The CDK shutdown underscored not only how dependent dealerships are on their dealer management system (DMS) providers but also how vulnerable dealers and their software providers are to cyberattack. As Justin Shanken said, “The CDK attack showed the cybercriminal syndicate that dealers can be attractive, potentially lucrative targets. Those guys who perpetrated the CDK attack (BlackSuit) got approximately $25 million. They found a vulnerability, and now every bad guy is smelling money.”

The CDK outage forced dealers to quickly shift to manual operations—unfamiliar territory in today’s technology-dependent world. Erik Nachbahr noted, “You can’t just switch to a different DMS overnight, so the only backup plan was pen and paper.” Without a DMS to place orders, process sales, and record parts and service orders, dealerships ground to a halt. Nachbahr continued, “The CDK breach was debilitating, and it reminded the entire dealership community of what happens when cybercriminals come calling. Business was interrupted, and sales were delayed or even lost. In addition to ransom, there were legal costs and IT fixes that needed to be made, and as always with cyberattacks, the potential for reputational risk. No business ever wants to see its name at the top of a Google search for ‘cyber breach’.”

The financial hit doesn’t simply stop once a ransom is paid. Breaches fuel class action lawsuits that target dealerships. In some cases, attorneys buy the list of compromised client accounts for a class action suit on the dark web.  Shanken, currently working with general counsel on such suits, stated, “Class action suits—that’s the real financial threat at this point. Dealers following the Federal Trade Commission (FTC) guidelines as a compliance standard aren’t absolved of liability in the event of a breach that releases sensitive customer personal and financial data, particularly now that the possibility of a CDK-type breach is the new threat standard.” For dealers paying attention to emerging risks, the message is clear—don’t wait for another catastrophic cyberbreach to enact stronger protections against attack.

The scale of the cybercrime threat can be hard to grasp. Nachbahr shared, “If you look at cybercrime as a national economy, it’d be the fourth largest nation in the world. Many of the operations selling dealers’ critical data on the dark web are highly structured. Criminals run cyberattacks using sophisticated project management. They have developers, data centers, social engineers—all of it.” That doesn’t mean they only prey on large companies. “No business is too small or ordinary to avoid being targeted,” added Shanken. In some cases, less well-recognized businesses that have significant scale and financial flows—like auto dealers—are the ideal target for professional cyber criminals.

While ransomware attacks like the one on CDK gather headlines, a wide variety of social engineering and invoice fraud are also on the rise. “Many dealers are falling victim to schemes that have nothing to do with ransomware,” Shanken explained. “Cybercriminals send an email that looks like it comes from a vendor, and while it mostly looks real, something will be off. Maybe they’ll request you change the payment type to a different one than you normally use. Perhaps they call to offer instructions when they never have before. Those are red flags.”

Nachbahr added, “As soon as a particular cyber scheme is understood and defended against, cybercriminals move on to developing novel attacks. I had a client who was ‘phished’ into giving up their Microsoft username, password and multi-factor authorization. With access to their email, the hackers discovered the company was switching to a new payroll system. The hackers used the disruption of switching payroll systems to direct the finance team to a new, fake payroll website built to intercept the wired payroll funds. The dealer was one click away from a multi-hundred-thousand-dollar loss.”

“One of the most common mistakes is dealers confusing compliance checklists with true cybersecurity preparedness. Checking the FTC’s boxes—antivirus, multi-factor authentication, backups, security software—might satisfy regulatory requirements, but it doesn’t guarantee a dealership is secure. Without experienced leaders and technical staff who know how defenses really work, and where the gaps are, a dealership can remain dangerously exposed. Effective cybersecurity comes from expertise, not just checklists,” said Nachbahr.  “Dealers need to evaluate their information security operations with security experts weighing in. Where are my major risks? Where are there gaps? What am I doing to address them?”

Shanken added, “Dealers depend on closely aligned partners and vendors, and their vulnerabilities and security gaps can become yours. Take a close look at your vendors, including your DMS provider, and the defenses they have in place. Vendors are the spinal cord of a dealership but can often be the weakest link.”

“Cyber and digital safety is complicated. Its complexity sometimes makes people uncomfortable, which can make it a lower priority,” said Shanken, “Most dealership leaders are naturally more comfortable with real property—land and buildings. Protecting data and digital assets is a new discipline for them. The latest generation of younger owners tend to be more proactive in taking compliance and cybersecurity seriously.”

Completing a baseline assessment is a great starting place when formulating a cybersecurity road map. Shanken explained, “You need to consult professionals. We’re seeing more groups bringing in third-party experts to run penetration tests, manage security operations centers (SOCs), and provide 24/7 monitoring.” Nachbahr added, “Hire an organization to perform an assessment that understands the automotive industry and knows where typical security gaps are found. A proper baseline will show you what you have and where your greatest risks lie.”

Protect your business from lawsuits that arise from mishandling clients’ financial data. Shanken noted, “The FTC mandates dealerships have a “qualified individual” to oversee information security.” Nachbahr continued, “Dealers don’t usually have someone on staff capable of filling this role. Most IT departments lack this expertise.” In the event of an outage, ensure continuous operations with a plan for off-line processes. Train employees so they know what to do when systems go down. Maintain regular communication with staff, keeping them updated, even if nothing has changed. Conduct scheduled assessments of cybersecurity procedures and protocols.

Breaches may still happen, and systems may still go down. Use these eight strategies to avoid a complete shutdown:

1. Invest in qualified cybersecurity expertise — IT operations are not cybersecurity.
2. Don’t rely on compliance checklists alone — they’re only a start toward protection.
3. Have analog backups — plan for pen-and-paper continuity if core systems fail.
4. Scrutinize vendor security — as extensions of your business, make sure they don’t make you more vulnerable.
5. Use banking tools to monitor financial transactions and fraud —  Payee Positive Pay, ACH Fraud Control or ACH Block, and Check Block offer key controls to uncover or block irregular activity. Shift to tokenization and virtual cards for enhanced transaction protection.
6. Implement & manage an employee cybersecurity awareness program — inform and engage your team about the cyberattack threat to help them avoid falling victim to a phishing scam.
7. Expect litigation over a breach — lawsuits can be your greatest financial risk.
8. Recognize cybercrime as an organized business — attackers see dealerships as attractive targets.

Shanken offers one final piece of advice, “You can’t be too vigilant in your efforts to thwart cyberattacks. Hackers are always on the lookout for the low-hanging fruit—the business that didn’t think it would ever happen to them. They always choose the easier target. You don’t want to be the easier target!”