Note: This post was created prior to the implementation of the CCPA. The law is now in effect as of January 1, 2020. Keep reading to learn more about CCPA compliance and how your dealership may be affected.

On January 1, 2020, the California Consumer Privacy Act will go into full effect. The CCPA aims to protect California consumer data by requiring businesses to take “reasonable measures” to secure consumers’ personal and identifiable information (PII), which means California truck and auto dealers will be affected.

Even if your dealership has the right technology in place, the biggest cybersecurity threat remains: your employees. 

Employee negligence is the main cause of data breaches, so preparing for the CCPA is about more than just updating configurations on hardware and software — it’s also about updating workplace policies and properly training employees on how to comply with the California Consumer Privacy Act.

The California Attorney General defines taking “reasonable measures” as being compliant with 20 controls established by the Center for Internet Security (CIS). In this blog post, we’ll go over a few actions you can take to improve your employees’ defense against cyber attacks, and which CIS controls they fall under.

Make sure these steps are part of your dealership’s CCPA compliance checklist:

1. Provide Security Awareness Training – CIS Control 17: Implement a Security Awareness and Training Program

Employees need to be trained on a number of cybersecurity issues, but one of the most important concerns is phishing. 91% of successful cyberattacks start with a phishing email, so it’s imperative that employees learn how to identify potential phishing, and know what not to do with those emails (download attachments, click links, etc.).

Before launching a training program, perform a skills gap analysis to determine how many of your employees fall for phishing emails. Then, once you implement a cybersecurity awareness training program, you can track your organization’s progress against that baseline.

2. Enforce Password Policies – CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

When passwords are weak, easy to guess, and/or used across multiple platforms, that makes everything easier for cyber attackers.

All employees should follow password best practices. Your organization may have stricter password policies, but at the very least, passwords should:

• Be 8 characters or longer
• Be a combination of letters, numbers, and special characters
• Not be common words or phrases (e.g. “password” or “login”)
• Not contain employee information such as name or birthday (e.g. “JohnSmith1980”)
• Not be used for more than one device/platform/application
• Be changed every 90 days, if not more frequently
• Never be shared with anyone

It can be difficult for employees to remember multiple passwords, especially when they constantly need to be changed, but a password manager can help.

3. Prohibit Visiting Personal Websites At Work – CIS Control 7: Email and Web Browser Protections

When employees visit unsecure websites on company devices or networks, they leave your business more vulnerable to malware, viruses, and phishing attempts. Using web filters to block employee access to commonly-targeted areas like social media, online shopping, and gaming applications can help reduce cyber risk.

4. Don’t Allow Personal Devices – CIS Controls 1 and 2: Inventory and Control of Hardware and Software Assets

Unprotected mobile apps and web applications are highly vulnerable to cyberattacks, so when employees connect personal devices like smartphones, tablets, and laptops to your network, that’s a recipe for disaster. 

There are strategies you can use to reduce risk without completely banning BYOD, such as two-factor authentication, mobile device management (MDM), and network access control (NAC) software, but allowing any personal device use will always carry risk. The safest thing to do is to eliminate it completely.

5. Require Verbal Verification for All Wire Transfers – CIS Control 13: Data Protection

Wire transfer fraud is a real threat to dealerships. Once a wire transfer is complete, it’s almost impossible to retrieve the funds, making it a particularly attractive option for cyber attackers.

Wire transfers requested via email should never be processed without verbal verification. Dealership employees are commonly fooled by emails that appear to be from a high-level executive in their organization, so it’s important to implement a procedure for employees to follow in order to verify the request.

To truly protect your business from cyber threats, you need to have multiple lines of defense. As you plan for the CCPA, remember that your employees are just as important as your technology, and invest in their cybersecurity training just as you would invest in new hardware or software.