Hit the brakes: How safe is your data in a company car?

Published on Thursday, July 4, 2019 - 16:19 by Camilla Winlo

Cars have always had a certain amount of risk associated with them – speed limits and airbags were invented for a reason, and crashes, breakdowns, unmaintained streets and pedestrian accidents all spring to mind when you think about what could go wrong on the road.

However, usually you don’t look at a moving vehicle and think that’s a data security accident waiting to happen. But this risk may well be the case if your organisation offers connected cars as an employee perk.  

These cars are often an overlooked – and huge – security vulnerability.

People share considerable amounts of personal information about themselves and other individuals with their cars, and usually don’t realise the potential consequences of their actions.

It would be less of a challenge if the security measures were anywhere near as advanced as those we use for computers and other connected devices in the workplace, but cybersecurity and data protection practices in cars are not mature.

For example, there is no current consensus on how software and security updates are communicated by the car manufacturer to the car owners, even if they’ve found vulnerabilities in the software. And obsolete software poses a huge risk to a driver’s data security.

According to a February 2019 survey of automotive professionals[1]:

  • 84% are concerned that their organisations’ cybersecurity practices are not keeping pace with evolving technologies
  • 30% have no established cybersecurity programme
  • 63% test less than half of the automotive technology they develop for security vulnerabilities.

An April 2019 quiz also found low levels of knowledge of automotive data security among drivers. Overall, respondents scored an average of 49%, rising to 53% among owners of connected car owners[2].

If you want to see if you can beat that average, you can take the quiz yourself here.

This is crazy when you consider how much personal data a smartphone houses, and how much protection is placed on it. But when that smartphone is connected to a car, the car often downloads and stores significant amounts of its personal information.

Messages, emails, contact lists, geolocation and location search history, home addresses and more can all be stored in the on-board computer. This even includes special category personal data that should receive enhanced protection under data protection legislation.

So, whilst this becomes useful when you want to use the handsfree to call someone in your phone’s contacts list, it also means the data is downloaded onto the car’s system. A system which may not have any advanced security measures in place.

With over 125 million connected cars shipments set to take place by 2022[3], chances are this will become an even more prevalent problem for information security teams.

However, some positive steps are being taken by car manufactures looking to improve their cybersecurity practices. Most notably, Toyota have released PASTA: an open-source testing platform which was designed specifically for hacking cars and helps to test cybersecurity features in modern vehicles. The company also envisages the platform being used for R&D purposes: for example, a manufacturer could test the impact of a third-party component on the car's security.

There are also things information security teams can do now to mitigate some of the risks and ensure data is protected in company cars. These include:  

  • Consider information security in the car procurement process. Ensure that data protection and cybersecurity issues are included when new cars are acquired for staff, such as by completing a Vendor Security Assessment.
  • Consider personal data in the Starters/Movers/Leavers process and asset disposal procedures. Ensure that personal data is effectively erased from company cars before they are passed to new owners. Connected company cars should be treated as information storage devices, and asset disposal procedures should follow a similar process as when company computer equipment reaches the end of its life.  
  • Ensure security updates are applied regularly. Automotive manufacturers may not advise owners when new software security updates become available. These are not usually applied ‘over-the-air’ and may only be applied when the vehicle is taken to a main dealer. Information Security teams should implement a process to ensure that security updates are applied promptly - at least every time the car is serviced.
  • Include personal cars in the BYOD policy and training. Non-company cars should be considered as ‘own devices’, and information security teams should produce appropriate policies and training to cover acceptable use, similar to those used for company smartphones and software.
 

[1] 2019, Synopsys and SAE International, Securing the Modern Vehicle: A Study of Automotive Industry Cybersecurity Practices. The survey of 593 professionals from global automotive manufacturers, suppliers and service providers was conducted by the Ponemon Institute. All respondents were involved in assessing or contributing to the security of automotive technologies.

[2] 2019, CarGurus, Data Security in Connected Cars Pop Quiz. The survey was completed by 1,020 drivers of which 264 owned a connected car. Questions covered general awareness and security best practices.

[3] 2018, Counterpoint Research, Global Connected Car Tracker 2018. The research is based on total shipments estimates based on company’s IR results, vendor polling triangulated with sell-through (sales), supply chain checks and secondary research.

 

Find out more..

If you are interested in any of our services then please either use the contact form or contact us via of the methods below:

  •   Telephone
  •   E-mail