On any given day, the typical retail automotive F&I office receives upwards of 1,000 pieces of sensitive customer data, including bank account numbers, credit or other financial records, mortgage records, tax documents, wire transfer receipts, Social Security numbers and photos of driver's licenses. But one little gap in the dealership’s IT security system can put those valuable records at risk, exposing the company to a data breach.
Understanding your risks, and putting the necessary prevention and response processes in place will be key to protecting your business going forward.
You may be asking yourself, “How pervasive are data breaches?”
The answer is, “Very pervasive.”
The fact is, data breaches are on the rise across all industries, and as we’ve seen from breaches like Experian and Target, all companies, regardless of size, can be targeted. According to a 2018 report by tech firm Cisco Systems - the number one provider of servers worldwide - 53% of midmarket businesses say that they have suffered a cyber breach, at a cost of $1 - $2.5 million. The Ponemon Institute, a Michigan-based research group, found that in 2018, 67% of small to medium sized businesses had suffered an attack. The FBI’s Internet Crime Report found that more than 350,000 cyberattacks had occurred in 2018, costing over $2.7 billion. More recently, 3,800 publicly disclosed data breaches occurred in the first six months of 2019, exposing up to 4.1 billion records.
So, what can you do to be prepared? Start with education and staying up to date with the most common methods used to gain access to a company’s systems.
Education
According to cybersecurity firm Proofpoint, more than 99% of cyber attacks rely on human interaction, such as opening a file, following a link, or opening a document. The most common types of attacks include:
Malware: A program that is covertly placed onto a computer or electronic device, with the intent to compromise the confidentiality, integrity or availability of data.
Phishing: A technique that attempts to acquire sensitive data with the perpetrator posing as a legitimate business or person.
Ransomware: A type of malware that attempts to deny access to a user’s data and encrypts that data until a ransom is paid.
Distributed Denial of Service (DDoS) Attack: A high-volume of unwanted traffic that ends up exhausting the bandwidth as well as the resources of a company’s systems, rendering them unable to respond to any more requests.
SQL Injection Attack: By injecting a malicious inquiry, the attacker can see into the database as well as modify the data, run any administrative command and even wipe out the entire database.
Man in the Middle (MITM) Attack: Attackers compromise a network and insert themselves between a client and a server, such as a WiFi network and the attached devices.
Something as simple as opening a suspicious email or clicking a link can open the door to a vicious attack. So educate your team on these attacks and how they can help prevent a data breach from happening. This includes implementing new processes and safeguards to protect your data.
Prevention
To start the process of ensuring data security and applying safeguards, we recommend starting with a simple acronym to ensure your business is checking all the boxes: ADRIFT
Assess security risk across all access points and partners.
Document information security program procedures.
Regularly review foreseeable risks that could result in unauthorized disclosure or compromise of consumer data.
Identify a person responsible for customer information security with the authority to implement program changes.
Foresee manageable risks that could result in unauthorized disclosure of private consumer information.
Train your team regularly on your procedures for securing private consumer data.
In addition to protecting data within your own domain, it is critical that you evaluate the security measures of your business partners and obtain security agreements with them. After all, if they experience a breach, they could put your business at risk.
There are programs and certifications that can help ensure you are partnered with organizations who do business above the line. SSAE 18 certification is one of these and is the most widely recognized standard providing companies with a method for reporting information about the design and operation of internal systems and controls relating to privacy and security regulations. SOC 2 reports evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality and privacy. The SSAE 18 certification demonstrates to clients and contract holders that the company has the necessary processes in place to ensure the security of personal and confidential information.
Response
While education and prevention are necessary, it’s also important that your dealership is prepared to respond to a data breach.
The National Institute of Standards and Technology (NIST) has developed an excellent framework to use as a guideline when it comes to responding to a data breach.
Identify - Before an attack even occurs, identify what data or systems are vulnerable. Everything from the copy machine to the cloud servers should be evaluated.
Protect - Safeguard the data and your systems with a cyber attack insurance policy. And, don’t forget to back up your systems. While the cost may seem steep, having those items in place can save millions of dollars in the long-run.
Detect - Be aware of any anomalies in your systems to detect a breach as soon as possible. The old rule of “See something, say something” is particularly relevant in the case of a data breach.
Respond - Take whatever action is necessary to stop the breach in its tracks. Contain the impact while managing communications.
Recover - Restore the capabilities and services that may have been disrupted, and put protections in place to guard against future attempts to gain entry into your systems.
While this may seem daunting, it doesn’t have to be. You most likely already have systems in place to protect your data. Start by writing them down. Talk with your administrators to get data security recommendations. Consider investing in at least a yearly security audit to determine the strength of your systems and apply any new process changes. Lastly, you don’t have to respond to a breach on your own. Evaluate potential partners to help conduct a security response in the event of a breach.
With the amount of confidential consumer information collected in the retail automotive industry, data security is mission critical to successfully conducting business. Understanding your risks, and putting the necessary prevention and response processes in place will be key to protecting your business going forward.
Mautice Hamilton brings extensive experience in spearheading application development and management to his role as vice president of technology at EFG Companies.
