Requirements in recent consumer data privacy laws are causing confusion and unnecessary expense for dealers. For example, on January 1st, the California Consumer Protection Act (CCPA) became law. The legislation requires companies to have “reasonable security” in place to protect sensitive consumer information. However, it fails to define what these reasonable measures are.
As an auto dealer, how do you know what reasonable measures to take without a clear-cut definition? In California, the Attorney General points to 20 controls issued by the Center for Internet Security (CIS) as guidelines for business owners.
The CIS controls are very thorough and provide a broad framework of steps to take for businesses in all industries. However, it’s important to note that not every business in every industry has to follow all 20 controls exactly as written.
What’s reasonable for an auto dealer is different from what’s reasonable for a business in another industry. For example, some wording in the CIS controls pertains specifically to software developers, so those guidelines would not be applicable to auto dealerships.
The intent of the CIS is for their framework to be adapted by industry-specific experts who define how its elements should be implemented in that specific industry. In the auto industry, it’s critical that when you’re searching for help implementing the CIS controls, the person or entity has both cybersecurity expertise AND an intimate knowledge of your business—the business of selling and servicing cars.
At Helion, we’ve adapted the CIS controls specifically for auto dealerships, and have come up with a list of 10 essential IT security best practices. These include the following:
- Training/written policies/standards
- Windows Active Directory
- Cloud-managed, business-grade network equipment
- Unified security management
- Cloud-hosted email, file sharing and backup
- Remote management and monitoring tool
- Centrally managed enterprise anti-virus/malware and URL filtering
- 802.1x port-based network access control
- Adaptive identity management
- Penetration testing
To learn more about each of these best practices and how they help your dealership comply with new consumer privacy laws, download our free guide: IT Best Practices for Auto Dealers.
When implementing these best practices, start with the simplest initiatives that have the broadest impact, and refine your security practices as time progresses. Once implemented, these best practices will provide proof positive that your auto dealership is taking “reasonable measures” to protect your customer data and keep your IT systems safe.