Six Tips for Designing a Data Security Plan
Over the past few years, there have been dozens of high-profile cyberattacks on major U.S. corporations. Cyber thieves have stolen sensitive customer and corporate information enabling them to hack into customers’ financial accounts and businesses’ computer systems to commit fraud and theft.
Your dealership could present an especially attractive target for hackers because of the treasure trove of customer financial data you possess. Thus, it’s critical to take steps now to protect your sensitive data from this genuine threat.
Why dealerships are vulnerable
As dealerships have widely adopted customer relationship management (CRM) systems and dealership management systems (DMS) in recent years, those systems have become concentrated targets: an attacker who obtains access to a CRM or DMS, whether through a stolen login or a compromised workstation, can pull sensitive customer information in a matter of seconds and use it to wreak financial havoc on your store and its customers.
Many dealerships also remain susceptible to so-called "spear phishing" email schemes. In these scams, thieves send employees legitimate-looking, often personalized emails that carry malware as an attachment, link to a page that installs malware when clicked, or lead to a look-alike login page that captures whatever credentials the employee types in.
At one dealership, a financial employee clicked on a link that she thought was taking her to their bank’s website. Once there, she entered login information and bank account numbers which were used by the cyber thief to initiate a $400,000 fraudulent wire transfer.
At another dealership, an F&I manager opened an email attachment that downloaded a virus onto his computer. The virus enabled hackers to track his keystrokes and the websites that he visited. With this information, cyber thieves were then able to log into credit bureau sites and pull up credit reports on hundreds of the dealership’s customers, which they used to commit fraud and theft.
How to design a program
Automotive retail is regulated under the Gramm-Leach-Bliley Act, which governs how financial institutions handle their customers' private information, including digital information. Because dealerships extend credit and arrange financing, they count as financial institutions under the act. More specifically, the FTC's "Safeguards Rule" issued under the act requires dealerships to implement written security programs designed to protect this information.
Here are some guidelines for designing and implementing a data security program that can help you comply with the Safeguards rule:
1. Appoint a chief compliance officer. A dealership’s chief operating officer or fixed operations director often assumes this role. It’s critical that a high-level dealership employee take ownership of your business’ data security program. That employee’s leadership will encourage everyone else to buy into the program.
2. Perform a risk assessment. The goal here is to determine specific areas where your dealership is vulnerable to a cyberattack. Start by identifying everywhere data is stored, including on computer hard drives (both desktops and laptops), mobile devices and removable media (for example, thumb drives), as well as within your CRM system and DMS. Collect data from every department, including sales, service, F&I and human resources.
3. Establish basic security policies. These typically include things such as requiring verbal verification for all wire transfers (made by calling back a phone number already on file, never one supplied in the request itself) and restricting employees' ability to transport electronic devices containing sensitive customer or corporate information. Also, store copies of customers' driver's licenses in a secure area and shred them once they're no longer needed.
4. Apply security patches promptly. This is an easy but often overlooked data security step. More than 90% of dealerships don't have a system in place to keep their security patches regularly updated, according to a WardsAuto.com article. Your chief compliance officer should ensure that operating system and software updates are completed on all store systems and computers whenever they're due, and that someone checks that the updates actually installed rather than assuming they did.
5. Train employees in basic data security measures. Doing so includes educating employees about spear phishing email schemes. Many of these fake emails are highly sophisticated and look legitimate, so don’t assume employees will know how to spot them. Focus your training especially on employees who work in the accounting and F&I departments.
6. Integrate third-party computer systems cautiously. Before allowing third parties to integrate with your dealership’s systems and software, review their data security controls and procedures. Also obtain copies of their security certifications.
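Step 2's inventory of "everywhere data is stored" is usually done with a data-discovery scan rather than by hand. The script below is an added example written for this article, not a tool the article or any vendor provides: it walks a directory tree (a workstation drive, a file share, or a mounted thumb drive) and flags files that appear to contain Social Security numbers or payment card numbers, using a Luhn check to cut down false positives on card-like digit runs. The sample deal-jacket and inventory files it scans are constructed inline for the demonstration, and the patterns and size limit are assumptions you would tune for your own store.

```python
"""Sensitive-data discovery scan for the risk-assessment step.

Added example, not code from the article. Walks a directory tree and reports
files that appear to contain SSNs or payment card numbers. Every hit must be
reviewed by a person; the patterns are deliberately broad.
"""
import os
import re
import tempfile
from pathlib import Path

# SSN in the dashed form used on credit applications; excludes area 000/666/9xx,
# group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13 to 19 digits, optionally separated by single spaces or dashes, not part
# of a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by card issuers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list[str]:
    """Return the normalized (digits-only) card numbers in text that pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_tree(root: Path, max_bytes: int = 5_000_000) -> dict[str, dict[str, int]]:
    """Return {relative_path: {"ssn": n, "card": n}} for every file with a hit.

    Files larger than max_bytes (an assumed limit) are skipped; binary content
    is read with errors ignored so office documents still get a rough scan.
    """
    report: dict[str, dict[str, int]] = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue                      # unreadable file: note it elsewhere
        ssn = len(SSN_RE.findall(text))
        cards = len(find_cards(text))
        if ssn or cards:
            report[path.relative_to(root).as_posix()] = {"ssn": ssn, "card": cards}
    return report


def build_demo_tree() -> Path:
    """Create a constructed dealership file layout in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="dealer_scan_"))
    (root / "f_and_i").mkdir()
    (root / "sales").mkdir()
    (root / "hr").mkdir()
    # Constructed deal jacket: one SSN-shaped value and one Luhn-valid test card.
    (root / "f_and_i" / "deal_jacket.txt").write_text(
        "Buyer: Jane Doe\nSSN: 219-09-9999\n"
        "Card on file: 4111 1111 1111 1111\nPhone: 555-867-5309\n"
    )
    # Constructed inventory: VINs contain letters; the stock ID fails Luhn.
    (root / "sales" / "inventory.csv").write_text(
        "vin,stock_id\n1HGCM82633A004352,1234567890123456\n"
    )
    # Constructed HR note with a phone number only.
    (root / "hr" / "contacts.txt").write_text("Payroll desk: 555-123-4567\n")
    return root


def demo() -> dict[str, dict[str, int]]:
    """Scan the constructed tree and return the findings."""
    return scan_tree(build_demo_tree())


if __name__ == "__main__":
    for rel, counts in sorted(demo().items()):
        print(f"{rel}: {counts}")
```

Run it against a real drive by calling `scan_tree(Path("/mnt/usb"))` or similar; the output is the list of locations that belong in the risk assessment, and anything on a laptop or thumb drive in that list is a candidate for the device-transport restrictions in step 3.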
Make it a top priority
The costs of a cyberattack can be crippling — financially, and in terms of lost customer confidence and damaged reputation. Make cybersecurity a top priority for your dealership if it isn’t already.
Cyber-liability insurance can mitigate costs
One way to mitigate some of the costs of a cyberattack is to buy a cyber-liability insurance policy. This type of coverage will pay some of the costs associated with a data breach in which your customers’ personal information — including driver’s license, credit card and Social Security numbers — is compromised.
Generally, a cyber-liability insurance policy covers legal fees associated with a cyberattack. It could also cover the cost of forensic analysis conducted to discover the cause of a data breach, public relations efforts undertaken to restore your reputation after a cyberattack, and credit monitoring and identity recovery services provided to affected customers.