Planning For The Worst: Securing Your Shop From Digital Attacks
We’re big proponents of shop safety—we preach about it pretty routinely on the blog!—but today we’d like to discuss a different, but no less important type of safety: cybersecurity.
At first thought, a diesel repair shop doesn’t seem like a candidate for a hacker’s list of “Places To Hit.” But your shop still collects plenty of valuable information from customers, and that data is immensely appealing to scammers and hackers of all stripes, from the lone wolf who wants to drain your bank account to the shadowy groups that steal massive amounts of information to hold for ransom or to sell on the Dark Web.
How do these groups manage to access this information from a business? A surprising percentage—the exact count varies by source—begin, accidentally, from errors made by internal employees.
That’s why we’ve put together this guide. After all, you likely have a safety program in your shop to keep staff and customers safe from physical danger; you should also have a digital safety program in place to keep staff and customers’ data safe from scammers and thieves.
Often an attack begins with phishing, or fooling employees into providing their credentials. Sometimes a data breach starts from a simple malware infection. And sometimes scammers will go right into your place of business and snag valuable information while acting like a customer.
So what can you do?
While we would very much prefer to live in a world where such attacks did not happen, the reality is they are becoming more frequent. As a business owner, you have a responsibility to your customers and your staff to keep their data as safe as you can. That may mean investing in software or other cybersecurity measures, but it also means training your employees—from the kid sweeping the floor to your office manager to your techs—to be on the lookout for attack attempts.
This is by no means an exhaustive look at modern cybersecurity. We are not the people to offer you extensive cybersecurity advice, although we do take it very seriously: Fullbay’s staff engages in year-round training on how to spot phishing attempts and other cybersecurity threats. We believe in education.
Because that’s where cybersecurity really starts: education.
Treat this guide as a starting point—a place to begin while you implement stronger measures.
THE PRECURSOR ATTACK: PHISHING
First, make sure your employees know what phishing is.
Phishing got its name because those deploying it are “fishing” for information. This is one of the most common avenues a hacker can take to enter your system: they send a very legitimate-looking email that purports to come from an entity you do business with or have done business with in the past. Think your bank, your favorite parts house, or your health insurance company, to name a few.
The email may warn of an overdue bill, a bounced card, a canceled shipment, or a failed login. You’ll be prompted to click a link and visit the website—which is also often well-spoofed—and enter your login credentials to gain access. Depending on the scam, they may also ask you to update a credit card or personal information (which can include Social Security numbers and addresses).
Scammers will then have all that information. They can log in to the actual website using those credentials. And because a good portion of the population reuses passwords across platforms and websites, scammers can now log in to many other things, too.
You can see how phishing can rapidly lead to a data breach. That’s why training your employees to recognize phishing efforts is an important line of defense.
Have your people ask themselves the following questions whenever they open an email:
- Does the email appear to be from a reputable source? Often, scammers will not match their email’s domain name to the company they’re attempting to spoof. This generally is easy to spot if you know what to look for, like extra numbers and/or misspellings in the domain name. If you’re using Gmail, clicking on the triangle directly underneath the “From” field will show you the sender’s email address in its entirety (which often will not match the sender name displayed). Below, you can see a screencap of an actual scam email purported to be from SiriusXM (as you can tell, it’s not).
- Where does the link go? Employees should NOT immediately click on a link. Most web browsers allow you to “hover” over a link to see where it will take you. Often, the domain name will give it away. You can also copy and paste a link into a safety checker (Google has a free one) to see if it raises any alarms.
- Is it well-written? Scam emails are often—but not always—full of errors. Random capitalizations, spacing, misspellings, typos, and so on are all signs to look for.
- Does the email feel urgent? Scammers are successful in part because they make their emails seem very important. They may include threats like “FINAL WARNING” and “Your Account Is Suspended” to scare people. If your employees are receiving emails with messaging like this, have them bring it to your attention. Here’s a real-life example of falsified urgency, complete with warnings and spelling/grammar errors:
Understanding and avoiding phishing emails is just one component of a digital safety plan. Up next: passwords.
PASSWORD SECURITY IS SHOP SECURITY
Your employees probably use more passwords for work than they realize. Sure, there are computer logins, but they may also have profiles and passwords for parts houses, vehicle manufacturers, and shop management software, among other things. As we learned from the phishing discussion above, a single password can give a scammer access to a lot of information.
Encourage your staff to follow these password best practices to keep themselves, your shop, and your customers safe and secure:
- Create a strong password for each site or platform you use. Do not use “12345” or “heyitsmypassword.” You want it to be long, with many letters, numbers, and symbols—something not easily guessed and not easily remembered. You may also consider stringing together a short sentence or two that you will remember but no one else will. In addition, most web browsers will create a password for you.
- Change your password frequently. McAfee suggests changing your password every three months.
- Don’t reuse passwords! Too often, scammers gain access to information because people use the same email login and password across multiple platforms. Instruct your employees to create a different password for each platform or service they’re logging on to.
- Get a password manager. We understand: it’s tempting to just use one or a handful of passwords because everything requires a password these days. Consider purchasing a password manager which can create and remember your passwords and login information—for all your websites and platforms—for you. You’ll only need to remember the master password to get into the manager itself, and the manager will store all your passwords in the cloud. Incidentally, having your data—whether it is your password manager or your shop’s information—in the cloud will offer you another layer of security.
WATCH OUT FOR LINKS & ATTACHMENTS
We discussed being vigilant about links in potential phishing attacks earlier, but links and attachments can also be used to download malware to a device and allow scammers to hijack it. This is another common way criminals crack open the door to a data breach.
Teach your staff to look critically at any attachment they’re asked to download. Have them ask themselves the following questions:
- Is this an attachment I was expecting? In our line of work, we may receive photographs of vehicle damage or PDFs of estimates and invoices. Does the document appear to be a PDF or a JPG? Keep an eye out for .EXE (executable) or .ZIP (compressed) files, as these may be programs that will be installed on your computer rather than documents.
- Is it from a legitimate email address? Look carefully at the email itself. Does the presented domain match the actual domain? Do you know this person? Are you expecting an email from them at all? As an aside, instruct your staff to ask customers who want to email something what their email addresses are before the item is sent. If you are uncertain whether an email is from a customer, pick up the phone and call or text them: “Did you just email this to me?”
- Is it from a phone number I recognize? Malware (and phishing) can come through text messages, too. Is the phone number the message is coming from the one you have on file for your customer? If not, call the one you have on file to make sure—don’t click on anything in the body of a text without verification.
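As an added example (not from the original post or from Fullbay), here are the checks from the phishing checklist above and from this attachment checklist, written as one triage routine in Python and run over constructed sample messages; the `.example` domains, the list of pressure phrases, and the simplification that a domain is its last two labels are my own assumptions.

```python
import re
from urllib.parse import urlparse

# Heuristics from the two checklists, as one triage routine over the fields a
# mail client shows. Pressure phrases and the two-label-domain rule are my own
# simplifications; the risky extensions are the two the post names.
URGENT_PHRASES = ("final warning", "account is suspended", "act now")
RISKY_EXTENSIONS = (".exe", ".zip")

def registrable_domain(host: str) -> str:
    """Reduce 'mail.shop.example' to 'shop.example' (assumes a one-label suffix)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def address_domain(addr: str) -> str:
    """Domain part of 'Name <user@host>' or 'user@host'; '' if none."""
    match = re.search(r"@([\w.-]+)", addr)
    return registrable_domain(match.group(1)) if match else ""

def link_host(text: str) -> str:
    """Host of a URL or bare domain; '' for plain text such as 'click here'."""
    url = text if "://" in text else "http://" + text
    host = urlparse(url).hostname or ""
    return registrable_domain(host) if "." in host and " " not in host else ""

def triage(email: dict, trusted_domains: set) -> list:
    """Return the reasons a message deserves a phone call before anyone clicks."""
    reasons = []
    sender = address_domain(email.get("from", ""))
    if sender not in trusted_domains:
        reasons.append(f"sender domain {sender!r} is not one we do business with")
    if re.search(r"\d", sender):  # extra numbers padded into a lookalike name
        reasons.append(f"sender domain {sender!r} contains digits")
    for text, href in email.get("links", []):  # (displayed text, real target)
        shown, real = link_host(text), link_host(href)
        if shown and real and shown != real:
            reasons.append(f"link shows {shown!r} but goes to {real!r}")
        elif real and real not in trusted_domains:
            reasons.append(f"link goes to untrusted domain {real!r}")
    wording = (email.get("subject", "") + " " + email.get("body", "")).lower()
    for phrase in URGENT_PHRASES:
        if phrase in wording:
            reasons.append(f"pressure wording: {phrase!r}")
    for name in email.get("attachments", []):
        if name.lower().endswith(RISKY_EXTENSIONS):
            reasons.append(f"attachment {name!r} is a program or archive, not a document")
    return reasons
```

An empty list means none of the checklist questions raised a flag; anything else is the list of reasons to pick up the phone and verify with the sender before clicking or opening.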
KEEP YOUR PHYSICAL LOCATION SECURE
We often picture massive data breaches and hacks originating from a darkened server room on the other side of the world. While this is sometimes the case, hacks and breaches can and do occur via social engineering: someone walks into your shop and gains access to your system simply by being in the right place at the right time. Maybe they’ve seen a login and password written on a Post-It note. Maybe they’ve been asked to type in their information themselves to spare an employee their long, difficult-to-spell name.
In both cases, you’ve just given someone access to your system.
The first—and easiest—way to combat this situation is to not keep Post-Its or scrap paper with passwords on them. If you must keep physical copies of passwords, place them in a secure location (in a notebook that resides in a locked drawer, for example). Your staff should not be tempted to hand over a device for a customer to use unless it’s the end of the process and they’re signing something—in other words, customers aren’t to enter their own information into your system, no matter how difficult their name is to spell.
In addition, your employees should never—ever—take a flash drive from someone they don’t trust and put it into a shop computer. That’s a very, very easy way for someone to hijack your machinery.
KEEP YOUR SOFTWARE SECURE, TOO
The modern diesel repair shop often utilizes a lot of different technologies—and there’s likely more to come. Every piece of software you purchase or platform you use should have best-in-class technology to safeguard your data and your customers’ data (yes, Fullbay does this).
Look for Secure Sockets Layer (SSL) encryption on all the platforms you use—this is easily spotted by a little padlock and “https” at the beginning of a website URL. If you only see an “http” address in the URL, then the site is not as secure as it should be.
Other things to consider are a company’s reputation and focus on security. If they’re not making it a priority, or their track record is less than ideal, that’s never a good sign.
PROPER EDUCATION IS ESSENTIAL
The guide above can get you started with shop security—but you’ll want to look into further measures. There are plenty of programs out there that can provide a more comprehensive education to your entire shop; often, they provide a mix of in-person, hands-on training and subsequent refreshes as needed.
You may also look into additional protective measures for your shop’s digital security, including a firewall and powerful antivirus software (if you don’t have one already).
The road to a secure repair shop begins with educating yourself and your employees. Treat it as an investment in both your people and the customers you serve—keeping them safe isn’t just about hanging on to their business, it’s also just the right thing to do.
If you’d like to continue your own education in cybersecurity, we recommend starting with the Cybersecurity & Infrastructure Security Agency if you’re in the United States, or the Canadian Centre for Cyber Security for those in the north. Both agencies will give you good jumping-off points for learning more and keeping your shop’s data safe.