Network Security · Auto · 7 min read

Multi-Rooftop Dealer Groups: Why One Breach Can Hit Every Store

Dealer groups grow by acquisition and connect each rooftop into a shared network for convenience. That same interconnection means a breach at one store can spread to all of them. Here's how to contain the blast radius.

Kapacyber

Security Research Team

A single-rooftop dealership that gets breached has one bad day. A multi-rooftop group with a flat, interconnected network that gets breached at one store can have a very bad week — across every store at once. The difference isn't the attacker. It's the architecture.

Dealer groups almost always grow by acquisition. Each new rooftop gets connected into the group's systems for sensible business reasons: shared DMS access, centralised accounting, one email tenant, group-wide reporting. Convenient — and, from a security standpoint, a set of highways an attacker can drive down.

The Blast Radius Problem

In security terms, "blast radius" is how far the damage from a single compromise can spread. For a connected dealer group, the blast radius is often the entire group. Here's where the connections that widen it usually live:

Shared DMS access

Group-wide Dealer Management System logins mean credentials stolen at one rooftop often work across all of them.

Flat network links

Site-to-site VPNs or MPLS links that connect rooftops for convenience also give an attacker a path between them.

Group-wide email tenant

One Microsoft 365 or Google Workspace tenant for the whole group: compromise one mailbox, and the attacker is inside the group's identity system.

Shared accounting & F&I systems

Centralised accounting is efficient — and a single high-value target whose compromise touches every store's finances.

Common admin accounts

Reused local admin or service-account passwords across rooftops let an attacker pivot store to store in minutes.

Inconsistent endpoint coverage

Acquired rooftops often arrive with their own (weaker) IT setup; one unprotected store becomes the entry point for the group.

How an Attack Spreads Across Rooftops

A realistic group-wide incident rarely starts with a sophisticated attack on headquarters. It starts small: a service advisor at the smallest, most recently acquired rooftop clicks a phishing link. That store arrived with its own weaker IT setup and never got brought up to the group standard.

From that one foothold, the attacker finds a flat VPN link to the next rooftop. They find a local-admin password reused across every store. They find the shared DMS credentials. Within hours, what began as one compromised laptop at one store is an attacker with a presence in every rooftop's network — and the group's accounting system in their sights.

The CDK Global attack of 2024 showed the industry what group-wide downtime looks like when a shared dependency goes down. An internal breach that spreads across your own connected rooftops produces a similar result — without a third party to blame.

Containing the Blast Radius

The goal isn't only to keep attackers out — it's to ensure that if one rooftop is compromised, the incident stays at that rooftop. That's an architecture and operations problem, and it's solved with a clear sequence:

  1. Map the group network — find every flat connection between rooftops
  2. Segment by rooftop so a breach at one store cannot reach another
  3. Segment within each rooftop by function (sales, service, F&I, accounting)
  4. Eliminate shared local-admin and service-account passwords across stores
  5. Deploy consistent EDR and MFA on every device at every rooftop
  6. Centralise 24/7 monitoring so the whole group is watched from one place
  7. Maintain a group WISP with one Qualified Individual overseeing all rooftops
  8. Run an incident response plan that can isolate a single store fast
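As an added illustration (not from the original article), the mapping and per-rooftop segmentation steps can be checked by treating inter-site firewall rules as a directed graph and measuring blast radius as transitive reachability from each store. The site names, rule format and the set of services counted as lateral-capable are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample: inter-site allow rules as (source, destination, service).
# "any" marks a flat link that carries every protocol between two sites.
FLAT_RULES = [
    ("store-a", "store-b", "any"),
    ("store-b", "store-a", "any"),
    ("store-b", "store-c", "any"),
    ("store-c", "store-b", "any"),
    ("store-c", "hq-accounting", "any"),
    ("store-a", "hq-dms", "tcp/443"),
]

# Same sites after segmentation: each store reaches only the shared services
# it needs, on one port, with no store-to-store path.
SEGMENTED_RULES = [
    ("store-a", "hq-dms", "tcp/443"),
    ("store-b", "hq-dms", "tcp/443"),
    ("store-c", "hq-dms", "tcp/443"),
    ("store-c", "hq-accounting", "tcp/443"),
]

# Assumption for this model: these services allow host-to-host admin access.
LATERAL_SERVICES = {"any", "tcp/445", "tcp/3389", "tcp/5985", "tcp/22"}

def blast_radius(rules, start):
    """Return every site reachable from `start` over lateral-capable links."""
    graph = defaultdict(set)
    for src, dst, service in rules:
        if service in LATERAL_SERVICES:
            graph[src].add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph[queue.popleft()] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen - {start}

def flat_links(rules):
    """List the site pairs joined by an 'any' rule, i.e. links to replace."""
    return sorted((s, d) for s, d, svc in rules if svc == "any")

def report(rules):
    """Map each site to the sorted list of sites in its blast radius."""
    sites = sorted({s for s, _, _ in rules} | {d for _, d, _ in rules})
    return {site: sorted(blast_radius(rules, site)) for site in sites}

if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(name, report(rules), flat_links(rules))
```

Run against a real rule export, a non-empty blast radius for any store after segmentation points to a store-to-store path that still needs a gate.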

Centralised Security, Segmented Network

The strongest model for a dealer group sounds contradictory but isn't: centralise the security, segment the network.

Centralise the operations — one security team, one set of policies, consistent EDR and MFA on every device, one 24/7 monitoring view across all rooftops. That gives you consistency and eliminates the "weak rooftop" problem where an acquired store stays below standard.

Segment the network — so the convenience connections between rooftops become controlled gates rather than open highways. An attacker who gets into one store hits a wall instead of a path.

Done together, these two changes mean a breach is an isolated incident at one rooftop — recoverable in hours — rather than a group-wide crisis.

The Compliance Angle

Each rooftop that arranges financing is independently covered by the FTC Safeguards Rule. A group needs a written information security program (WISP) that addresses every store — though it can be administered centrally under a single Qualified Individual. Segmentation and consistent controls aren't just good security; they're part of a defensible compliance posture.

The Bottom Line

For a multi-rooftop group, the question isn't whether one store will eventually have an incident — it's whether that incident stays at one store. Flat, interconnected networks guarantee it won't. Centralised security with a properly segmented network guarantees it will. The architecture choice is the security outcome.

Related reading: network segmentation for SMBs, F&I BEC fraud at dealerships, and cybersecurity for auto dealerships.

Frequently Asked Questions

Why is a multi-rooftop dealer group at higher cyber risk?

Dealer groups often grow by acquisition and connect each new rooftop into a shared network for convenience — common DMS access, shared accounting, group-wide email. That interconnection means an attacker who compromises one store frequently has a path to all of them. The blast radius of a single breach is the whole group.

What is network segmentation for dealer groups?

Segmentation divides the group network into isolated zones — by rooftop, by function (sales, service, F&I, accounting), and by device type — so that a compromise in one zone cannot move freely into others. It's the single most effective architectural control for limiting how far a breach can spread.

Should each rooftop have its own security, or should it be centralised?

Centralised security with per-rooftop segmentation is the strongest model. You get one team, one set of policies, and one pane of glass across every store — while the network itself is segmented so an incident stays contained. Decentralised, store-by-store security creates inconsistency and gaps.

Does the FTC Safeguards Rule apply to each rooftop or the group?

Each dealership that arranges financing is a covered 'financial institution' under the Rule. A group needs a written information security program (WISP) that covers every rooftop — though it can be administered centrally with a single Qualified Individual overseeing the group.

What's the first thing a dealer group should fix?

Map the network and identify where rooftops are flatly connected. Most groups are surprised how much lateral path exists between stores. Segmenting those connections — and putting consistent EDR, MFA, and monitoring across every rooftop — is the priority sequence.
