3 Steps to Manage Dealership Security in the Open Integration Era
Due in large part to technological advances over the past decade, there has never been more freedom for your dealership to integrate to its preferred dealership service providers—for example, your inventory provider. With this freedom to integrate comes the responsibility to protect your dealership’s customer information.
Although there are countless facets of dealership security, I’d like to focus on managing your dealership’s employee life cycle throughout all of your integrated dealer systems. There are three critical times to consider:
- Ongoing use
Onboarding: Instruct and train
With each new employee start date comes an opportunity to instruct and train about your dealership’s security policies and procedures. Knowledge is power, and instilling all new employees with the importance of dealer security will go a long way toward keeping your customer information safe from unauthorized access and misuse.
When onboarding new employees to your integrated dealer systems, keep an eye out for integrated dealer systems with enhanced security features, and reinforce the importance of these features as they relate to customer information security. Key security features include:
- Multi- or two-factor authentication to require you to register your computing device to your user ID and password, and help protect your dealership against data theft and corruption. Make sure your employees understand how to authenticate their computer or other device, and if security questions are required, to use questions and answers that are not easily guessed.
- Strict password requirements, such as a minimum of eight characters, to help protect customer information. Password strength and complexity are an easy way to keep unauthorized personnel from using your computer. Again, use passwords that are not easily guessed.
- IP blocking to limit dealership user access to integrated dealer systems to dealership-approved IP address(es), helping prevent unauthorized access from remote or mobile locations. This is a great opportunity to explain your dealership’s policies regarding remote access to integrated dealer systems and their appropriate purposes and use.
Ongoing use: Stay in control
Chances are your dealership’s employees are constantly looking to get ahead, and sometimes that means lateral moves from your sales floor to your F&I office. When this happens, be sure to alter employees’ permissions and monitor their ongoing access to your integrated dealer systems.
For example, you may not want sales consultants to have the ability to pull credit bureaus, but you may want them to be able to use your dealership’s CRM, desking, menu, and inventory systems. Keep your dealership in control by utilizing integrated dealer systems that offer:
- System permissions: This functionality will provide your dealership systems administrator(s) a high level of control to assign employee permissions and access to specific dealership systems to suit your business processes and the employee’s responsibilities, as well as the ability to control access to personal and confidential customer data.
- System notifications or activity alerts: These system tools can be configured to notify you of changes to setup or preferences, or of other potentially suspicious employee activity within an integrated dealer system.
Termination: Say goodbye
Whether it’s for retirement, to pursue a better opportunity, or to move to another dealership location, chances are your dealership’s employees will not be with your dealership forever.
To be prepared, be sure to maintain an employee exit checklist/policy, which includes provisions to remove former employees’ access to all integrated dealer systems upon completion of their employment at your dealership. A checklist can also be used when an employee moves within your dealership to a new position.
In order to better audit your dealership’s employment exit checklist/policy, be on the lookout for integrated dealer systems that provide enhanced security features such as user reports. These reports should provide detailed information on the dealership’s integrated dealer system users and may include:
- Dealer ID and dealer name (for dealer groups)
- User name
- Last successful login date
- No user activity for more than 60 days
It is a sound security practice to check your user reports against your active employee list; you should never have an ex-employee authorized to access your integrated dealer systems.
In the new era of open integration, your dealership has the freedom to integrate to your preferred dealer service providers to make your life easier and make your integrated dealer systems more efficient.
Be sure to own the responsibility that comes with this freedom by managing the three steps of the employee life cycle—onboarding, ongoing use, and termination—throughout all of your integrated dealer systems.
Dan Doman is the chief legal and privacy officer (CLPO) for RouteOne LLC, a joint venture created by Ally Financial, Ford Motor Credit Company, TD Auto Finance, and Toyota Financial Services. Dan is responsible for managing the legal, governmental, privacy, and security affairs of RouteOne LLC.