Executive Summary
Car dealerships handle sensitive financial data, personal customer information, and interconnected systems across multiple locations every day. That combination makes them a high-value target for cyberattacks. For auto groups operating 20 to 250 employees across several rooftops, the challenge is not just protecting one site. It is building a security posture that holds up across every location, every system, and every employee.
This article breaks down why dealerships face elevated cyber risk, what leaders can do about it, and how a structured IT partnership helps close the gaps.
Why Dealership Data Is a High-Value Target
Modern dealerships collect and store a significant volume of sensitive data:
- Social Security numbers and credit applications
- Driver’s license copies and proof of insurance
- Bank account and financing details
- Vehicle identification numbers tied to ownership records
- Service history and warranty information
Unlike many industries, dealerships process this data at high volume and across multiple touchpoints. A single location might handle dozens of credit applications in a day, each containing enough personally identifiable information (PII) to make identity theft straightforward.
When a dealership group operates multiple rooftops, the risk multiplies. Each location is an entry point. Each employee with system access is a potential vulnerability. And each third-party integration, from DMS platforms to lender portals, introduces shared risk.
The 2024 CDK Global attack demonstrated this clearly. A single vendor compromise disrupted thousands of dealerships nationwide, freezing operations for weeks in some cases. That incident was not a one-off. It was a signal.
How Cyber Risk Impacts Multi-Location Dealerships
Cybersecurity failures at dealerships do not stay contained. The effects spread quickly across operations, finances, and reputation.
Operational Disruption
Dealership management systems (DMS) connect inventory, financing, service scheduling, and CRM functions. When those systems go down, sales stall, service bays sit idle, and customer communication breaks. For multi-location groups, a breach at one site can cascade through shared infrastructure and shut down operations across the board.
Financial Exposure
Ransomware demands, forensic investigation costs, regulatory fines, and lost revenue add up fast. The average cost of a data breach in 2024 exceeded $4.8 million, and dealerships face additional risk through FTC Safeguards Rule penalties and state-level consumer protection enforcement.
Regulatory Consequences
The FTC Safeguards Rule requires dealerships to implement specific data security measures. Non-compliance is not theoretical. The FTC has pursued enforcement actions against auto dealers, and the updated rule (effective since June 2023) includes requirements for encryption, access controls, risk assessments, and incident response planning.
Reputation and Trust
Customers hand over their most sensitive personal and financial information during the buying process. A breach erodes that trust immediately. For dealership groups competing on service and relationships, the long-term brand damage can outweigh the direct financial cost.
What Auto Groups Can Do to Harden IT Security
Securing a multi-location dealership does not require building a Fortune 500 security operation. It requires consistent execution of proven fundamentals across every site.
Conduct a Risk Assessment at Every Location
Each rooftop has its own network, devices, and staff. A risk assessment should evaluate:
- Network architecture and segmentation
- Endpoint protection across desktops, tablets, and mobile devices
- Physical security of servers and network hardware
- Employee access levels and credential management
- Third-party integrations and data flows
A single corporate assessment is not enough. Each location has unique risk factors that require individual evaluation.
Segment Networks Across Locations
Flat networks are the most common enabler of lateral movement during a breach. If a compromised device in the service department can reach the finance office server, the blast radius of any incident expands dramatically.
Network segmentation separates critical systems from general traffic. Guest Wi-Fi, employee devices, DMS platforms, and security cameras should all operate on isolated network segments. For multi-location groups, network redundancy between sites ensures that a disruption at one location does not take down connectivity elsewhere. [How MSPs make network redundancy work for multi-location businesses](https://coremanaged.com/how-msps-make-network-redundancy-work-for-multi-location-businesses/) covers this in detail.
Enforce Multi-Factor Authentication Everywhere
Stolen credentials remain one of the most common entry points for attackers. Multi-factor authentication (MFA) adds a second layer of verification that blocks the majority of credential-based attacks.
MFA should be enforced on:
- DMS and CRM platforms
- Email accounts
- VPN and remote access tools
- Financial and lending portals
- Any cloud-based application with access to customer data
Standardize Endpoint Protection
Every device that touches dealership systems needs consistent protection. That includes desktops in the finance office, tablets on the sales floor, laptops used by managers off-site, and mobile devices connected to company email.
Endpoint detection and response (EDR) tools provide visibility into threats at the device level and enable rapid containment when something is detected. Standardizing protection across all locations prevents the weakest-link problem where one under-protected site compromises the group.
Train Employees Continuously
Phishing remains the top attack vector across industries, and dealerships are no exception. Employees handling customer data, processing transactions, and communicating with vendors are targeted regularly.
Effective training is not a one-time event. It includes:
- Regular phishing simulations
- Role-specific training for finance, service, and sales teams
- Clear escalation procedures for suspicious activity
- Updated training when new threats emerge
Build and Test an Incident Response Plan
An incident response plan defines who does what when a breach or attack occurs. Without one, the first hours of a security event are chaotic, and that chaos increases damage.
The plan should include:
- Defined roles and responsibilities
- Communication protocols for leadership, staff, customers, and regulators
- Containment and recovery procedures
- Documentation requirements for compliance and insurance
- Regular tabletop exercises to test readiness
How an MSP Supports Dealership Cybersecurity
Most multi-location dealerships do not have dedicated cybersecurity teams. Even groups with internal IT staff often lack the specialized expertise needed to manage evolving threats across distributed environments.
A Managed Service Provider fills that gap by providing:
- Risk assessments tailored to each location’s infrastructure and operations
- Network design and segmentation that isolates critical systems and limits breach exposure
- 24/7 monitoring across all endpoints, networks, and cloud platforms
- Endpoint protection management with consistent deployment and rapid response
- Backup and disaster recovery validation to ensure systems can be restored quickly
- Compliance support aligned with FTC Safeguards Rule requirements
- Ongoing security awareness training customized for dealership roles and workflows
- Vendor risk management to evaluate and monitor DMS providers, lender portals, and other third-party integrations
The value of an MSP is not just technical. It is operational. A strategic IT partner aligns security with how the dealership actually runs, supporting speed and customer experience without creating friction.
Best Practices and Key Takeaways
- Dealerships are high-value targets because of the volume and sensitivity of data they handle daily.
- Multi-location operations amplify risk through shared systems, distributed endpoints, and varied staff training levels.
- Network segmentation and MFA are foundational controls that reduce breach impact significantly.
- The FTC Safeguards Rule creates real compliance obligations with real enforcement consequences.
- Endpoint protection must be standardized across every location, not managed site by site.
- Employee training is a continuous investment, not a checkbox.
- An incident response plan tested regularly is the difference between a contained event and a crisis.
- A strategic MSP partnership provides the expertise and consistency that most dealership groups cannot build internally.
Frequently Asked Questions
Are car dealerships required to comply with specific cybersecurity regulations?
Yes. The FTC Safeguards Rule applies to auto dealers as financial institutions. It requires written information security programs, risk assessments, encryption, access controls, and incident response capabilities. Non-compliance can result in enforcement actions and significant fines.
What made the CDK Global attack so damaging for dealerships?
CDK Global provides dealership management software used by thousands of dealers. When CDK’s systems were compromised, dealerships lost access to inventory, financing, service scheduling, and CRM tools simultaneously. The attack highlighted the risk of heavy reliance on a single vendor without contingency planning.
How can a dealership group with limited IT staff improve cybersecurity?
Start with a risk assessment at each location, enforce MFA across all systems, segment networks, and partner with an MSP that specializes in multi-location environments. These steps provide meaningful protection without requiring a large internal security team.
How often should dealerships test their incident response plans?
At least twice a year through tabletop exercises, and after any significant system change or security event. Regular testing ensures the plan reflects current infrastructure, staff, and threat conditions.
Closing
Dealership data is valuable, and attackers know it. For auto groups running multiple locations, security cannot be treated as a single-site concern or an afterthought delegated to a vendor. It requires consistent standards, continuous monitoring, and a partner who understands both the technology and the business.
For more insights into how MSPs turn IT challenges into strengths, check out our article in the Indiana Business Journal here.
Every business faces IT challenges, but you don’t have to navigate them alone. Core Managed helps businesses secure their data, scale efficiently, and stay compliant. If you’re struggling with any of the issues discussed in this blog, let’s talk. Give us a call today at 888-890-2673 or contact us here to schedule a chat.