The new FTC Safeguards Rule requires dealerships to implement and maintain an information security program that protects consumer data. The new Safeguards Rule goes into effect in December 2022. Dealerships are now scrambling to comply with these new regulations. But why are they scrambling? The FTC isn’t asking businesses to do anything extraordinary.
The FTC requires that businesses implement a set of cybersecurity best practices that have been shown to be an effective defense against a cyberattack. These best practices have been developed by the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS). These are reasonable best practices that have been around for a while. In fact, all Helion’s clients have these best practices in place.
Does your dealership have in place the technical cybersecurity best practices to comply with the FTC’s new Rule? These include:
- A Qualified Individual – someone responsible for your technical cybersecurity strategy who has cybersecurity training and expertise.
- Annual Risk Assessments – an assessment to identify cybersecurity risks and vulnerabilities that are then categorized and prioritized.
- Continuous Threat Monitoring – a combination of technology like Security Information and Event Management (SIEM) and a team of cybersecurity professionals who monitor your IT environment 24x7x365 for suspicious behavior, investigate such behavior, and stop any malicious behavior swiftly.
- Employee Cybersecurity Awareness Training – this training can be gamified and automated to make it easy and convenient for your employees.
- Multi-Factor Authentication (MFA) – all employee access to consumer PII must have MFA implemented.
- Effective Administrative Account Management – this is often done with the appropriate implementation and ongoing management of Microsoft Active Directory.
- Timely Security Patch Management – this ensures that technology is kept up-to-date and runs smoothly. More importantly, it fixes vulnerabilities that cybercriminals look to exploit.
- Device Lifecycle Management – this ongoing process ensures that you don’t have obsolete hardware connected to your network, since this is a serious cybersecurity vulnerability.
- Data Encryption – encoding data into ciphertext so that only authorized recipients can decrypt the data.
- Data Backup – data backup must be done frequently, and restoration testing done regularly.
If you don’t have these best practices in place, then perhaps it’s because IT and cybersecurity isn’t your business. Instead, you’re an expert at selling and servicing cars and trucks – as you should be.
Today, dealerships that are scrambling to cobble together the IT/cybersecurity best practices that the FTC requires are most likely doing so because of the following:
- Don’t Have Access to the Appropriate Expertise – only about 30% of dealerships employ a network engineer with computer security certification and training. Most don’t have a trained cybersecurity professional. In fact, many dealerships have someone running their IT/cybersecurity who has no formal IT/cybersecurity training.
- Difficulty Hiring & Keeping IT & Cybersecurity Expertise – well-trained, certified IT and cybersecurity professionals are very expensive, hard to recruit, and difficult to keep happy. These people want to work in a dynamic environment with the best technology and the ability to further their training and certifications.
- IT & Cybersecurity Has Changed Significantly – today, technology and the cybersecurity threat advance and change quickly. Keeping ahead of these changes requires a level of expertise that most dealerships just don’t have in place.
So, what should you do? The answer is simple: focus on what you know best – selling and servicing cars and trucks. Don’t attempt to establish your own internal IT/cybersecurity team – it won’t work. Instead, outsource your IT/cybersecurity to a company that is in the business of providing IT/cybersecurity services.
When you outsource, you don’t have to deal with the hassle and expense associated with recruiting, training, and retaining IT/cybersecurity professionals.
When you outsource, if you need to scale up or scale back it’s easy. Just call your IT/cybersecurity provider.
When you outsource, you don’t put all your eggs in one basket. You aren’t left holding the bag with no support, as you would be if you happened to hire a great cybersecurity person who then found a better opportunity and quit.
When you outsource, you’ll always stay current. This way, you never have to scramble again to deal with new compliance rules and regulations. Dealerships that outsource their IT/cybersecurity services aren’t scrambling to comply with the new FTC Rule. Instead, these dealers are just doing what they do best – selling and servicing cars and trucks. What are you doing?