Dealers are concerned about complying with the new FTC Safeguards Rule. As they delve into what they need to do to comply, there appears to be confusion about the option of either implementing continuous threat monitoring or conducting an annual penetration test along with vulnerability scanning twice per year.
The FTC says that “absent continuous threat monitoring” an organization can opt to do the penetration testing and vulnerability scans. This means the FTC preference is for continuous threat monitoring. Penetration testing and vulnerability scans are essentially better than nothing. Remember, the intent of the new FTC Rule isn’t to simply hassle organizations with new regulations – it’s an attempt to drive organizations to bolster their cyber defenses. The FTC wants you to better protect the consumer data that you have been entrusted with.
If you did a penetration test yesterday and a cybercriminal attacks your dealership today – the penetration test will do NOTHING to stop the attack. If you are attacked today and you have a penetration test scheduled for tomorrow the penetration test will do NOTHING to stop the attack. Penetration tests and vulnerability scans provide you with a snapshot of your vulnerabilities at a specific point in time – that’s it. Penetration tests provide valuable information, but they DO NOT provide an active defense against a cyberattack.
On the other hand, continuous threat monitoring provides your dealership with an active defense against a cyberattack. With continuous threat monitoring you have a combination of software and cybersecurity expertise watching your network 24 hours a day, 7 days a week, 365 days a year for suspicious behavior. When something suspicious is detected, professional threat hunters investigate the activity and determine whether it is in fact an attack in progress. If it is an attack, the attack is stopped in its tracks and all malicious software is removed from your network.
Your number one objective in complying with the new FTC Safeguards Rule should be to optimize your dealership’s cyber defenses. It’s when you have a data breach – and you must report the breach publicly – that regulators and cyber liability insurers will start to investigate your dealership. It’s when you have a breach that your dealership will be examined under a microscope. Your best option in complying with the FTC Safeguards Rule – and keeping your cyber liability insurance – is to do everything you possibly can to prevent a breach in the first place. Your best protection against cybercrime is to implement continuous threat monitoring.