Take steps to deter both hackers and burglars, and prepare an incident plan in case of a breach. BY ERIK NACHBAHR
Auto dealerships are inviting to data thieves, given the consumer identities, financials and credit card data they store. The predator might be a sophisticated hacker or a burglar who gains access to the server room or file drawers.
Many dealerships have been slow to adopt the security technology and best practices to thwart hackers. Plus, many dealerships still use Windows XP, which is no longer supported with security updates from Microsoft.
So, experts in cybercrime believe it’s not a matter of if, but rather when, your dealership will be hacked. The consequences could be especially costly for a dealership — not only in money but also in loss of consumer trust and confidence.
One of the biggest potential expenses is the need to contact all customers about a security breach and then monitor their credit for months to make sure they are not victimized. Typically, the cost can run around $3 million per 100,000 customers. Even if the CRM is outsourced and the cloud provider handles customer contact, the blame will still come back to the dealership. Will customers likely do business going forward with a dealership that’s been hacked?
Or, suppose an employee unintentionally downloads malware the dealership’s antivirus software does not recognize (this happens frequently, as new malware is continually being deployed). The malware pulls the credit of several hundred customers before it is discovered and stopped. An insurance claim must be filed, and a security company is brought in to investigate. The dealership is shut down from pulling credit for several weeks, which ends up costing it close to $50,000.
Protective Shields You Need
To protect itself, it is critical that your dealership have in place:
- Sufficient cyber liability insurance
- Excellent business practices
- Technology to prevent or at least deter hacking
- Plans/programs for recovery/remediation after a breach
Cyber liability coverage is an emerging insurance category in which coverage types and levels may be difficult to determine. However, given the monetary and time costs of mitigating a security breach, it is becoming a business imperative.
Next, your dealership must establish a security policy and best practices that not only thwart hacking but also ensure that if you are hacked, any claims you make against insurance coverage are valid and substantiated. Your well-documented and scrupulously implemented security policies should be:
- Approved by senior management
- Published or otherwise communicated to both current and new employees, who must agree to abide by them
- Readily available for reference and use
- Assigned to a manager who is responsible for adding updates
- Complete with provisions for disciplinary actions for non-compliance
- Reviewed annually
Physical Access Is Another Issue
Next, physical security must be made a priority: the dealership’s accounting offices, all the customer jackets within them, and its computer rooms. Some dealerships are going so far as to restrict physical access to sensitive facilities with security guards, access cards and even biometric devices. It is a good idea to deploy CCTV cameras not just on the lots but also in the accounting offices and computer rooms, and to store that security video for 90 days or more.
Your security policy also must address employees’ use of physical media such as USB thumb drives, DVDs and back-up tapes that are used to store or transfer computer files. Employees should not be allowed to copy customer data onto physical media.
As for access to the network, employees and vendors should be given only unique login IDs and prohibited from sharing them. A strong password policy is another critical cornerstone, and it should include:
- A prohibition against sharing passwords
- A requirement that passwords be changed at the initial log-on
- An insistence on periodic password revisions
Another important component for ensuring a strong security system is a periodic, comprehensive vulnerability assessment. While time-consuming, it is important in that it identifies possible exposures. It should be performed by a qualified, independent security auditor who knows how dealerships operate and can recommend practical measures.
The cost to a dealership group for an audit can run from $30,000 to $50,000, which is no small sum. However, considering the far higher cost of a security breach, which is highly probable if you do nothing, it is a prudent investment for the long term.
Security Technology You May Need
Now that I’ve discussed best practices, let’s look at security technology:
1) A regularly updated firewall is an essential component of an Internet security system.
2) All external network connections should be monitored by an intrusion prevention system (IPS) or other network-monitoring tool that sends alerts when a security breach is detected.
An IPS looks for malware such as CryptoLocker, which encrypts your files, making them unreadable, and holds your dealership to ransom for access to its own files. Audi, for example, is requiring that its dealers install IPSes. General Motors is pushing IPSes, and I expect other OEMs to follow suit.
3) “Logging” is another essential component of any security system. Logging creates a record of events that allows for a comprehensive replay of network and server threats. So, it helps IT specialists and law enforcement track down hackers by following their digital trails.
4) “Patching” is a core technology component of a security system. All network devices, computers and servers should be patched regularly to close known security holes.
5) Finally, antivirus software is another recommended tool to protect against hackers.
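Two of the recommendations above, unique (unshared) login IDs and logging that lets you replay what happened, are easier to see together. The following is an added example, not code from the author or from any dealership system: it reviews a small set of constructed authentication log lines (the line format, user names and host names are invented for this example) and flags two things a dealership IT staffer would want to know about: an account that is evidently being shared, because it logs on from several workstations within a short window, and a burst of failed logons against one account, which suggests password guessing. The thresholds and time windows are assumptions to be tuned for a real store.

```python
"""Review constructed authentication log lines for shared login IDs and
failed-logon bursts. Added example; log format and sample data are invented."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The format is an assumption for this example,
# not the output of any real product.
SAMPLE_LOG = """\
2024-03-04T08:01:12 LOGON_SUCCESS user=jdoe host=FI-DESK-01
2024-03-04T08:02:40 LOGON_SUCCESS user=jdoe host=SALES-PC-07
2024-03-04T08:09:05 LOGON_SUCCESS user=jdoe host=ACCT-PC-02
2024-03-04T08:05:00 LOGON_SUCCESS user=asmith host=ACCT-PC-01
2024-03-04T08:10:00 LOGON_FAILURE user=admin host=DMS-SRV-01
2024-03-04T08:10:03 LOGON_FAILURE user=admin host=DMS-SRV-01
2024-03-04T08:10:07 LOGON_FAILURE user=admin host=DMS-SRV-01
2024-03-04T08:10:11 LOGON_FAILURE user=admin host=DMS-SRV-01
2024-03-04T08:10:14 LOGON_FAILURE user=admin host=DMS-SRV-01
2024-03-04T08:10:19 LOGON_FAILURE user=admin host=DMS-SRV-01
2024-03-04T09:00:00 LOGON_FAILURE user=bwong host=SALES-PC-02
2024-03-04T09:00:30 LOGON_SUCCESS user=bwong host=SALES-PC-02
this line is not in the expected format
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGON_SUCCESS|LOGON_FAILURE) "
    r"user=(?P<user>\S+) host=(?P<host>\S+)$"
)


def parse_log(text):
    """Turn raw lines into sorted event dicts; malformed lines are skipped
    (a review tool should not crash on one bad line)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event": m["event"],
            "user": m["user"],
            "host": m["host"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def shared_accounts(events, window=timedelta(minutes=15), min_hosts=3):
    """Return {user: sorted hosts} for accounts that logged on successfully
    from at least `min_hosts` distinct workstations within any `window`.
    One person rarely sits at three desks in fifteen minutes; a shared
    login ID does."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "LOGON_SUCCESS":
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


def failed_logon_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Return [(user, host, count)] where `count` failures against one
    account from one host fall within `window` (sliding window)."""
    by_key = defaultdict(list)
    for e in events:
        if e["event"] == "LOGON_FAILURE":
            by_key[(e["user"], e["host"])].append(e["ts"])
    bursts = []
    for (user, host), times in by_key.items():
        j = 0
        best = 0
        for i, t in enumerate(times):
            while t - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            bursts.append((user, host, best))
    return bursts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("shared accounts:", shared_accounts(evs))
    print("failed-logon bursts:", failed_logon_bursts(evs))
```

On the sample data this flags `jdoe` as shared across three workstations and reports six failures against `admin` from one host in under a minute. The point for a dealership is less the script than the prerequisite: none of this is possible unless logons are recorded with a timestamp, an account and a source host, and kept long enough to be replayed after a breach is noticed.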
When All These Efforts Fail …
However, even if your dealership is making smart use of insurance, best practices and technology, it’s quite likely it will be hacked someday. So, you need a plan and resources to respond to hacking after the fact.
It is good practice to assign a hacking incident response team with clearly defined roles, including who notifies key legal, insurance and IT contacts about a security breach, and that can work effectively with law enforcement.
Finally, every dealership should have a privacy policy that covers its responsibilities to customers, including the confidentiality and protection of their non-public personal information. I recommend consulting with legal counsel to write a sound privacy policy. If taking on all of my recommendations seems like a tall order, consider bringing in an outside security consultant who understands the dealership space.
I know this is a LOT of risk and information to absorb. However, while cyber security may sound technical in nature, at its core it is a business issue. Your dealership’s competitive position and financial health may be at stake. It’s therefore important for your management team to address what customer and business information is most sensitive. Your brand, customer trust and strategic positioning may be at risk.