RSS Feed The following blog is based on an article that Randy Henrick published in the July-August 2016 edition of Subprime Auto Finance News
Auto Remarketing News recently reported a study finding that 84% of consumers would not do business with a dealer that experienced a data security breach of customer information. Earlier studies found that 60% of data breaches target small and mid-size businesses and six in ten victims go out of business within six months of a breach. This is your biggest financial risk as dealerships are prime targets of hackers and criminals seeking customer identity data.
No one can ensure you will never be breached. But there are relatively simple things you can do right now to reduce your risk from a hacker or disaffected insider who wants to steal your customers' information. The goal of data security is to make yourself a less attractive target in the hopes that the bad guys will move on to someone else.
To do this, you must first understand that people are your biggest data breach risks. Hackers find it much easier to get into your system through the back-end, your users, by using social media schemes and other tricks, than by trying to blast through the front end of your system which is typically better protected. Think of data security as three p's: people, patching, and processes.
People
People are your biggest risk. A well-trained employee is your best protection against a data breach. A poorly trained employee is your biggest nightmare. Criminals use "phishing" emails that look legitimate to encourage the reader to click on a link or attachment that downloads malware and viruses into your system. Or they call and pretend to need the user's name and password to troubleshoot. Or users go to unsafe websites. Only 55% of websites are believed to be safe. Collectively, these schemes and more are called "social engineering" and employees must be trained repeatedly and monitored to not fall victim.
Patching
Ongoing software patching is critical so that all your software, especially security software, is always up to date. An IBM study found that 98% of companies that experienced a data breach in 2014 had not installed patches released up to a year earlier. Windows 2003 and Windows XP are no longer supported. Failing to frequently patch software opens huge holes in the front end of your system. So does not changing the default passwords on software, especially security software.
Processes
A main goal of data security is to limit points of entry into your system as well as to secure your paper documents. Here are a few things you can easily do to address these risks:
1. Restrict who in your dealership can access customer information. Permissions should be limited to only those employees who need customer information to do their jobs and only to the extent they need it. Also disable all administrator privileges as if these are compromised, a hacker can work substantial damage and change your system with a few clicks on a keyboard.
2. Train your employees frequently and make data security a dealership priority. Create a culture of security. Conduct periodic system penetration tests ("white hat hackers") that attempt to break into your system and vulnerability assessments that detect viruses on PCs and use fake phishing emails to see how many employees click on them. There should be penalties or incentives for employees' compliance with your security procedures to make it real.
3. Disable the ability of anyone to download customer information onto external devices such as USBs, external hard drives, and even PCs. Disable the ability to transmit it by email as well. Install data protection software that will help prevent data from leaving your system.,
4. Reduce your risk of an employee being tricked by social engineering by systematically prohibiting access to Web-based email such as Gmail or Yahoo. Avoid malware-laden sites by enabling employees to only go to Internet sites approved by your IT department or consultant. Proxy servers that identify and block access to dangerous sites can also help. These steps alone will substantially reduce the risk of social engineering. A recent study found that one in eleven people click on links in phishing emails.
5. Require complex passwords and frequent changes. Systems that require log-ins usually provide for audit logs of access and activity. Keep and review periodically the audit logs of users as they can warn you of unusual activity such as spikes in an employee's access to customer data which may indicate their credentials have been compromised. In the event of a breach, audit logs of system activity will be an important resource to assess and understand the breach.
6. Adopt clean desk and short PC screen timeout policies so criminals can't take cell phone pictures of documents or information left out in the open. Similarly, wipe the hard drives of digital devices like PCs and copiers when you trade-in or discard them as "deleting" data only removes pointers to it and the information can be accessed from the hard drive. Lock up all paper files and put a "gatekeeper" in charge to track who accesses them and why. These reviews should be combined with audit logs to gain a full picture of each user's activity.
7. Do security background checks on vendors such as mail houses and credit portals that will have access to your customer data. Review their security policies, certifications, and penetration test results. Require notice immediately for any security incidents that could impact your information. Try to get an indemnity for inadequate security or a data breach although many vendors may resist giving you this protection.
8. Investigate getting cyber insurance which covers the costs of various elements of a data breach such as forensics costs, legal, regulatory, PR, customer service vendors, and more. In 2014, a typical cyber insurance policy for $1 million of coverage cost about $16,000, whereas breached records were estimated to cost $201 for each one compromised taking into account all attendant costs and losses. Significantly, an estimated 40% of cyber insurance policyholders made claims in 2014.
9. The FTC requires your Safeguards program to include a security incident response plan consisting of senior members of your team and outside specialists (IT, Legal, PR, forensics, breach response vendors) who have assigned tasks if a breach occurs. Test the plan with tabletop exercises so that people will know their responsibilities as workflows develop. The first 48 hours after a breach are most critical and having a response team in place will help you preserve evidence and manage the process more efficiently. Also get to know the cyber security specialist at your local FBI office. The FBI offers assistance to companies that are victimized by a data breach and a law enforcement investigation will give you cover to delay sending out notices to affected consumers (required by 48 states and the District of Columbia) until you are in a position to know what happened.
10. Be sure to encrypt all your customer data from the moment it is received or entered on your website until you securely destroy of it. Make a DR copy of your data and applications and place it on another system. "Ransomware" attacks are increasing. In these attacks, a hacker encrypts your entire system so it is inaccessible. You are given a ransom amount to pay in virtual anonymous currency called bitcoins to get the encryption key. A DR system can limit your ransomware risk.
11. Mobile devices need to be managed. Obtain Mobile Device Management (MDM) software which inventories every mobile device used to access your system and doesn't let any others get in. Couple this software with "containerization" software that sends your information to the mobile device through a separate secure stream that you control. Adopt a BYOD (Bring Your Own Device) policy that requires employees who want to use their personal cell phones and tablets to register them with the mobile device management software and allows you to install the container feature. This should help prevent your information from being accessed by any viruses the device picks up.
The FTC will not sue you merely because you experience a data breach. They and other regulators will look at the reasonableness of your program and practices, including your security incident response plan. Make sure to continually update your program as new threats develop.
These are just a few of the steps you can easily take to make your customer information more secure and reduce your risk of being the next breach victim. These practices also will make your program more reasonable in the event of a regulatory inquiry or lawsuit.
__________________
Randy Henrick is an auto dealer compliance expert who offers compliance consulting services to dealers at www.AutoDealerCompliance.net. Randy served for 12 years as Dealertrack's lead regulatory and compliance attorney and wrote all of Dealertrack's Compliance Guides. He presented workshops at the last two NADA national conventions, speaks to dealer associations, and prepares training and other compliance materials for dealers. Because of the general nature of this article, it is not intended as legal or compliance advice to any person but raises issues you may want to discuss with your attorney or compliance professional.
Auto Remarketing News recently reported a study finding that 84% of consumers would not do business with a dealer that experienced a data security breach of customer information. Earlier studies found that 60% of data breaches target small and mid-size businesses and six in ten victims go out of business within six months of a breach. This is your biggest financial risk as dealerships are prime targets of hackers and criminals seeking customer identity data.
No one can ensure you will never be breached. But there are relatively simple things you can do right now to reduce your risk from a hacker or disaffected insider who wants to steal your customers' information. The goal of data security is to make yourself a less attractive target in the hopes that the bad guys will move on to someone else.
To do this, you must first understand that people are your biggest data breach risks. Hackers find it much easier to get into your system through the back-end, your users, by using social media schemes and other tricks, than by trying to blast through the front end of your system which is typically better protected. Think of data security as three p's: people, patching, and processes.
People
People are your biggest risk. A well-trained employee is your best protection against a data breach. A poorly trained employee is your biggest nightmare. Criminals use "phishing" emails that look legitimate to encourage the reader to click on a link or attachment that downloads malware and viruses into your system. Or they call and pretend to need the user's name and password to troubleshoot. Or users go to unsafe websites. Only 55% of websites are believed to be safe. Collectively, these schemes and more are called "social engineering" and employees must be trained repeatedly and monitored to not fall victim.
Patching
Ongoing software patching is critical so that all your software, especially security software, is always up to date. An IBM study found that 98% of companies that experienced a data breach in 2014 had not installed patches released up to a year earlier. Windows 2003 and Windows XP are no longer supported. Failing to frequently patch software opens huge holes in the front end of your system. So does not changing the default passwords on software, especially security software.
Processes
A main goal of data security is to limit points of entry into your system as well as to secure your paper documents. Here are a few things you can easily do to address these risks:
1. Restrict who in your dealership can access customer information. Permissions should be limited to only those employees who need customer information to do their jobs and only to the extent they need it. Also disable all administrator privileges as if these are compromised, a hacker can work substantial damage and change your system with a few clicks on a keyboard.
2. Train your employees frequently and make data security a dealership priority. Create a culture of security. Conduct periodic system penetration tests ("white hat hackers") that attempt to break into your system and vulnerability assessments that detect viruses on PCs and use fake phishing emails to see how many employees click on them. There should be penalties or incentives for employees' compliance with your security procedures to make it real.
3. Disable the ability of anyone to download customer information onto external devices such as USBs, external hard drives, and even PCs. Disable the ability to transmit it by email as well. Install data protection software that will help prevent data from leaving your system.,
4. Reduce your risk of an employee being tricked by social engineering by systematically prohibiting access to Web-based email such as Gmail or Yahoo. Avoid malware-laden sites by enabling employees to only go to Internet sites approved by your IT department or consultant. Proxy servers that identify and block access to dangerous sites can also help. These steps alone will substantially reduce the risk of social engineering. A recent study found that one in eleven people click on links in phishing emails.
5. Require complex passwords and frequent changes. Systems that require log-ins usually provide for audit logs of access and activity. Keep and review periodically the audit logs of users as they can warn you of unusual activity such as spikes in an employee's access to customer data which may indicate their credentials have been compromised. In the event of a breach, audit logs of system activity will be an important resource to assess and understand the breach.
6. Adopt clean desk and short PC screen timeout policies so criminals can't take cell phone pictures of documents or information left out in the open. Similarly, wipe the hard drives of digital devices like PCs and copiers when you trade-in or discard them as "deleting" data only removes pointers to it and the information can be accessed from the hard drive. Lock up all paper files and put a "gatekeeper" in charge to track who accesses them and why. These reviews should be combined with audit logs to gain a full picture of each user's activity.
7. Do security background checks on vendors such as mail houses and credit portals that will have access to your customer data. Review their security policies, certifications, and penetration test results. Require notice immediately for any security incidents that could impact your information. Try to get an indemnity for inadequate security or a data breach although many vendors may resist giving you this protection.
8. Investigate getting cyber insurance which covers the costs of various elements of a data breach such as forensics costs, legal, regulatory, PR, customer service vendors, and more. In 2014, a typical cyber insurance policy for $1 million of coverage cost about $16,000, whereas breached records were estimated to cost $201 for each one compromised taking into account all attendant costs and losses. Significantly, an estimated 40% of cyber insurance policyholders made claims in 2014.
9. The FTC requires your Safeguards program to include a security incident response plan consisting of senior members of your team and outside specialists (IT, Legal, PR, forensics, breach response vendors) who have assigned tasks if a breach occurs. Test the plan with tabletop exercises so that people will know their responsibilities as workflows develop. The first 48 hours after a breach are most critical and having a response team in place will help you preserve evidence and manage the process more efficiently. Also get to know the cyber security specialist at your local FBI office. The FBI offers assistance to companies that are victimized by a data breach and a law enforcement investigation will give you cover to delay sending out notices to affected consumers (required by 48 states and the District of Columbia) until you are in a position to know what happened.
10. Be sure to encrypt all your customer data from the moment it is received or entered on your website until you securely destroy of it. Make a DR copy of your data and applications and place it on another system. "Ransomware" attacks are increasing. In these attacks, a hacker encrypts your entire system so it is inaccessible. You are given a ransom amount to pay in virtual anonymous currency called bitcoins to get the encryption key. A DR system can limit your ransomware risk.
11. Mobile devices need to be managed. Obtain Mobile Device Management (MDM) software which inventories every mobile device used to access your system and doesn't let any others get in. Couple this software with "containerization" software that sends your information to the mobile device through a separate secure stream that you control. Adopt a BYOD (Bring Your Own Device) policy that requires employees who want to use their personal cell phones and tablets to register them with the mobile device management software and allows you to install the container feature. This should help prevent your information from being accessed by any viruses the device picks up.
The FTC will not sue you merely because you experience a data breach. They and other regulators will look at the reasonableness of your program and practices, including your security incident response plan. Make sure to continually update your program as new threats develop.
These are just a few of the steps you can easily take to make your customer information more secure and reduce your risk of being the next breach victim. These practices also will make your program more reasonable in the event of a regulatory inquiry or lawsuit.
__________________
Randy Henrick is an auto dealer compliance expert who offers compliance consulting services to dealers at www.AutoDealerCompliance.net. Randy served for 12 years as Dealertrack's lead regulatory and compliance attorney and wrote all of Dealertrack's Compliance Guides. He presented workshops at the last two NADA national conventions, speaks to dealer associations, and prepares training and other compliance materials for dealers. Because of the general nature of this article, it is not intended as legal or compliance advice to any person but raises issues you may want to discuss with your attorney or compliance professional.