How confident are you that your dealership can withstand a cyber attack? In my experience, most dealers underestimate the threat of attack and overestimate their ability to withstand an attack.
When looking at your internal information technology (IT) strategy, it’s important to understand where cyber attacks originate.
First, identify what in your dealership is valuable to cyber criminals. Assuming money is a primary motivator, they want to accomplish one of the following:
- Obtain routing and bank account numbers
- Access your customer data: Social Security numbers, credit scores and credit card numbers
- Hold your data hostage and make you pay ransom to gain access to it
To successfully thwart these objectives, your dealership needs to have three lines of defense in place.
Perimeter
This is the first and most obvious line of defense that most people think of when it comes to security. The perimeter consists of technology solutions designed to keep your data safe.
Ensure that you have an up-to-date firewall, spam filter (aka spam firewall) and an intrusion prevention system. Additionally, make sure your routers are enterprise-grade, as they have better security features.
Desktop
This is where we see a lot of dealerships making themselves vulnerable. Employees’ computers need to be locked down at the desktop level.
Ironically, the way to accomplish this is not at the desktop. You need to have a centralized administrative setup, so that employees are not allowed to install or uninstall their own software. Anti-virus software should also be centrally managed and not installed on individual desktops.
Additionally, install web-filtering software that monitors employee activity and prevents them from accessing dangerous websites. Many cyber attacks occur because employees click on an email link that leads them to a malicious website.
Switching from desktop-based applications to cloud-based applications is also highly recommended. The huge Equifax breach that exposed millions of customer records occurred because of a simple failure to install a software update, also known as a patch. If you’re using cloud-based applications such as Office 365, security patches are applied automatically.
Employees
The final and perhaps most important line of defense is your employees. Over ninety percent of successful data breaches start with phishing attacks, which use emails to lure employees into clicking on something they shouldn’t.
Make sure you provide your employees with security awareness training, which is required under the FTC Safeguards Rule. Also put policies and procedures in place designed to increase security, such as:
- Require employees to change passwords every 90 days
- Verbally confirm all wire transfers
- Patch all desktop-based applications weekly, if not daily
- Keep logging records
- Get an IT security audit once a year
- Obtain cyber liability insurance
- Create a cyber incident response plan and response team
The threat of cyber attacks is growing and should not be underestimated. Do you have three lines of defense in place? If not, your dealership is vulnerable.