Automotive News - September 23, 2019 - Best Practices Supplement - A24
ZIMBRICK INC., MILWAUKEE AND MADISON, WIS.
DATA SECURITY FIRST
Email testing, firewalls
and more fight threats
Published in Automotive News April 1, 2019
Hannah Lutz
hlutz@crain.com
Much of dealership group Zimbrick
Inc.'s effective cybersecurity strategy comes down to vetting vendors.
"We are not necessarily the vendors' best friend in this world. We make sure
that they can meet our security requirements
or have some compensating controls in place
before we'll sign up with that service," said
Tom Zimbrick, CEO of Zimbrick Inc., a
15-store dealership group in Madison, Wis.,
and Milwaukee. "That
helps us confidently grow
the business because ... we
know the data is secure."
Zimbrick's stringent vendor standards are part of its
broader effort to stay ahead
of data security threats.
The strategy includes installing sophisticated firewalls, sending regular
phishing email tests and
limiting network access.
[Photo caption] Zimbrick: Data "a sacred trust"
"We implement security not just to protect
customer data; it's also to keep our systems running," said Ryan Horstmann, the group's information technology director. "It's the easiest way
for us to keep our uptime as high as possible."
Some of Zimbrick's toughest battles are with
providers of dealership management systems
that don't meet security requirements, said
Horstmann.
"It is a never-ending battle with all vendors.
The DMS providers are really important to our
business, so in my world, they get the most attention."
Usually, Zimbrick and its vendors come to
an agreement that solves the concern, but the
dealership group has to be persistent, Horstmann said.
In at least one case, a vendor rolled out a security standard developed for Zimbrick to all of its
dealership clients using the Internet-facing
product in question. Zimbrick declined to identify the company.
"We firmly believe that this is our data. We hold
customer data in a sacred trust. We are very uncompromising in that way," Tom Zimbrick said.
[Photo caption] Employees can report a phishing email. If they fall for it, they are routed to a cybersecurity video.
[Sidebar] Zimbrick Inc. in Wisconsin strives to
stay ahead of data security threats by
implementing stringent vendor
standards, installing sophisticated
firewalls, sending regular phishing email
tests and limiting network access.
Zimbrick, which sold 9,336 new vehicles and
7,855 used retail vehicles last year, has a
three-person IT team, led by Horstmann, that
oversees cybersecurity and other IT tasks. The
dealership group also works with an outside
firm that handles simpler IT issues. Horstmann
was a software developer for a payroll and timekeeping company for 10 years before joining
Zimbrick in 2007. Much of his responsibility in
his previous role centered on protecting data.
Phishing test
Once a month, Zimbrick sends its employees a
phishing email. The subject line may say something like "Donald Trump has a heart attack" or
"One of your employees was behaving badly."
If employees click on the email link, open the
attachment or enter their username and password when prompted, they will automatically
be routed to a video on cybersecurity training.
"If there is going to be a breach or a break-in,
it is most likely going to happen accidentally
through an employee [when] a customer or
an outside person sends a request [and] the
employee forwards it, answers it, opens the
message," said Tom Zimbrick. Phishing is the
primary source of attack, he said.
The phishing tool, a Cofense product called
PhishMe, creates awareness, added Horstmann.
The videos are short and to the point, he said.
PhishMe costs about $8 per user per year,
but "The real question is, how much does it
cost if you don't have it?" said Tom Zimbrick.
In February, about half of employees reported the email as phishing, while 35 percent deleted or ignored it, thus passing the test. About
15 percent clicked the link in the email.
Fear of the unknown
Zimbrick built its systems with security in
mind from the start and has a reliable backup
system, said Horstmann. Since 2015, the group
has run a firewall with 24/7 monitoring to
block threats. Zimbrick's firewall is more cutting-edge than others, Horstmann said, because it identifies not only verified attacks but
what could turn into one.
Zimbrick also has separate networks for
customers and employees and requires two-step authentication for employees entering
the network remotely.
The company has leadership meetings every month with general managers and other
high-level staff. At those meetings, Horstmann "has a seat at the table," Tom Zimbrick
said. "So we're all up to speed."
There was no single event that prompted Zimbrick's commitment to cybersecurity. The group
was motivated by a fear of the unknown.
"Whether it's our business or someone
else's business, we know the attacks are increasing. We know they're getting more sophisticated," Tom Zimbrick said. "We're just
trying to get ahead of them."