Asset Protection

Today’s dealerships are “connected” — not Tony Soprano connected but connected to their customers, employees, OEM brands, and to the communities they serve. Unfortunately, dealerships are also connected to predators that would like nothing more than to get into their systems to access valuable data about their customers and employees, as well as intimate details about the dealers and their businesses.

The “Who’s data is it anyway?” debate between dealers, third-party vendors and DMS providers may not be as intense as it was back in 2007, but the issues involved remain just as critical. The reason is data drives virtually every solution used to manage today’s connected dealership, challenging both manufacturers and dealers to maintain data centers of clean and current customer, employee, finance, and vehicle data.

The problem is dealers often have third-party vendors connecting and pulling that data — sometimes multiple times a day — from their DMS, including “legitimate” partners like OEMs and authorized vendors of CRM and merchandizing systems, as well as other complimentary applications. And as dealers seek to integrate multiple solutions, the movement of sensitive customer and dealership proprietary data becomes essential. It also becomes a legal and financial liability.

A New Role

Dealers need to be keenly aware of the risks involved in providing access to data. The best course of action for dealers is to appoint a chief information security officer. This individual would be responsible for maintaining an inventory of all data stored in all dealership systems. He or she would also be responsible for detecting and correcting data breaches.

Cyber Security expert Richard White, who serves as managing director of data security firm Oxford Solutions, spoke at this year’s National Automobile Dealers Association (NADA) Convention & Expo. His main message was that people have become desensitized to reported cyber-attacks because they have become so common.

I’m guessing most of you have received a notice about a data breach from a retailer, credit card company, or health care company. These alerts are usually followed by some assurance that the firm will provide some level of data security protection for a period of time at their expense, as if that’s enough for us to sleep better at night knowing our private information may be swimming in unfriendly waters.

Bottom line, if you haven’t taken inventory of who is connecting to your systems, the data being stored, and the legal requirements your dealership is responsible for, it is critical you take action now.

A Bigger Threat

There is a bigger threat, however. See, when it comes to securing their data, most dealers focus on what is flowing in and out of their DMS, why the factory wants their data, and which vendors are connecting to their systems. What they overlook is the threat posed by the very people they employ — individuals who use the web to connect to the DMS and the very applications used to run the dealership.

And just think about how they’re making those connections. Are they using the same devices they use to run personal applications, surf the web, and receive and open unscreened junk mail and files that might contain viruses and malware intended to infiltrate networks? Unless the activities taking place on those personal devices are monitored, the dealership’s exposure to hacking, fraud and extortion is multiplied exponentially.

And, yes, we see businesses being hacked and their data hijacked on a weekly basis. In some cases, these hackers lock out the business until a ransom is paid. 

And if you think your dealership doesn’t really use web applications, think again. At this year’s NADA Convention & Expo, I asked a group of dealers how many applications they thought were being accessed at their dealerships. All of them replied with a range of between six and 10 applications.

Well, according to Brady Ferron, the average dealership juggles around 42 different online destinations — some dealer rooftops handling more than 60. Ferron is looking to address many of the data security issues dealers are facing as CEO of DealerHQ, and he had recently completed an inventory of applications used in several dealerships when I shared with him my conversation with that group of dealers.

See, what many dealers overlook is their connections to social media sites like Facebook, Twitter, LinkedIn, and Instagram. Add in personal applications, email, games, reference tools, and smartphones, and it’s easy to see how these access points have grown over the years.  And the risk from multiple web applications only grows with the number of individuals a dealership employs.

The good news is that many of these applications utilized by dealerships are password protected. The bad news is each application requires a logon and password credential for each employee. And unfortunately, many dealers fail to cut off access to these applications when an employee leaves the dealership. That’s why revoking credentials should be part of your employee exit strategy. Hey, it’s a good first step to protecting your most prized asset: your data.

David Nathanson is chief consulting officer and head of the retail advisory practice at motormindz, a global automotive professional services and technology company. Email David at [email protected].