Shelly Automotive Group

Bringing world-class security to a world-class automotive retail experience

Shelly Automotive Group

Shelly Automotive Group is a Southern California-based network of car dealerships providing world-class automotive retail experiences and specializing in renowned brands such as Lexus, BMW, and Rolls-Royce.

Industry: Retail
Location: California, United States
Size: 800 Employees



  • FTC and CCPA regulations required increased data protections
  • Cyber insurance providers also required added protections to keep users and data safe
  • Employee-owned devices introduced higher potential cybersecurity risk 
  • Breaches needed to be prevented without compromising employee productivity


  • Multi-factor authentication (MFA) for all end users helped to meet security mandates
  • Strengthened cybersecurity posture to comply with CCPA, FTC, and cyber insurance standards
  • One of every 25 website requests was identified as malicious and blocked
  • Time and resources spent on what matters versus security measures and processes

Since 1990, Shelly Automotive Group has crafted world-class automotive retail experiences for customers seeking luxury vehicles in Southern California. The company operates a network of car dealerships that offers automotive services and specializes in renowned brands such as Lexus, BMW, Rolls-Royce, Mercedes-Benz, and Toyota. With approximately 800 employees and partners accessing its infrastructure and applications, the organization faced the critical task of building a robust security infrastructure for protection against cyber threats while also meeting compliance regulations.

Michael Price, the chief technology officer (CTO) at Shelly Automotive Group, has played a pivotal role in architecting that infrastructure. When Price joined Shelly Automotive in 2007, he brought his experience as a Microsoft-certified systems engineer and a Cisco Certified Network Professional. He quickly became responsible for not only the company's entire IT infrastructure, but for securing it as well.

His hands-on approach allows him to navigate the complexities of the IT landscape and select best-in-class security solutions tailored to the company's industry-specific needs. "I've been fighting hackers my whole career, since the '90s," says Price. "For me, security has always been important."

A call to action—and compliance

In response to the increasing prevalence and rising stakes of cyberattacks, strict security regulations emerged — including those imposed by cyber insurance providers, the California Consumer Privacy Act (CCPA), and the Federal Trade Commission (FTC). Shelly Automotive faced the critical task of fortifying their security infrastructure to comply with these regulations and to bolster its defenses against emerging threats.

Price recognizes the challenging and ever-evolving cybersecurity environment. "It's just unfortunately the world we live in," he says. "We're doing business in a war zone." Despite persistent threats, the organization's employees remain focused on doing their jobs, typically unaware of the potential risks lurking in the digital landscape. "They just want to do their job, but they don't even realize that we're under constant attack, or the potential of attack."

In response to the reality of operating in an always-connected world—as well as running a business that regularly processes large transactions—Price sought a robust and proactive security approach to protect sensitive customer data, help ensure operational continuity, and achieve regulatory compliance. "To meet those requirements," Price says, "I had to beef up our security structure with products to provide multi-factor authentication." Recognizing the critical role of multi-factor authentication (MFA) in thwarting unauthorized access attempts, Price sought a reliable solution that could protect against potential security breaches without placing an undue burden on IT and security staff.

I feel comfortable with our security stack because I know that I'm using the best products available for each job.

Michael Price, Chief Technology Officer

Choosing the right security provider

When it came to selecting security solutions that would align with Shelly Automotive's security goals, Price approached the decision-making process with a discerning eye. After an extensive search, Price identified Cisco Duo and Cisco Umbrella solutions as the ideal fit. "I knew Cisco's a huge company and they would make a very reliable product," he says. Price also notes the need for a frictionless solution that would allow him and Shelly Automotive Group's employees to focus on their job without having to contact IT constantly or slog through multiple time-consuming steps just to log on. Duo's strong MFA, Price learned, would frustrate attackers rather than users, which aligned with the business's goal for a positive user experience.

Rolling out with users in mind

To promote an easy, user-centric deployment, Price and the IT team opted for a gradual, monthlong rollout of Duo's authenticator mobile app, Duo Mobile. This approach allowed Shelly Automotive to educate employees at its different locations. "It was a pretty simple rollout," recalls Price. "It was very easy for me and my IT team." 

Price saw similar success with Umbrella, which the team deployed when it was still an OpenDNS enterprise security product. "It was the easiest rollout of any IT product I've ever had," Price says. "It was definitely a no-brainer."

Meeting goals and compliance

Duo's strong MFA added an essential layer of security, requiring employees to verify their identities through their mobile devices to help ensure that only authorized users could access critical systems and sensitive data. By implementing MFA, Shelly Automotive Group was able to demonstrate compliance with the FTC Safeguards Rule, which explicitly mandates MFA as a technical requirement.

Umbrella had already helped safeguard the auto group's network and data for nearly a decade. Its DNS-layer security, which blocks malicious domains, IP addresses, and cloud applications before a connection is ever established, proves its value daily. Enhanced with Cisco Talos advanced threat intelligence—supplied by the world's largest nongovernmental threat intelligence team—Umbrella has enabled Price's team to block one out of every 25 website requests, effectively blocking potential security threats like malware, phishing, trojans, and other DNS layer attacks. The scale of Umbrella's protection is vast, processing more than 620 billion web requests and blocking more than 170 million malicious DNS queries every day. This extensive coverage fortifies Shelly Automotive's defenses against a wide array of cyber threats, allowing the company to navigate the digital landscape more confidently.

Together, Duo and Umbrella have bolstered the security and confidentiality of Shelly Automotive Group's customer information, safeguarded it against threats that could put information at risk, and prevented unauthorized access to applications and data. "I feel comfortable with our security stack," says Price, "because I know that I'm using the best products available for each job."

What was once a compliance requirement for Shelly Automotive Group has become a business imperative—creating a resilient and protected environment for employees, partners, and customers. The result: Everybody wins (except for attackers).