Dealerships leverage data in every aspect of their business. Sensitive customer information is being stored in dealer management systems and customer relationship management systems, in finance and insurance (F&I), sales and service databases and even shared with third-party providers. Failure to secure this data can leave your dealership vulnerable and result in significant financial and reputational damage.
“The threat landscape is evolving and more active than ever,” said Adam Page, our chief information security officer. “Massive data breaches affecting millions of customers of big retailers and banks make headlines, but the majority of breaches happen to smaller companies.”
According to a recent report by RiskBased Security, the first six months of 2019 saw more than 3,800 publicly disclosed breaches that exposed approximately 4 billion records, an increase of 54% compared to the first six months of 2018. The report also revealed that the majority of breaches affect companies with 10,000 or fewer records, indicating that no business is too small to be on a cybercriminal’s radar.
“Cybercriminals may consciously seek out smaller organizations instead of the Fortune 500s because they think the data will be less protected,” explained Nikki Ingram, one of our cybersecurity risk engineers who works closely with dealerships to identify their data vulnerabilities. “Smaller companies can also be more susceptible to ransomware attacks, which is when a company’s computer system is blocked by a hacker until a sum of money is paid either due to lack of security controls or a backup strategy.”
Employees Are Your First Line of Defense
For most companies, it’s not a software program or firewall malfunction that leads to a data breach. It’s employee error that occurs across all departments in an organization.
“That’s why one of the key strategies to minimize the risk of a data breach is to focus on training the people who use and collect customers’ personal information,” explained Daryl Allegree, a regional risk engineer and member of our Alternative Markets Risk Engineering team.
Employee errors can happen while handling data in the most basic ways, such as:
• Taping passwords to a computer terminal
• Neglecting to lock a file cabinet containing sensitive customer information
• Failing to shred paper copies, or delete online copies, of credit applications
• Misplacing a mobile device and having it picked up by a “bad actor”
• Opening an email from an unknown sender that instigates a phishing attack, resulting in a malware infection, theft of sensitive customer information or a fraudulent wire transfer
• Approving an invoice submitted online from a cybercriminal posing as a vendor that results in thousands of dollars in lost funds
One of the most basic levels of security is securing physical paperwork. Shred financial documents that are no longer needed. Physical financial files, especially those found in the F&I office, should be kept in offices that are locked and accessible to only a few employees.
Creating a Culture of Data Security
Every organization’s culture starts at the executive level. A member of the senior management team should be assigned to oversee development and maintenance of a cybersecurity program and company policy. This cybersecurity leader should consider creating a cross-functional team to monitor security awareness, education and compliance throughout the organization.
“At the core of a cybersecurity program is employee training,” Ingram said. “Awareness training with employees has been shown to have a very good return on investment, much more than some of the technology solutions, which require ongoing management to keep effective.”
She recommended educating employees on current threats and attacks, and on best practices for maintaining the confidentiality, privacy and security of sensitive customer data. A company’s cybersecurity policies and procedures should be reviewed, and employees should be made aware that disciplinary action will be taken if the policies are violated.
Ingram recommends that training be held at least annually. Cybercriminals are constantly adopting new tactics to breach data, and if your employees aren’t aware of the latest methods, attacks can go undetected for months within an organization and create widespread damage. If your dealership experiences frequent staff turnover, training should be integrated into new employee onboarding.