Key Highlights
- Regularly perform automated security checkups to identify vulnerabilities early, similar to routine vehicle maintenance.
- Limit access to sensitive data strictly to employees whose roles require it, and disable access immediately when staff leave.
- Use strong, unique passwords and enable multi-factor authentication for all accounts handling customer or financial data.
- Maintain at least two separate wireless networks: one for business operations and another for guest use, with default passwords changed and WPA3 encryption if possible.
- Develop and document an incident response plan, including immediate actions like disconnecting affected devices and notifying relevant authorities, to ensure a swift and effective response to breaches.
Automotive service shops often must remind customers that being proactive about maintenance is the key to keeping a vehicle on the road. Unfortunately, many shop owners need to be reminded of the importance of taking preventative measures to protect their shop data.
Beyond the fear of a system crash or a hacker attack, small businesses must also comply with ever-evolving data privacy laws, including new state regulations that went into effect last year. California led the way with its California Consumer Privacy Act (CCPA), and several other states, including Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, and Minnesota, have also enacted similar laws. For businesses, it is increasingly important to know what data you collect from clients and employees, where it is stored, and with whom it is shared. Experts advise collecting only the necessary data and implementing strong, up-to-date security measures to prevent breaches.
You’re Never Too Small
Too often, shop owners—especially those with just a location or two—wrongly assume that they’re not affected by these laws. However, that’s not the case when it comes to cybersecurity and data protection concerns, explains Nick Mo, CEO and co-founder of Ridge Security Technology Inc.
“A lot of small automotive service shops figure they’re too small to show up on anyone’s radar,” says Mo.
He tells National Oil and Lube News that attackers aren’t just going after big brands.
“They’re looking for easy targets, and they absolutely think about their own return on investment,” Mo suggests. “Running regular, automated security checkups works a lot like routine vehicle maintenance: catch the small stuff early before it turns into a catastrophic engine failure. Even a basic simulated attack can turn up weak passwords, exposed services, or gaps that could shut your operation down for days. So, either bring in a security service provider to handle it on a regular basis, think of it like scheduling oil changes, or put a security validation tool in place that someone with a general IT background can run and act on.”
Michael Bell, CEO of cybersecurity and data protection provider Suzu Labs, emphasizes that small businesses are the preferred targets because attackers know defenses aren’t in place.
“Automated attacks in use today will find you if you have two locations or two thousand. They scan the internet looking for exposed systems, weak passwords, and unpatched software,” warns Bell. “A lube shop with a point-of-sale system connected to the internet and no firewall rules looks the same as a bank with no vault door.”
The average cost of a cyberattack on a small business ranges from $120,000 to $200,000, including downtime, forensic investigation, customer notification, and lost revenue while your systems are offline.
“For a shop doing a million a year, that’s potentially a quarter of your annual revenue gone in a week,” says Bell. “Most cyber insurance policies for small businesses have deductibles and exclusions that can leave owners covering more of the bill than they expected, especially if there are gaps in minimum cyber protections. Some shops never reopen. The National Cyber Security Alliance found that 60% of small businesses that suffer a significant cyberattack close within six months.”
The Cybersecurity Basics
Cybersecurity experts keep reminding consumers and business owners to back up their data and employ strong security measures. The reason these warnings keep being made is that the attacks keep coming.
As a reminder, data protection begins with limiting access. If it isn’t in someone’s job description to have access to customer or employee data, they shouldn’t have access under any circumstances.
For the owner, manager, accountants, and others who do need that access, strong protection must be in place.
“Every account that touches money, customer data, or vendor systems needs a unique password and multi-factor authentication turned on,” says Bell. “When an employee leaves, their access to everything gets turned off that day. Not next week. That day. Former employees with active credentials are one of the most common entry points we see in incident response.”
Employees at all levels can often be the weakest link. That means anyone who does have access to crucial data needs to be reminded to always be vigilant. The cybercriminals have upped their game, and that means shops need to up theirs as well.
“Phishing attacks that hit shops don’t look like Nigerian prince emails anymore. They look like invoices from your parts distributor, with slightly different banking details. They look like an email from your POS vendor saying your account needs to be verified. They look like a text message from the ‘owner’ asking the office manager to buy gift cards for a customer appreciation event,” Bell warns. “Tell your staff: If any message asks you to send money, change payment details, or enter a password somewhere new, verify it by calling the person directly using a number you already have. Not the number in the email.”
It bears repeating that everything should be updated and patched. Managers and those with access to any computer or other device should regularly check for updates. That should include all vendor-connected devices.
Bell also suggests that all shops should utilize at least two separate wireless networks: one for business operations and one for customer or guest use.
“The business network should not be visible to customers,” says Bell. “Change the default admin password on every router and access point. If the Wi-Fi password hasn’t changed since the router was installed, change it today. Use WPA3 encryption if your hardware supports it, WPA2 at minimum.”
Back up everything and do it often. Spending a few minutes on a Friday near closing time is better than spending days recovering from a system crash or a ransomware attack. And finally, have a plan in place in case of a cybersecurity incident.
“If you suspect a breach or ransomware infection, disconnect the affected computer from the network immediately. Do not turn it off. Call your IT security support (not your cousin who set up the Wi-Fi) and your bank to freeze transactions,” says Bell. “If customer payment data may be compromised, your credit card processor needs to know quickly. Document what happened and when. Keep the compromised equipment untouched for the investigation. Depending on the severity, you may want to file a report with law enforcement or the FBI’s IC3, but your first calls should be to the people who can help you stop the bleeding, assess the damage, and provide legal support.”
Bell tells NOLN that having these steps written down and posted in the office before an incident happens is the difference between a controlled response and a panic.
About the Author

Peter Suciu
Peter Suciu is a Michigan-based writer and NOLN freelance contributor who has contributed to more than four dozen magazines, newspapers and websites. He lives in the land of cars not far from one of Henry Ford's estates.
