If You’re Only Thinking of How to Prevent a Cyberattack, You’re Next

At the time of this writing, the CDK Global ransomware attack is still very much an active and ongoing cybersecurity incident. The perspectives drawn in this article are provided as commentary and shouldn’t be taken as guidance or conclusions.   

Most organizations aren’t equipped to handle today’s volatile cybersecurity landscape. Between an acceleration in critical software vulnerabilities (on pace to break the annual record) and an onslaught of increasingly sophisticated attack patterns, organizations are having to redefine “security” in their IT

But any concept of cybersecurity that positions it as a monolithic goal — to focus solely on prevention — isn’t prepared to address the short- or long-term implications of a cybersecurity incident.  The recent attacks on automotive SaaS provider CDK Global are a prime example of the modern cybersecurity struggle. While it’s notable in several respects, the incident is far from unique. In fact, it follows a very familiar pattern — one that we’ll be able to chart when the next high-profile security incident follows in its wake. 

What to Know About the CDK Global Cybersecurity Incident 

CDK Global operates a software-as-a-service (SaaS) platform used by U.S. car dealerships. With some 15,000 dealerships using its platform (controlling an estimated 50 percent of the U.S. dealership software market), CDK Global is a cornerstone of American car dealership operations: its platform touches practically every function in the dealerships that use it, including sales, financing, website management, inventory, service, and back-office operations. Obviously, the company handles large volumes of data, including sensitive transactional customer information.

What happened 

On June 18, systems critical to CDK Global’s dealer management system (DMS) were encrypted in an apparent ransomware incident, with Eastern European group BlackSuit suspected as the attacker. CDK Global shut down its IT systems to avoid further exposure and damage. 

In the hours following the shutdown, and adding insult to injury, efforts to restore systems were thwarted by a second cyberattack. While the company has been able to bring systems back online over the course of the week for small groups of users, the company has provided no clear timeline for full restoration as of this writing. 

The impact 

The immediate impact of the CDK Global incident is apparent: Car dealerships and their customers are resorting to pen-and-paper deals, physical documentation, and manual processing for car sales across the country. For CDK Global itself, common symptoms like system downtime, regulatory fines, and SLA violations are likely already affecting the company’s bottom line. (And that’s not to mention a potential ransomware payout, which reports suggest reaches into the tens of millions of dollars.) 

But in today’s cybersecurity landscape, no cybersecurity incident is totally isolated. In 2024, even a minor breach has a broader impact than in decades past, and the ripples of this one are likely to be felt far beyond the dealership: 

  • Legal action is likely to be taken by consumer advocacy groups and regulatory bodies alike. Customers of CDK Global are already joining a class action lawsuit against the SaaS provider, claiming damages as a result of system downtime and potential exposure of their (and their customers’) personally identifiable information. 

  • The stock price of the largest car dealership SaaS provider is in the balance. Splunk’s report on the hidden costs of downtime found that Global 2000 companies can expect their stock price to drop anywhere from 1 percent to 9 percent — and take an average of 79 days to recover — after a single downtime event. 

  • U.S. GDP could suffer the longer the downtime affects the car dealership market. Roughly half of the U.S. car dealership market relies on CDK Global’s SaaS offering, meaning prolonged impact could affect other related industries essential to the U.S. GDP, like finance, insurance, and supply chains. 

While it’s hard to account for the long-term costs of a cybersecurity incident in any industry, the current outsized impact of the CDK Global incident is a signal that even though it happened in one day, it’ll take years to really play out for their business. 

The Need for Cybersecurity Strategies that Look Beyond Prevention 

The risks of insufficient cybersecurity measures are well-understood. The risks of slow restoration? Pointedly less so. 

CDK Global’s own car dealership cybersecurity report (ironic to say the least!), most recently published in 2023, emphasizes protecting data and system uptime, but little about efficient restoration. In the current cybersecurity landscape, every incident underscores the need for not just strong prevention, but the ability to adapt, pivot, and respond quickly to preempt the scramble for security. 

If your whole team is just firefighting, they’re not able to consider other important elements like: 

  • Investigative efforts to identify how the penetration occurred and ensuring that the bad actors are no longer inside 

  • Protecting sensitive information that may have been exposed  

  • Rebuilding hardened systems and restoring service quickly  

  • Repopulating affected systems and storage 

  • Documenting and communicating remediation efforts with customers, vendors, investors, and auditors for compliance  

Tools and software can only get you part of the way to that readiness. Being ready for what comes after a breach, vulnerability, leak, or attack means instituting a holistic cybersecurity strategy — one that includes both immediate response mechanisms and plans for the next step. 

What IT Teams Can Do Now to Help Ensure Uptime After Their Own Incidents 

To effectively respond to cybersecurity incidents like the one currently plaguing CDK Global, you need to map out strategies and tactics for both prevention and recovery. But as I mentioned above, the former is far better understood than the latter, meaning your recovery strategy is key for minimizing run-on incidents and indefinitely extended timelines. 

  • Define your recovery time objectives (RTOs) and recovery point objectives (RPOs). In the wake of an incident, what would you like to be able to do about it? How long should it take to identify, rebuild, restore, and secure affected systems: hours? Days? Weeks? What is the acceptable amount of data loss for your organization? No incident lasts exactly as long as you think, so look beyond “just trying to get the servers back online” and account for full rebuilding, testing, and recovery. Plan around being able to restore data quickly and with little or no loss of recent transactions.

  • Work backwards. Set a clear goal for when systems need to be fully operational again, then plot the steps necessary to hitting that date. Work with stakeholders from across your organization to coordinate when you’ll be communicating with law enforcement, customers, auditors, and investors to maintain compliance expectations and minimize brand impact. 

  • Harden systems with a clear checklist. Establish clear expectations for configuring systems to a hardened security standard, with roles and access — like zero trust, multi-factor authentication (MFA), role-based access control (RBAC) — defined for servers, operating systems, applications, networks, and databases. Incorporate the compliance standards that make most sense (or are required) for your organization, like CIS Benchmarks, DISA STIGs, PCI-DSS, NIST, and more into your baselines. 

  • Build an auditable, restorable state with automation. When an incident happens, every minute is a liability. Desired state management through policy as code (PaC) lets you take that hardening checklist and repeat it across huge infrastructure to provision servers, software, and storage and bring it all back to a desired state quickly. 

  • Shrink the footprint of sensitive data. While we don’t know if CDK Global’s lower-tier or non-production systems were compromised in the attack, it’s common to store and use sensitive data in those environments. Techniques like data masking can reduce the footprint of sensitive data to make it less of a liability in the event of an incident. Masking also preserves the utility of the data, making sure it’s still usable for software development, testing, analytics, and data science. 

  • Test, test, and test again. You wouldn’t release software without testing it, would you? The same should be true of your recovery strategy. While many businesses build and test their ability to recover from non-ransomware incidents, it is less common for them to do so for ransomware attacks. They can be hard to simulate, but the key is rooting out where an attacker has installed “hooks” into your network and eliminating those during your recovery. This is where the use of red teams (i.e., white hat hackers) and blue teams comes into play. 

  • Educate your entire user community – not just IT teams – on a recurring basis regarding best practices for recognizing social engineering attacks. Technology will be far more effective in coordination with human-powered defenses.

Cybersecurity stakeholders in organizations the world over face daily threats with aplomb. They have a tendency to view every quiet day as a win (which, to be fair, it is). But a focus on preventative measures, especially the ones that work, breeds the belief that if we can prevent enough incidents, we might be able to prevent them all. So much time goes into prevention that the question of full restoration (which involves far more than getting servers back online) tends to be underserved until the unthinkable happens.

CDK Global’s current struggle to repave its critical infrastructure is proof that if you’re only looking into ways to prevent cyberattacks, you’re planning for less than half the problem. 

Scott Nelson

Sr. Account Executive - Fortra

Great post, Robin. Prevention is great, but all too often it is addressed after the fact (aka attack). Being proactive may be a lot of work. But I venture to guess being reactive is a lot more... and more costly.
