

Cybersecurity is companywide effort, IT executive says

Friday, May 14, 2021 5:43 PM | Anonymous
Ransomware, where hackers hold hostage a company’s IT system and data, is top-of-mind in the auto industry right now. But simple human error with business emails still is the biggest vulnerability in cybersecurity, and employee training still is the first line of defense.
"Ransomware is a huge, huge issue," said Benjamin Tweel, senior cybercrime specialist within Bank of America’s Global Information Security team. However, even the more sophisticated threats including ransomware often get their foot in the door via common, everyday threats such as phony, "phishing" business emails.
Tweel provided some tips and best practices for combating cybercrooks in "The Auto Industry Under Cyber Attack," a recent webinar hosted by the American International Automobile Dealers Association. 
It’s estimated that 90% of phishing incidents are caused by "human error," when someone clicks or downloads something they shouldn’t have, Tweel said. If there’s a single most important tip from Tweel’s presentation, it might be, "Don’t reply to an email requesting a change in payment instructions!"
Once an intruder gets into a company’s IT system, it takes an average of 280 days to identify the intrusion, he said. "Let me say that again: 280 days. That’s a long time not to know somebody could be doing something suspicious on your network," Tweel said.
Scammers may use that time to learn the ropes in an organization. The goal is to create an email which may even come from an actual executive’s own email account, ordering a subordinate to make an immediate payment outside the usual channels, typically under unusual circumstances.
For example, the executive is overseas — and in fact may be overseas. There’s some plausible-sounding reason why the payment has to be kept confidential. Above all, it has to be done quickly, before anyone has a chance to think it over, Tweel noted.
Companies need to train employees to recognize fishy circumstances in the first place, and "empower employees to slow down the process without pressure" when they see warning signs, he said. It’s also a good idea to create a requirement that at least two people need to sign off on a payment.
The coronavirus pandemic has raised the threat level by forcing companies to switch to multiple, interconnected digital channels faster than they normally would have done, Tweel said.
Before COVID, corporations saw digital adoption as "a cost-saving investment, for the next three to five years." With COVID, that timeline is compressed to one or two years, and the focus no longer is just on cost savings; it’s on simply staying in business at all, he said.
In employee training, it’s important to make the training relevant and "engaging," Tweel said. Rather than making employees feel like "the weakest link," trainers need to make employees feel like "our strongest defender," he said. "They’ve got to understand why it’s important."
 


Chicago Automobile Trade Association
18W200 Butterfield Rd.
Oakbrook Terrace, IL 60181 
(630) 495-2282


Copyright © Chicago Automobile Trade Association.
