From Ransomware to Audits: A Cyber Playbook for Auto Dealership Leaders

December 1, 2025

By Fulton May Solutions

Dealerships operate like financial institutions and retailers at once—handling PII, payment data, and manufacturer systems under tight margins and daily volume. That makes cyber hygiene a business imperative. Use this playbook to reduce breach likelihood, prove compliance, and keep operations moving, even when a critical vendor goes down.

Why Dealership Cyber Risk Is Different

Complex tech stack: DMS, CRM, F&I menus, lender portals, parts networks, and service tools—often with shared credentials.
High transaction velocity: Fast-moving sales and service increase susceptibility to phishing, misdirected payments, and rushed approvals.
Regulatory expectations: Data protection and safeguards require documented controls, monitoring, and evidence.

The Control Stack That Protects Trust

Governance First

Define risk appetite, approve security policies, and set incident roles. Review annually.
Run quarterly board/owner updates on security posture, incidents, and remediation.

People and Process

Mandatory quarterly training focused on payment fraud and data handling in F&I.
Clear joiner/mover/leaver workflow with 24-hour deprovisioning.
Documented DMS-down procedures for sales, service, and accounting (how to quote, deliver, invoice, and reconcile offline).
Out-of-band vendor verification process before acting on phone/email requests (no changes based on a single inbound message).

Technology Layers

Email security: DMARC, impersonation protection, and attachment sandboxing.
Identity: MFA everywhere; SSO where possible; conditional access for risky logins.
Endpoints: EDR/XDR on all devices, application allow-listing for F&I machines, automatic patching.
Network: Segmentation (guest vs. business vs. service bays), DNS filtering, and restricted admin protocols.
Applications and data: Role-based access in DMS/CRM, encryption at rest and in transit, audit logging for admin changes.

Backup and Recovery You Can Prove

Ransomware response is only as strong as yesterday’s clean backup and today’s practiced restore.

Maintain immutable, offsite copies; protect backup consoles with MFA and separate credentials.
Document RPO/RTO per system; test restores quarterly and capture screenshots/logs as evidence.
Stage an isolated recovery network to validate clean systems before reconnecting.
Schedule regular data exports (e.g., customer appointments, inventory, open ROs) from critical SaaS tools so you can operate during a vendor outage.

Be Ready for the Auditor

Create a living “audit binder” (digital) so you can pass audits with confidence.

Policies: Access Control, Incident Response, Business Continuity, Vendor Risk—signed and dated.
Access reviews: Quarterly recertifications by department heads; list of terminations and deprovisioning timestamps.
Security monitoring: EDR summaries, blocked phishing reports, firewall/VPN logs.
Vulnerability management: Scan results with remediation timelines and change tickets.
Backup evidence: Immutable configuration, last successful test restore, and recovery runbooks.
Training records: Completion logs and phishing simulation outcomes.
Vendors: Security attestations, data maps, and incident notification clauses; business continuity commitments and SOC 2 reports where available.

Recent Breaches Dealers Can Learn From

CDK Global ransomware outage (2024): A ransomware attack forced CDK to shut down key DMS services, causing a multi-day outage that disrupted sales, service scheduling, and accounting for dealerships across North America. Many stores shifted to manual paperwork, experienced delivery delays, and faced increased phishing and impersonation attempts during the downtime.
Group 1 Automotive cyber incident (2021): The dealer group reported a cyber attack and proactively took systems offline, causing operational disruption across stores while recovery and containment were executed over several days.
DriveSure data exposure (2021): A misconfigured database associated with dealership customer programs exposed millions of records containing contact and vehicle service information, underscoring third-party and vendor data risks.
DealerBuilt (LightYear Dealer Technologies) breach (2019): Weak security controls at a DMS provider led to customer PII exposure and subsequent regulatory action, highlighting the need for vendor due diligence and secure development practices.

How This Playbook Would Have Mitigated a CDK-Style Outage

Governance and Communications

Defined incident roles ensure sales, service, accounting, and IT know who authorizes downtime workarounds and when to pause deliveries.
Owner/board updates provide clear decision criteria for extended outages (e.g., when to shift to manual contracts, how to prioritize high-margin deals, and when to reschedule service).
Customer communication templates reduce churn by setting expectations on scheduling, delivery timelines, and data protection posture.

People and Process Controls

DMS-down runbooks enable quoting, desking, write-ups, RO creation, and end-of-day reconciliation without core systems.
Out-of-band vendor verification blocks social-engineering calls or emails impersonating support during the chaos of an outage.
Payment fraud training reduces risk of misdirected wires and credit card scams that often spike during major incidents.

Technology Safeguards

Email impersonation protection and conditional access help stop spoofed vendor messages and suspicious logins.
Least-privilege access and audit logging minimize blast radius if credentials are phished during the event.
Network segmentation limits lateral movement if a vendor tool or remote support agent becomes a pathway into your environment.

Backup, Continuity, and Evidence

Immutable backups protect local data and servers so stores can continue essential operations even if ransomware spreads.
Quarterly restore tests give confidence in recovery time and create evidence for auditors and insurers.
Scheduled exports of critical SaaS data (appointments, inventory, lender stips, open ROs) enable same-day operations while the DMS is offline.

Vendor and Third-Party Risk

Critical vendor inventory identifies which store functions depend on each provider and the acceptable outage window.
Contractual requirements for incident notification, recovery objectives, and security attestations (e.g., SOC 2) improve resilience and transparency.
Alternate workflows and temporary providers (e.g., standalone scheduling or payment tools) are pre-approved for use during a prolonged outage.

Quick-Start Checklist: Prepare Before the Next Outage

Run a 60–90 minute tabletop on a DMS outage and capture decisions, gaps, and owners.
Publish a one-page DMS-down cheat sheet for each department (sales, F&I, service, parts, accounting).
Enable MFA and impersonation protection on email; enforce out-of-band verification for vendor requests.
Schedule weekly exports of appointments, inventory, open ROs, lender stip checklists, and essential contact lists.
Stage an isolated recovery network and test restores of key servers or file shares quarterly.
Document vendor RPO/RTOs and escalation contacts; store contracts and SOC reports in your audit binder.
Stock offline kits: pre-printed RO forms, buyer’s orders, inventory sheets, and manual credit card imprinters where appropriate.

Tabletop Exercise Kit (60–90 Minutes)

Use this agenda to surface control gaps before attackers do.

Setup (10): Roles, comms channels, objectives.
Scenario (20): Choose one—ransomware in F&I, DMS outage, or wire fraud attempt.
Decisions (25): Containment steps, downtime approvals, customer communications, regulator notifications.
Recovery (20): Restore order, evidence collection, vendor coordination.
Debrief (10): Top 5 gaps, owners, deadlines; update policies and runbooks.

Facilitator Pointers

Pre-print network diagram and application inventory to guide decisions.
Inject time pressure and conflicting information to test escalation protocols.
Record actions and timestamps to create real evidence of due diligence.

Put the Playbook to Work

Ready to benchmark your controls against this checklist and close the gaps? Connect with Fulton May Solutions for a tailored dealership cyber risk review and the complete playbook kit, including a DMS-outage tabletop, department cheat sheets, and vendor risk templates.

Corporate team strategizing in a collaborative meeting with digital technology tools

From Showroom to Service Bay: A Zero‑Downtime IT Blueprint for Multi‑Rooftop Dealerships

Downtime in a dealership network is more than an IT problem — it directly reduces revenue, extends repair cycles, and damages customer trust.

Fulton May Expands TAM Team: Welcoming Technical Account Manager Michael Wayne

At Fulton May Solutions, our mission has always been simple: make technology an engine for operational efficiency, security, and growth for small and mid-sized businesses.

diverse coworkers working together in boardroom, brainstorming, discussing and analyzing and planning business strategy.

From Finger-Pointing to Flow: Governing Dealership Integrations Without Disrupting the Floor

When a customer says “the system is slow,” what they experience is a loss of control behind the scenes.

Why 2026 Security Budgets Rise (and How I Keep Them Under Control)

I walk through a practical approach to security budgeting for 2026: build a one-page control map, sequence work into 90/180/270 day phases, and budget the invisible costs that break plans.