues investigating the breach.

This attack against Arnold Clark is not the first one targeting the automotive industry. General Motors suffered a credential-stuffing attack in May 2022, and Holdcroft Motor Group was presented with a ransom demand after hackers stole two years' worth of data.

How can your automotive organisation protect itself?

There are several steps your automotive organisation can take to protect itself from cyber risks:

  • Prioritise cybersecurity training for all employees: From top-level executives to entry-level staff, ensure that they understand the importance of cybersecurity and their role in protecting the organisation. Cybersecurity awareness training should include awareness of common cyber threats, such as phishing attacks and malware, and best practices for password management, data protection, and incident response.
  • Implement a strong password policy: A strong password policy can help prevent unauthorised access to sensitive information. Passwords should be complex, unique, and changed regularly. Read our blog on creating strong passwords here.
  • Use multi-factor authentication (MFA): MFA provides an additional layer of security by requiring users to provide two or more forms of authentication, such as a password and a fingerprint or facial recognition scan.
  • Limit access to sensitive information: Access to sensitive information should be limited to only those who require it to perform their job functions. This can help prevent accidental or intentional data breaches.
  • Regularly update software: Regular updates can help ensure that software is up-to-date and free of known vulnerabilities.
  • Implement data encryption: Data encryption can help protect sensitive information from unauthorised access.
  • Have a cybersecurity incident response plan: A cybersecurity incident response plan should be in place in case of a cyber attack. This can help mitigate the damage and minimise downtime.

How can Bob’s Business help your automotive organisation reduce its cyber risk?

At Bob’s Business, we understand the importance of cybersecurity for all industries, including the automotive sector.

That's why we offer unique and engaging online cybersecurity training designed to empower everyone in your team to identify and respond to cyber threats, protecting your business from the 90% of breaches that occur due to human error.

Our training is bite-sized, interactive, and easily fits your busy schedule. Plus, it's engaging, ensuring your team stays motivated and focused throughout the process.

With over 14 years of experience deploying cybersecurity training and policy compliance solutions across various automotive sector organisations, including Motability, FixAuto and SMH Fleets, Bob’s Business is uniquely positioned to help you stop cyber attacks.

Take action now to protect your business and your customers from cyber threats. Click here to discover our range of cybersecurity awareness training products and start reducing your risk today.

Back to resources

Ready to build your cybersecurity culture?

Whether you’re looking for complete culture change, phishing simulations or compliance training, we have solutions that are tailor-made to fit for your organisation.

Girl with laptop
Boy with laptop
man and woman with laptops
Global Cyber Alliance