If You’re Only Thinking of How to Prevent a Cyberattack, You’re Next
At the time of this writing, the CDK Global ransomware attack is still very much an active and ongoing cybersecurity incident. The perspectives drawn in this article are provided as commentary and shouldn’t be taken as guidance or conclusions.
Most organizations aren’t equipped to handle today’s volatile cybersecurity landscape. Between an acceleration in critical software vulnerabilities (on pace to break the annual record) and an onslaught of increasingly sophisticated attack patterns, organizations are having to redefine “security” in their IT.
But any concept of cybersecurity that positions it as a monolithic goal — to focus solely on prevention — isn’t prepared to address the short- or long-term implications of a cybersecurity incident. The recent attacks on automotive SaaS provider CDK Global are a prime example of the modern cybersecurity struggle. While it’s notable in several respects, the incident is far from unique. In fact, it follows a very familiar pattern — one that we’ll be able to chart when the next high-profile security incident follows in its wake.
What to Know About the CDK Global Cybersecurity Incident
CDK Global operates a software-as-a-service (SaaS) platform used by U.S. car dealerships. With some 15,000 dealerships using its platform (controlling an estimated 50 percent of the U.S. dealership software market), CDK Global is a cornerstone of American car dealership operations: its platform runs through practically every function of the dealerships that use it, including sales, financing, website management, inventory, service, and back-office functions. Obviously, the company handles large volumes of data, including sensitive transactional customer information.
What happened
On June 18, systems critical to CDK Global’s dealer management system (DMS) were encrypted in an apparent ransomware incident, with Eastern European group BlackSuit suspected as the attacker. CDK Global shut down its IT systems to avoid further exposure and damage.
In the hours following the shutdown, and adding insult to injury, efforts to restore systems were thwarted by a second cyberattack. While the company has been able to bring systems back online over the course of the week for small groups of users, the company has provided no clear timeline for full restoration as of this writing.
The impact
The immediate impact of the CDK Global incident is apparent: Car dealerships and their customers are resorting to pen-and-paper deals, physical documentation, and manual processing for car sales across the country. For CDK Global itself, common symptoms like system downtime, regulatory fines, and SLA violations are likely already affecting the company’s bottom line. (And that’s not to mention a potential ransomware payout, which reports suggest reaches into the tens of millions of dollars.)
But in today’s cybersecurity landscape, no cybersecurity incident is totally isolated. In 2024, even a minor breach has a broader impact than in decades past, and the ripples of this one are likely to be felt far beyond the dealership:
While it’s hard to account for the long-term costs of a cybersecurity incident in any industry, the current outsized impact of the CDK Global incident is a signal that, although the breach happened in a single day, its consequences will take years to fully play out for the business.
The Need for Cybersecurity Strategies that Look Beyond Prevention
The risks of insufficient cybersecurity measures are well-understood. The risks of slow restoration? Pointedly less so.
CDK Global’s own car dealership cybersecurity report (ironic to say the least!), most recently published in 2023, emphasizes protecting data and system uptime but says little about efficient restoration. In the current cybersecurity landscape, every incident underscores the need for not just strong prevention, but the ability to adapt, pivot, and respond quickly to preempt the scramble for security.
If your whole team is just firefighting, they’re not able to consider other important elements like:
Tools and software can only get you part of the way to that readiness. Being ready for what comes after a breach, vulnerability, leak, or attack means instituting a holistic cybersecurity strategy — one that includes both immediate response mechanisms and plans for the next step.
What IT Teams Can Do Now to Help Ensure Uptime After Their Own Incidents
To effectively respond to cybersecurity incidents like the one currently plaguing CDK Global, you need to map out strategies and tactics for both prevention and recovery. But as I mentioned above, the former is far better understood than the latter, meaning your recovery strategy is key for minimizing run-on incidents and indefinitely extended timelines.
Cybersecurity stakeholders in organizations the world over face daily threats with aplomb. They have a tendency to view every quiet day as a win (which, to be fair, it is). But focusing on preventative measures, especially the ones that work, tempts us into thinking that if we can prevent as many incidents as possible, we might be able to prevent them all. So much time goes into prevention that the question of full restoration (which involves far more than getting servers back online) tends to be underserved until the unthinkable happens.
CDK Global’s current struggle to repave its critical infrastructure is proof that if you’re only looking into ways to prevent cyberattacks, you’re planning for less than half the problem.
Sr. Account Executive - Fortra
5mo
Great post Robin. Prevention is great, but all too often it is addressed after the fact (aka attack). Being proactive may be a lot of work. But I venture to guess being reactive is a lot more... and more costly.