Nobody Is Immune
The world of cybercrime is ever-evolving, as is the world of technology seen at the modern car wash.
By Nicole Nelson
As a general rule, John Stengel isn’t one to make generalized statements. However, this cybersecurity veteran doesn’t mince words when he addresses car washes and the potential calamity that is constantly lurking from the ever-evolving world of cybercrime.
“I will tell you that most car washes do not have adequate protections in place,” said Stengel, the president and CEO of the premier cybersecurity consulting, management and training firm JSCM Group. “People often mistake ‘nothing has happened to me’ for ‘it is working.’ And it really isn't an accurate way to look at it. The fact of the matter is that cyber criminals just haven't gotten to you yet.”
Stengel said car wash operators should especially take note as smaller to mid-sized businesses are increasingly being targeted for cyberattacks due to such susceptibilities.
“Threat actors realize it is much too hard to take on bigger organizations that are much more difficult, and require a different type of attack,” said Stengel, referring to very specific and sophisticated cybercrime bad actors that make hits on large organizations such as the May 2021 ransomware cyberattack on Colonial Pipeline. “The bulk of what we’re seeing in small- and medium-sized businesses and governments are more smaller players that are just going for the fast volume.”
These “smaller players” are gaming the business world to see just how many networks they can take down and score on over any given weekend, Stengel said. Come Monday morning, you could easily find your computer hardware and software inaccessible and data compromised.
“Besides showing up at your business and finding that your office is burned down, I don’t know if there is a more unsettling feeling than showing up and finding all of your computers locked with a ransom demand and a thousand pages printed off on a printer,” Stengel said.
Unfortunately, such scenarios are no longer the exception to the rule. Since the beginning of the calendar year, Stengel said he has never seen such an extent of sophisticated cybercrime activity, with targets ranging from mom-and-pop shops to multi-state, multi-million-dollar organizations. On the dark web, the size or volume of a business doesn’t matter, Stengel said.
“It is just about getting money, a pure shakedown for money,” he said. “Understand that each of us exists on the internet as just an IP address. If there is a vulnerability, you will become a victim of a ransom scam and they will take advantage of you.”
Given this ominous threat, how can car washes mitigate the risk of vulnerability against a cyberattack and ransomware?
Anoop Kanthan, CEO of omniX labs, said the best avenue is to take a well-rounded, universal approach.
“While information security technology solutions and approaches are available from a point-to-point or asset-to-asset perspective, it really is about tackling this in a more holistic way,” Kanthan said. “That doesn’t necessarily mean spending huge amounts of capital though, as much of this is about good policies, standards and procedures for your organization.”
In addition to personally identifiable information, payment card industry data and their equivalents, Kanthan highly recommends system and organization control compliance.
“It approaches this challenge from an across-all-parts-of-the-business perspective and allows you to follow a well-trodden path to managing it well as an ongoing concern rather than just a point in time, ‘pass the exam’ mentality,” Kanthan said. “You will be able to also layer in technology-based solutions in a digestible way to include spending proportionately as you scale in size and complexity.”
Kanthan suggested car washes approach the mitigation process by identifying top-down influences in terms of risk factors.
“Starting with the highest risks is a great way to get into it and not get overwhelmed by the acronyms and jargon,” Kanthan said. “Start with the basics like credit card information storage and contact details of your customers.”
Opt In, Opt Out
In terms of the customer base, Soapy Joe’s Vice President of Marketing Anne Mauler concurs and recommends focusing on improving data hygiene. Good first steps include understanding the legalities surrounding marketing communications on both state and federal levels, she said.
“From a marketing perspective, two areas that are crucial to understand include the CAN-SPAM and CCPA regulations, and list management,” Mauler said. The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) regulates commercial email practices nationwide, and the California Consumer Privacy Act (CCPA) offers further consumer privacy protections.
While the CAN-SPAM Act regulates the sending of commercial electronic mail messages and the harvesting of email addresses from websites on a federal level, the CCPA regulations are state-specific. Regardless of state and federal regulations, Mauler suggests straightforward subscription directives.
Mauler said she advises car washes to avoid emailing someone who has not opted in. Similarly, she suggests making it easy for folks to opt out.
“Two things car wash operators can act on right away is to ensure their email lists are composed solely of people who have opted in to receive emails and to include an unsubscribe method within each email sent,” Mauler said. “Admittedly, it may be painful to see your longstanding email list shrink, but it is worth it to clean up the list now.”
Behind the scenes, ensure there is a process in place to act on any ‘unsubscribes,’ and to keep it simple if you are just getting started, Mauler said.
Mauler reminds car washes that it is important to ensure your systems can handle customers wanting to opt out and then later opt back in.
“This is especially relevant in the car wash space as seasonality can factor into when communications are desired,” Mauler said.
While having list management, systems, tools and content aligned is a great way to get started on a marketing data hygiene journey, car washes must also be mindful of internal systems, processes and access.
Most car washes do not have a dedicated IT staff or line-item in their budget to refresh their IT equipment. As a result, DRB System’s director of IT and cybersecurity Vince Scovern said systems age out and become more vulnerable.
“Take time to get to know your vendors and have established relationships with reputable companies,” Scovern said. “Many providers will release software or hardware updates that may patch vulnerabilities but also provide new functionality that could benefit your business, and it is important to stay current on these updates where you can.”
Scovern also advises using systems in the way the vendor intended.
“If you have a point-of-sale (POS) system, use it for its intended POS functions,” Scovern said. Isolating POS terminals from being used to browse the web, run camera systems, or any other unintended purpose will protect against breaches. “By keeping these functions separate, your systems are going to run smoother, and you will have less potential for a full-business disruption.”
As hardware and software also need regular upgrades, Scovern said funds should be allocated in annual budgets for the express purpose of replacing aging equipment.
“The goal is to replace the equipment before it fails or becomes unsupported by the vendor,” Scovern said, noting that technology partners should be able to help car washes determine which items are most at risk. “Swapping in a replacement piece of equipment early is easier and less stressful than being forced to do so on a busy Saturday.”
Ultimately, any cyber event is going to be disruptive to your business, but the level of disruption depends on how much you’ve protected and prepared your business, including your employee base.
omniX labs’ Kanthan said car washes need to think long and hard about which systems access is necessary for a role in the organization and is adamant car washes implement good access procedures when both onboarding and offboarding staff.
Use the principle of least privilege – granting only the absolute necessary level of systems access for the employee to fulfill their role, Kanthan said.
In protecting technology assets, he estimates a 90-plus percent effectiveness in terms of protection by immediately applying patches, firmware and software updates as soon as they are released. In addition, he advocates for using the Cloud to avert potential risk.
“It is probably time to get rid of that server sitting under your desk and migrate your system to the Cloud,” Kanthan said. “Cloud providers have hundreds of analysts thinking about security 24/7 and are likely doing a much better job than you ever could.” He recommends you complete your Cloud migration by implementing protective cybersecurity measures.
Cybersecurity and other information security threats will continue to evolve and become ever more sophisticated, but a cybersecurity mindset begins from the ground up, Kanthan said.
“This is more of a cultural adjustment and a ‘way of being’ for the organization,” he said. “If your leadership team instills a cybersecurity mindset – just like it probably already is doing for workers’ physical safety at your locations – then you are well on your way.”
In addition to the attention devoted to the front-end applications of credit cards, payment security, cameras and the overall systems necessary to keep car washes running, JSCM Group’s Stengel said the average car wash business needs to be mindful to protect the backend systems as well.
“We are all guilty of making mistakes in our setups and having weaknesses and car washes are not immune to that,” Stengel said, noting that in most cases, those ransom-seeking criminals bypass the front steps.
“(Cybercriminals) don’t care about the point-of-sale terminal and the kiosk,” Stengel said. “What these attackers go after is the financial database. They go after the backend computers – and the things that keep payroll moving and that keep the time sheets moving – and they keep that HR information they are going after in those systems.”
Stengel equates taking a minimal security approach to securing your front door, but not your windows.
“You still have to do these other things,” Stengel said. “Don’t make an argument to me that your house was secure just because your front door is locked when all your windows are open.”
Stengel said he advises car washes to think about the all-encompassing big picture by first conducting a security assessment every year. Secondly, he suggests an immediate move to implement a modern endpoint detection response system that can monitor for risks and threats across each car wash’s network.
As a tertiary step, he suggests multi-factor authentication to ensure passwords can’t be stolen and used by cybercriminals to gain access to your network.
This triangulation of security measures obviously comes at a cost, but a necessary one that in the short-term will save you money in the long-run.
“These three things need to be in every budget,” Stengel said, noting that these security ingredients are as vital as insurance – or as water is to a car wash. “It is necessary to keep yourself functional because it is going to be very costly if you are unable to operate.”
Stengel said he wants to alter the thought process that “no one cares about us because we’re small,” or “no one cares about a car wash” – washes should take note as the cybersecurity threat is essentially the same across the board.
“Car washes aren’t subject to hacktivism,” Stengels said, referencing oil companies such as Colonial Pipeline. “Nobody thinks car washes are the devil of the world. Car washes simply fall under the risk from criminals in organized cybercrime looking for an opportunity.
“Every business will get hit,” he said. “It isn’t a matter of ‘if’ but ‘when.’”
Ensuring You Have Insurance Coverage in Cybersecurity Claims
Requested cyber ransom sums have marked an unexpected trend: demand amounts are significantly lower now than in years past.
As recently as five years ago, JSCM Group’s John Stengel said that it was common for a small business to see ransom demands as high as $2 million, whereas today’s shift in the threat marketplace has brought ransomware demands down to as low as $250K.
“The threat actors have gotten the ransom down to the point where it is low enough for organizations to actually pay it,” Stengel said. “It is a volume game and they are trying to make it more affordable for the average business.”
Despite this trend, operators may be wondering whether their insurance pay the cybersecurity claim, no matter the amount.
There is no easy answer. Stengel said that there has been a lot of change in the cyber insurance market within the past two years – change that doesn’t always work in the favor of small businesses such as car washes.
“We are seeing increased scrutiny on paying for claims, increased premiums for cyber, and we are seeing the insurers require certain technologies in place, such as multifactor authentication (MFA), to even cover the business,” Stengel said. “That said, the cost of a breach is far greater and can easily put you out of business. The premiums, while they may be higher than previous years, are a necessary component to business. And requiring use of MFA is a step in the right direction for overall security.”
To avoid negligence and bare minimums while ensuring car washes are up to current coverage standards, Stengel suggests an annual audit.
“The easiest way is to complete an annual audit by a third party,” he said. “This is a minimum every business needs to hit because it will tell you what you need to be changing in your environment from year to year.”
DRB’s Scovern agrees, noting that most car washes will need to perform an annual Payment Credit Industry audit.
While smaller operations often fall into a self-audit category, Scovern said it is oftentimes advisable to hire a reputable third party to properly conduct the audit.
“Just because you may not be required to bring a QSA (Qualified Security Assessor) onsite to perform the audit doesn’t mean that you shouldn’t take it seriously,” Scovern said. “Make sure that you understand what the audit is asking and ensure you are meeting the PCI DSS requirements. Meeting the requirements of PCI not only helps protect your business from credit card theft, but also from attacks like ransomware and viruses. Many of the same principles are going to apply across multiple functions.”
Soapy Joe’s Anne Mauler said she suggests regular check-ins with your car wash’s insurer.
“One budget-friendly way to get started is to check with your current insurance provider,” Mauler said. “Many carriers offer a cybersecurity module or provide checklists and toolkits for disaster recovery and business continuity. Others offer hands-on simulations and annual check-ins.”
Another idea is to check for reputable free courses, such as those previously offered by digital security provider ESET via its free, comprehensive Cybersecurity Awareness Training.
“To operate a car wash in today’s world we have to change how we think,” Stengel said, noting that from an insurance perspective, “A car wash is far more likely to go out of business as the result of a cyberattack than by fire, flood, or a natural event.”