Cyber Hygiene Isn’t Optional
By Cliff Bailey, Titan DMS
Earlier this year, Titan DMS achieved SOC 2 Type 2 approval, a rigorous, independent verification of how we manage data security, availability, and privacy. It’s a globally recognised standard, but more than a certification, it’s a mindset shift. It forced us to map every system we use, every workflow that touches customer or dealer data, and every way those systems could be vulnerable to exposure. The process was eye-opening - and it prompted this article.
Cybersecurity isn’t just a back-office IT concern. It’s a business continuity issue, a customer trust issue, and increasingly, a compliance issue. And for dealerships and distributors in New Zealand, the risk is more real than most realise.
The Scale of the Risk
According to data released in March 2025 by CERT NZ, the financial impact of cybercrime in New Zealand surged by 91% over the past year, reaching $39 million in direct losses. The majority of those losses came from scams or fraud, many leveraging email compromise or spoofed brands. Small and medium businesses are the most affected, with automotive squarely in that category.
Yet, the 2025 Datacom report, “State of Cybersecurity Index,” found that only 26% of New Zealand-based cybersecurity leaders reported having formal business continuity or resilience plans in place.
There’s a gap. And it’s growing.
Where the Vulnerabilities Lie
Modern dealership operations rely on dozens of interconnected systems: DMS, CRMs, inventory platforms, online booking portals, digital retail tools, finance pre-approvals, shared drives, and marketing automation stacks. Each one is a potential entry point.
Older technology is often the soft spot - systems not regularly updated, built on legacy architecture, or with unclear data access boundaries. Shadow IT (unauthorised apps and tools used by staff) compounds the risk.
It’s critical for any business to know:
- Where your customer and operational data live
- What software systems touch or transfer that data
- Who has access - both inside and outside your organisation
- What protections are in place if one of those systems is compromised
This isn’t about fear. It’s about visibility.
Cyber Hygiene Checklist
If you haven’t revisited your security protocols recently, start here:
- Conduct an audit of data systems, access, and permissions. Limit access to essential users only
- Ensure strong password rules and rotation processes are in place on critical systems (email, file storage, CRM)
- Build an incident response plan and contact list: who to call, what to isolate, and how to respond. After an incident, timing can be critical. www.business.govt.nz has some excellent information that could help.
Follow-up Actions
- Run a backup and restore test on your core data - don’t assume your backups work
- Schedule a tabletop exercise with senior leaders: walk through a ransomware or breach scenario
- Check vendor technology stacks and credentials (e.g., SOC 2, ISO 27001)
What Good Looks Like
Good cyber hygiene isn’t about bulletproofing every system. It’s about reducing risk intelligently, knowing your weak spots, and having a clear plan if something goes wrong.
It means:
- Teaching staff how to spot a suspicious link
- Systems that alert you when behaviour changes
- Vendors who take security seriously
- Leaders who’ve rehearsed what to do in the event of a hack
Cyber threats won’t slow down. But the good news is, many of the most important defences are low-cost, low-tech, and well within reach.
Final Thought
Getting SOC 2 certified is a long process, and it forced us to think deeply about what trust means in a data-driven world. Every business can benefit from asking the same questions, even if you never pursue formal certification.
Because the question isn’t if your business will be tested. It’s whether you’ll be ready when it is.
*Article published in AutoTalk NZ in August 2025
Published: September 3, 2025
Updated: September 3, 2025