By now, you have probably seen the television advertisement showing two executives sitting on a bench wondering about their future—and the future of their company—after a data breach. “What did they get?” one asks. “They got everything!” replies the other.
The message is clear. A data breach has devastating consequences for both the business and individuals.
Dealership data and information security was at the forefront during the recent NADA and AFSA Vehicle Finance conferences. AFSA had one of the world’s leading hackers present on dealership security, while NADA held workshops on the same issue. The reason for the focus on security is clear:
- According to a recent NuSecure Labs report, data port scanning for potential targets by hackers is up 38% at auto dealerships over 2015. Up to 95% had little to no data security whatsoever, the FBI reports.
- The cost of a data breach? An average of $217 per lost or stolen record, according to a 2015 Ponemon Institute study sponsored by IBM.
- Too frequently, dealers falsely believe they are too small of a target for hackers. A business like Target may be a big fish, but a hacker can scoop vast amounts of critical personal and financial data from hundreds of auto dealerships more easily and more quickly.
- The National Cyber Security Alliance notes that 30% of small-to-medium-sized businesses—like car dealerships—believe they’re more likely to be struck by lightning than to have their computer systems fall victim to an Internet attack.
- Dealerships are vulnerable, and according to Steve Wozniak, who made a special appearance at the AFSA conference, all will be hacked at some point.
Given these statistics and realities, one would think the majority of the conversation was technical and related to IT solutions. The general conclusion from both conferences, however, was quite different.
Experts agree that most dealerships will be hacked through an unsuspecting employee and social engineering. Despite the best security software and network monitoring programs, the weakest part of a dealership security program is an untrained employee.
Kevin Mitnick, considered by some to be the world’s greatest hacker, said his company has a 99.5% success rate of penetrating company security through social engineering. All it takes is one employee to fall for a phishing scam, open the wrong file in an email, insert a thumb drive, or accept the wrong software upgrade to allow a hacker to gain access to your network.
Therefore, dealership information security must include policies and procedures for all employees who have access to the dealership network and information. These security policies should include:
- Training for all employees.
- Restrictions on the ability to download software.
- Limiting and restricting employee use of USBs, disks, backup drives, and other devices to the dealership’s computers and network.
- System guidelines and restrictions for users.
- Protocols for reporting suspect inquiries, emails, attachments, requests, and notifications.
- Password protection, security, and requirements.
- Limits on Internet access and use of the network.
Although all of these policies have something to do with your network, none have anything to do with your firewall. They all have to do with the human factor.
You can buy all the technology in the world for your dealership, but there is no protection you can buy to protect your business from an employee downloading the virus that leaves your front door wide open. That protection comes only from training your employees, instituting strict policies, monitoring compliance with the policies, and taking corrective or disciplinary action in a timely fashion.
Don’t be the executive sitting on a bench wondering what happened after all your proprietary and customer information was stolen. Train your employees and protect your network now.
To read Automotive Compliance Consultants’ whitepaper, Data Security Simplified, go here.
David R. Missimer is general counsel for Automotive Compliance Consultants Inc. He spent 28 years in private practice as a litigator representing lenders, auto dealers, and numerous other entities and individuals. He has worked with Dealership Compliance issues since 2003 as co-founder of ACC. He is a member of the National Association of Dealer Counsel, American Financial Services Association, and National Automotive Finance Association.