If you run monthly reports, sales logs, F&I logs or any kind of sales report, the data gathered from the DMS is probably stored on the local machine’s hard drive as well. If you e-mailed a file containing customers’ NPI, that e-mail is still in your “sent items” file, along with the attachment. If you received any e-mail with customers’ NPI contained, either in the body of the e-mail or attached to it, the data goes wherever the e-mail goes. Some menu applications store the data you enter, at least temporarily. Many credit bureau files — the Holy Grail to identity thieves — are stored on a local computer if the bureau file is downloaded.
With all of this sensitive data kept electronically at the dealership, whose responsibility is it to protect it? It’s the dealer’s, of course.

Any IT person will tell you that no network is completely secure. Mercifully, the law (the FTC Safeguards Rule issued under the Gramm-Leach-Bliley Act) is written with this in mind. It requires a conscientious, good-faith effort (properly documented and maintained) to protect customers’ NPI; a perfect result is not required.

The law obligates dealers to “Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information…”

In plain English, for the computer network that means conducting a Network Vulnerability Assessment (NVA). An NVA is a systematic scan of your network for flaws in a system or device that an attacker (internal or external) could leverage to compromise the network. Some vulnerabilities are as easily rectified as strengthening a weak password policy, applying a missing update or updating outdated firmware; others, such as spyware already active on your network, mean a compromise has already happened. Thousands of vulnerabilities are known, and more are published every day.

The NVA obligation can be satisfied in a couple of ways. You could hire a company to come in and assess your network; the cost for this type of assessment could range from $5,000 to $50,000.
Alternatively, a dealer could purchase a vulnerability scanner appliance that scans the entire network from the inside. It reports the weaknesses it can detect (a scanner finds known, published vulnerabilities, not every possible flaw) so you can fix them, limiting what a hacker — or rogue employee — will have access to.

This method of reporting vulnerabilities also satisfies the requirement that a dealer periodically audit its information security program. If you own the scanner, it can be configured to scan on a schedule, compare the current scan to previous scans and chart your network’s improving health over time as vulnerabilities are detected and eliminated. Keep those reports; they are the documentation of your good-faith effort.

The law also holds the dealer responsible for “detecting, preventing and responding to attacks, intrusions, or other systems failures.”

Many dealers believe they satisfy this requirement by having a firewall. They assume wrongly. A firewall — properly configured — is the first component of a security system. It blocks traffic by port and address, but it does not detect attacks that arrive over the ports you have to leave open, and it does not tell you when one is under way. To rely on a firewall alone is to walk around with a “Sue Me!” sign on one’s wallet.

Imagine you wanted to protect your physical dealership, so you put a fence up all the way around it. The fence does a great job keeping out all of the bad guys, but in doing that you’ve also kept out all of the good guys. It’s tough to sell cars if no one can get in at all. The same is true of a firewall: you use it to close all of the unnecessary “gates,” or ports, into your network.

But remember, the bad guys expect a firewall. They simply scan for open ports. It follows that the fewer ports you leave open, the fewer chances a hacker has of getting in. The fact remains that you have to leave some ports open in order to do business, just as you have to leave gates in your fence.
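The scan-over-time tracking described above (comparing the current scan to previous scans so you can show vulnerabilities being eliminated) comes down to a diff of two result sets. The following is an added example, not code from the original article or from any scanner vendor: it parses two scan exports in a constructed, hypothetical comma-separated format (host, port, finding id, severity), reports what was fixed, what is new and what is still open, and summarizes the worst open severity. Real scanners export CSV or XML that you would parse the same way; the host addresses and finding ids are made up.

```python
"""
Added example (not from the article): compare two vulnerability scan
results and report fixed, new and persistent findings. The input format
is a hypothetical one: 'host,port,finding_id,severity' per line.
"""
from collections import Counter
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    finding_id: str
    severity: str


def parse_scan(text):
    """Parse 'host,port,finding_id,severity' lines into a set of Findings.
    Blank lines and '#' comments are skipped; malformed lines raise."""
    findings = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        host, port, fid, sev = parts
        sev = sev.lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"line {lineno}: unknown severity {sev!r}")
        findings.add(Finding(host, int(port), fid, sev))
    return findings


def diff_scans(previous, current):
    """Return (fixed, new, persistent) relative to the previous scan."""
    return previous - current, current - previous, previous & current


def severity_counts(findings):
    return Counter(f.severity for f in findings)


def worst_severity(findings):
    if not findings:
        return "none"
    return max(findings, key=lambda f: SEVERITY_RANK[f.severity]).severity


def report(previous_text, current_text):
    """Build the trend summary a dealer would keep as audit evidence."""
    prev, cur = parse_scan(previous_text), parse_scan(current_text)
    fixed, new, persistent = diff_scans(prev, cur)
    return {
        "previous_total": len(prev),
        "current_total": len(cur),
        "fixed": sorted(f.finding_id for f in fixed),
        "new": sorted(f.finding_id for f in new),
        "persistent": sorted(f.finding_id for f in persistent),
        "worst_open": worst_severity(cur),
        "open_by_severity": dict(severity_counts(cur)),
    }


# Constructed sample scans (hypothetical hosts and finding ids).
LAST_MONTH = """
# host,port,finding_id,severity
10.0.5.10,445,SMBv1-enabled,high
10.0.5.10,3389,RDP-no-NLA,medium
10.0.5.20,80,outdated-web-server,high
10.0.5.1,23,telnet-open,critical
"""

THIS_MONTH = """
# host,port,finding_id,severity
10.0.5.10,3389,RDP-no-NLA,medium
10.0.5.20,80,outdated-web-server,high
10.0.5.30,21,anonymous-ftp,high
"""

if __name__ == "__main__":
    r = report(LAST_MONTH, THIS_MONTH)
    print(f"open findings: {r['previous_total']} -> {r['current_total']}")
    print("fixed:", ", ".join(r["fixed"]) or "none")
    print("new:", ", ".join(r["new"]) or "none")
    print("still open:", ", ".join(r["persistent"]) or "none")
    print("worst open severity:", r["worst_open"])
```

A finding is keyed on host, port and finding id, so the same weakness reappearing on a different machine shows up as new rather than persistent, which is the behaviour you want when a rogue or forgotten host joins the network between scans.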
The detection and response obligation is addressed with an intrusion detection system (IDS). An IDS watches traffic behind the firewall and alerts on attacks, both known ones (matched against signatures) and unknown ones (flagged as deviations from normal traffic). Note the distinction from an intrusion prevention system (IPS), which sits inline and can also block the traffic it flags; a plain IDS only detects and alerts, so someone has to be responsible for reading and acting on those alerts.
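The article says the bad guys simply scan for open ports and that an IDS is what notices such attacks. As an added example, not code from the article or from any IDS product, here is the detection logic for exactly that case, run over constructed firewall deny log lines in a hypothetical format: one source address refused on many distinct ports within a short window is flagged as a port scan, while your own scheduled vulnerability scanner (a hypothetical address) is excluded so that every monthly NVA does not become an alert. Products such as Snort or Suricata do this with tuned rules; the thresholds below are assumptions.

```python
"""
Added example (not from the article): detect a port scan in firewall
deny logs. Log format is hypothetical:
  '2024-03-04T02:15:00 DENY src=A dst=B dport=N proto=tcp'
"""
from collections import defaultdict, deque
from datetime import datetime

# Detection thresholds (assumptions; tune to the network).
DISTINCT_PORTS = 10      # distinct destination ports from one source...
WINDOW_SECONDS = 60      # ...within this many seconds triggers an alert
# Your own NVA scanner must be excluded or every scheduled scan alerts
# (hypothetical address).
KNOWN_SCANNERS = {"10.0.5.250"}


def parse_line(line):
    """Parse one deny record into a dict; return None for anything else."""
    parts = line.split()
    if len(parts) < 3 or parts[1] != "DENY":
        return None
    rec = {"time": datetime.fromisoformat(parts[0])}
    for field in parts[2:]:
        key, _, val = field.partition("=")
        rec[key] = val
    if "src" not in rec or "dport" not in rec:
        return None
    rec["dport"] = int(rec["dport"])
    return rec


def detect_port_scans(lines, distinct_ports=DISTINCT_PORTS,
                      window=WINDOW_SECONDS, exclude=KNOWN_SCANNERS):
    """Return a list of (source, first_time, sorted_ports) alerts.
    Per source, keep a deque of (time, port) events inside the window and
    fire once when the number of distinct ports crosses the threshold."""
    events = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] in exclude:
            continue
        src, now = rec["src"], rec["time"]
        q = events[src]
        q.append((now, rec["dport"]))
        # Drop events that have fallen out of the sliding window.
        while q and (now - q[0][0]).total_seconds() > window:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= distinct_ports and src not in alerted:
            alerted.add(src)
            alerts.append((src, q[0][0], sorted(ports)))
    return alerts


# Constructed sample log: an outside host sweeps 12 ports in 12 seconds,
# the scheduled internal scanner does the same and is ignored, and a
# user retrying one blocked connection a few times is not a scan.
SAMPLE_LOG = []
for i in range(12):
    SAMPLE_LOG.append(f"2024-03-04T02:15:{i:02d} DENY src=203.0.113.7 "
                      f"dst=10.0.5.10 dport={20 + i} proto=tcp")
for i in range(12):
    SAMPLE_LOG.append(f"2024-03-04T03:00:{i:02d} DENY src=10.0.5.250 "
                      f"dst=10.0.5.10 dport={20 + i} proto=tcp")
for i in range(5):
    SAMPLE_LOG.append(f"2024-03-04T09:01:{i * 10:02d} DENY src=198.51.100.9 "
                      f"dst=10.0.5.20 dport=3389 proto=tcp")
SAMPLE_LOG.append("2024-03-04T09:02:00 ALLOW src=198.51.100.9 "
                  "dst=10.0.5.20 dport=443 proto=tcp")

if __name__ == "__main__":
    for src, first, ports in detect_port_scans(SAMPLE_LOG):
        print(f"ALERT port scan from {src} starting {first.isoformat()}: "
              f"{len(ports)} ports {ports[0]}-{ports[-1]}")
```

The exclusion list is the part dealers most often get wrong in practice: either the NVA appliance trips the IDS every month and the alerts get ignored, or the whole internal range is whitelisted and the rogue-employee case the article warns about goes unseen. Exclude only the scanner's own address.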
Security Requires Regular Updates
Once you have your NVAs scheduled regularly and all of your known vulnerabilities corrected and your firewall properly configured and your IDS installed and updated regularly (whew!), you can turn your attention to some other practices.
Be Strict About Passwords
Have rules requiring a minimum length and a mix of numbers and letters in a valid password. Force password changes regularly (note that current guidance, NIST SP 800-63B, favors longer passphrases and screening against known-breached passwords over frequent forced rotation, so at a minimum force a change whenever a compromise is suspected). Never share any employee’s password with an outside vendor; give vendors their own accounts so their activity can be traced and revoked. Know where the administrative passwords for all systems are kept, make sure it is a safe place, and make sure more than one trusted person can get to it. What would happen if your system administrator were hit by a bus on the way to work?
Now that you have the hardware and the rules in place, all you need is training. The law is clear here, too. It says the dealer is responsible for “employee training and management.” Have a plan, know your plan and then train your people.
Complying with the law and securing your data doesn’t have to be an overwhelming task. You can get a firewall, an IDS and a vulnerability scanner separately, or you can install a single appliance that performs all three functions. Either way, start there and bring the network up to compliance.
Alan Andreu is president of Dealership Defense LLC. He began working in the retail automotive industry in 1983 as a finance director. For the past seven years, Alan has used his experience in the industry and his education in computer science to develop methods that support and provide security to dealership management systems for dealerships nationwide.