The Federal Trade Commission (FTC) mandates that dealerships – like any other business – have a “comprehensive information security program” in place to protect sensitive customer data. In this blog, we’ll delve into the critical aspects of vulnerability management, highlighting why a vulnerability scan – while valuable – is just the starting point and by itself does absolutely nothing to establish a comprehensive information security program.
Identifying Vulnerabilities
Dealerships, like many other businesses, rely heavily on various applications, networks, and endpoints to sell and service cars and trucks. However, these digital assets can also become entry points for cybercriminals if left unchecked. Common vulnerabilities include network ports left open without a business need, unpatched software, and misconfigured systems. These weaknesses can give attackers a way in, disrupting your business and compromising customer data.
Root Causes of Vulnerabilities
One significant reason behind the existence of vulnerabilities in dealership IT environments is the strain placed on overworked and stressed IT teams. As their to-do lists grow longer, essential tasks such as software patching and configuration checks may take a backseat, leading to the persistence of vulnerabilities.
The Limitations of Vulnerability Scans
A vulnerability scan can produce a list of vulnerabilities to address, but it cannot fix any of them on its own. This is a critical point to understand. Remediating cybersecurity vulnerabilities often requires highly technical expertise and substantial time. Identifying vulnerabilities without a plan to address them is akin to shining a light on a problem and then taking no action to solve it.
Resource Consumption
The process of remediating these vulnerabilities can consume substantial IT resources. It demands a team of qualified IT and cybersecurity professionals who can not only identify issues but also take concrete steps to address them. This can lead to a significant resource drain if your team lacks the necessary expertise or bandwidth.
The FTC Compliance Requirement
It’s important to note that complying with the FTC Safeguards Rule goes beyond just conducting vulnerability scans or penetration tests. The FTC explicitly requires that businesses – including dealerships – have a “comprehensive information security program” in place. This program should address not only the identification of vulnerabilities but also their remediation. Having an information security program riddled with unresolved vulnerabilities does not meet the FTC’s compliance standards.