As dealerships scramble to comply with the new FTC Safeguards Rule it’s important to remember why the new rule exists – to drive businesses to implement more effective cybersecurity practices that will protect consumer data. The new rule doesn’t exist just to annoy businesses.
Unfortunately, many dealerships are solely concerned with finding the easiest, cheapest way to simply check the FTC’s compliance boxes. This approach doesn’t address the intent of the Rule and will inevitably lead to fines and, worse than any FTC fine, to dealership downtime. Average downtime from a successful cyberattack is about 3 weeks.
The Director of the FTC’s Bureau of Consumer Protection said, “the Safeguards Rule details common-sense steps that institutions must implement to protect consumer data from cyberattacks and other threats.” This is the intent of the Rule. To comply with the intent of the Rule, dealerships must address the most common dealership vulnerabilities. These vulnerabilities include:
- Failure To Promptly Apply Security Patches – Known software vulnerabilities are addressed by applying a software security patch. Cybercriminals routinely look to exploit unpatched software vulnerabilities. Many dealerships don’t have adequate staff to effectively manage the volume of new patches. Additionally, applying a new patch can sometimes cause technical issues with other systems. Therefore, patching is often low on a dealership’s list of priorities.
- Use of Obsolete Devices – Many dealerships view IT as an expense to be minimized – even though the selling and servicing of cars and trucks depends on it. As a result, you can often find obsolete equipment in use at a dealership and these devices remain connected to the dealership’s network. Obsolete devices that are no longer supported by the manufacturer can’t receive new security updates. This makes these devices easy targets for the cybercriminal.
- Lack of Employee Phishing Awareness Training – Phishing attacks are a common method used by cybercriminals to gain access to a dealership’s systems. However, many car dealerships don’t provide adequate training to their employees on how to identify and avoid phishing attacks. This lack of training can leave the dealership’s systems vulnerable to attacks.
- Poor Account Access Control – According to a Gartner report, 50% of security failures can be attributed to improper identity, privileges, and access management controls. Dealerships often struggle to control access to privileged accounts, to revoke account access for terminated employees, and to manage privileged machine accounts. This is an IT responsibility, and dealership IT is often overworked and understaffed. Consequently, this very important function is neglected.
- Poor Data Backup and Restoration Practices – Data backup and restoration practices aren’t a cyber defense, but they are critical for business continuity. If you fall victim to a successful cyberattack, your downtime will be determined by the reliability of your backups and how swiftly your IT team can rebuild your systems from them. When dealerships begin to take the cybersecurity threat seriously, they tend to focus primarily on cyber defense and disregard cyber recovery. The fact is that no matter how strong your defenses are, at some point the cybercriminal will slip in. Limiting the impact on your dealership requires preparing an effective cyber recovery plan in advance.
The vulnerabilities mentioned above are not the only vulnerabilities facing dealerships, but they are some of the most common.
It’s important to remember that the FTC Safeguards Rule requires that dealerships “develop, implement, and maintain a comprehensive information security program.” If you are not addressing the vulnerabilities discussed in this blog – which are all common-sense best practices – then you are failing to develop, implement, and maintain a comprehensive security program and you are not complying with the intent of the new FTC Safeguards Rule.