Out of the Breach

Auto Remarketing News recently reported a study finding that 84% of consumers would not do business with a dealer who had experienced a data security breach of customer information. Earlier studies found that 60% of data breaches target small and mid-size businesses and six in 10 victims go out of business within six months of a breach. This is your dealer clients’ biggest financial risk, as dealerships are prime targets of hackers and criminals seeking valuable personal identity data.

No one can guarantee the dealerships you serve will never be breached. But there are relatively simple things your clients can do right now to reduce their risk from a hacker or disaffected insider who wants to steal your customers’ information. The goal of data security is to make yourself a less attractive target in the hopes that the bad guys will move on to someone else.

To do this, you must first understand that people are your biggest data breach risks. Hackers find it much easier to get into the dealership’s system through the back end, by using social media schemes and other tricks, than by trying to blast through the front end of the system, which is typically better protected. Think of data security in terms of the Three Ps: people, patching and processes.

1. People: People are your biggest risk. A well-trained employee is your best protection against a data breach. A poorly trained employee is your biggest nightmare. Criminals use “phishing” emails that look legitimate to encourage the reader to click on a link or attachment that downloads malware and viruses into your system. Or they call and pretend to need the user’s name and password to troubleshoot. Or users go to unsafe websites. Only 55% of websites are believed to be safe. Collectively, these schemes and more are called “social engineering,” and employees must be trained repeatedly and monitored to not fall victim.
2. Patching: Ongoing software patching is critical so that all your software, especially security software, is always up to date. An IBM study found that 98% of companies that experienced a data breach in 2014 had not installed patches released up to a year earlier. Windows 2003 and Windows XP are no longer supported. Failing to frequently patch software opens huge holes in the front end of your system. So does not changing the default passwords on software, especially security software.
3. Processes: A main goal of data security is to limit points of entry into your system as well as to secure your paper documents. Here are a few things your dealers can easily do to address these risks:

• A dealership should restrict access to customer information. Permissions should be limited to only those employees who need customer information to do their jobs and only to the extent they need it. Also disable all administrator privileges as if these are compromised, a hacker can work substantial damage and change your system with a few clicks on a keyboard.
• Train your employees frequently and make data security a dealership priority. Create a culture of security. Conduct periodic system penetration tests (“white hat” hackers) that attempt to break into your system and vulnerability assessments that detect viruses on PCs and use fake phishing emails to see how many employees click on them. There should be penalties or incentives for employees’ compliance with your security procedures to make it real.
• Disable the ability of anyone to download customer information onto external devices such as USBs, external hard drives, and even PCs. Disable the ability to transmit it by email as well. Install data protection software that will help prevent data from leaving your system.
• Reduce your risk of an employee being tricked by social engineering by systematically prohibiting access to Web-based email such as Gmail or Yahoo. Avoid malware-laden sites by enabling employees to only go to Internet sites approved by your IT department or consultant. Proxy servers that identify and block access to dangerous sites can also help. These steps alone will substantially reduce the risk of social engineering. A recent study found that one in 11 people click on links in phishing emails.
• Require complex passwords and frequent changes. Systems that require log-ins usually provide for audit logs of access and activity. Keep and review periodically the audit logs of users as they can warn you of unusual activity such as spikes in an employee’s access to customer data which may indicate their credentials have been compromised. In the event of a breach, audit logs of system activity will be an important resource to assess and understand the breach.
• Adopt clean desk and short PC screen timeout policies so criminals can’t take pictures of documents or information left out in the open. Similarly, wipe the hard drives of digital devices like PCs and copiers when you trade in or discard them; “deleting” data only removes pointers to it and the information can be accessed from the hard drive. Lock up all paper files and put a “gatekeeper” in charge to track who accesses them and why. These reviews should be combined with audit logs to gain a full picture of each user’s activity.
• Do security background checks on vendors such as mail houses and credit portals that will have access to your customer data. Review their security policies, certifications, and penetration test results. Require notice immediately for any security incidents that could impact your information. Try to get an indemnity for inadequate security or a data breach, although many vendors may resist giving you this protection.
• Investigate getting cyber insurance, which covers the costs of various elements of a data breach such as forensics, legal, regulatory, PR, customer service vendors and more. In 2014, a typical cyber insurance policy for $1 million of coverage cost about $16,000, whereas breached records were estimated to cost $201 for each one compromised taking into account all attendant costs and losses. Significantly, an estimated 40% of cyber insurance policyholders made claims in 2014.
• The Federal Trade Commission (FTC) requires your Safeguards program to include a security incident response plan consisting of senior members of your team and outside specialists (IT, legal, PR, forensics, breach response vendors) who have assigned tasks if a breach occurs. Test the plan with tabletop exercises so that people will know their responsibilities as workflows develop. The first 48 hours after a breach are most critical, and having a response team in place will help you preserve evidence and manage the process more efficiently. Also get to know the cybersecurity specialist at your local FBI office. The FBI offers assistance to companies that are victimized by a data breach and a law enforcement investigation will give you cover to delay sending out notices to affected consumers (required by 48 states and the District of Columbia) until you are in a position to know what happened.
• Be sure to encrypt all your customer data from the moment it is received or entered on your website until you securely destroy it. Make a disaster recovery (DR) copy of your data and applications and place it on another system. “Ransomware” attacks are increasing. In these attacks, a hacker encrypts your entire system so it is inaccessible. You are given a ransom amount to pay in virtual anonymous currency called bitcoins to get the encryption key. A DR system can limit your ransomware risk.
• Mobile devices need to be managed. Obtain mobile device management (MDM) software which inventories every mobile device used to access your system and doesn’t let any others get in. Couple this software with “containerization” software that sends your information to the mobile device through a separate secure stream that you control. Adopt a bring-your-own-device policy that requires employees who want to use their personal phones and tablets to register them with the mobile device management software and allows you to install the container feature. This should help prevent your information from being accessed by any viruses the device picks up.

The FTC will not sue you merely because you experience a data breach. They and other regulators will look at the reasonableness of your program and practices, including your security incident response plan. Make sure to continually update your program as new threats develop.

These are just a few of the steps you can easily take to make your dealers’ customer information more secure and reduce their risk of being the next breach victim. These practices also will make their programs more reasonable in the event of a regulatory inquiry or lawsuit. Finally, please note that, due to the general nature of this article, it is not intended as legal or compliance advice to any person. It raises issues your dealers may want to discuss with their attorneys or compliance professionals.