As F&I processes like econtracting, paperless deal jackets and electronic storage have become more prevalent, many dealers have been lulled into a false sense of security. They believe the digital processes that reduce paper eliminate risks of theft of customer and dealership financial information. Well, they’re mistaken.
Digital processes certainly offer many security hedges over paper-based ones, but as a recent Starbucks data hack confirms, the data they contain is still vulnerable. So let your next cup of coffee be a reminder that no enterprise is immune to thieves who want to steal your data to defraud your customers.
Size Doesn’t Matter
The message here is to take your dealership’s network and data security seriously. Dealers have been hearing increasingly loud drumbeats from those of us who help ensure compliance with regulations designed to protect consumers. Unfortunately, many of our clients associate data breaches with those experienced by companies such as Target and Sony. They don’t think cybercriminals are interested in the low-hanging fruit a typical dealership has to offer. This is a misconception that can be costly.
In fact, according to a recent Trustwave Global Security Report, 71% of security breaches target small businesses. During a panel discussion at the Online Trust Alliance’s Data Privacy and Protection Town Hall in February, FBI Special Agent George Schultzel revealed that, in up to 95% of the breaches the agency handles, the affected companies had “little to no security whatsoever.”
“Most of the bad guys are hitting targets out of convenience,” Agent Schultzel said. “So when they find someone who has some security, there’s always going to be one that doesn’t have any, and they’ll move on to that one.”
And the cost of a data breach? Most businesses breached have fewer than 100 employees. Yet 28,765 records are stolen, on average, per data breach, with an average cost of $188 per record stolen. That is a devastating figure for any small business.
Digital processes can help eliminate paper documents containing customers’ Social Security numbers, bank account numbers and other critical personal data. But if you’re heading in this direction at your store, realize that you’re also increasing the number of digital files and the amount of information on your systems, and they are no less vulnerable than paper records. In fact, they may even be more vulnerable.
Digital document processes capture and archive sensitive information found on service records, credit applications, deal sheets, photocopies of driver’s licenses and more. That data is then transferred through multiple departments and into storage. All that movement means the cyberthief does not need to enter the dealership to obtain electronic records.
Digitizing business documents saves time, reduces physical data storage needs and reduces materials costs. Dealers using digital repair order processes, for instance, say the time that service technicians save reviewing and processing digital repair orders and supporting files vs. paper versions makes them more productive. Making the switch also allows these operations to eliminate or redeploy recordkeeping staff. In theory, that means fewer prying eyes and fewer opportunities to capture valuable data from deal jackets, repair orders and other documents.
But hackers are increasingly creative in how they obtain consumer information, and dealerships offer them a deep pool of customer data. To appreciate your risk, think of all the units in operation your store can claim.
It is widely believed that the hackers who hit Starbucks this past May got in via its customers’ mobile devices and then reached their bank accounts when they used a payment app. Starbucks denies the mobile device connection, and others have attributed the problem to users’ weak passwords. Nevertheless, business was disrupted and customers were inconvenienced.
It’s doubtful we will forsake digital to return to paper and paper processing, but if either medium is not intentionally secured and protected, the dealership is at risk. A secure and routinely monitored, audited and upgraded IT compliance process is absolutely necessary.
Digital devices for engaging with customers and capturing signatures have proliferated, and using them is smooth and effortless, but they bring considerable security risks. The Wi-Fi offered for customer and employee use must be managed and protected, for example, and all digital data must be securely protected from access and use by unauthorized individuals.
But that’s only one of the many preventive measures dealerships must take to protect valuable data in the digital age. Here is a more comprehensive checklist that includes tips from companies such as IBM and Experian:
- Secure processes at the intersection of paper and digital mediums, such as scanners and smartphones that photograph documents and digital printers that output the hard copy.
- Improve device password and username sophistication. Create and enforce dealership policy for strong passwords and change them on a regular basis.
- Use antivirus and anti-malware software, but realize they alone will not thwart hackers who want your data.
- Use digital devices to capture driver’s licenses and other personal data you collect for test-drive purposes. Double-check scanners and printers to be sure paper versions are not left behind. Put the paper version in the paper deal jacket or scan and then destroy the paper document.
- Audit your credit and debit card nodes to ensure payment card industry (PCI) compliance.
- Secure your email servers. Remember the time hackers got into a Texas dealership’s email system and sent out two million spam emails per minute?
- Ensure the privacy and protection of the wireless networks you support. Provide a separate wireless system for consumer use. This will help protect dealership networks from virus infection or access through unauthorized devices.
- Partner with a compliance resource that can bring sophisticated and experienced dealership environment IT security solutions to your dealership’s wireless and wired networks. And make sure this resource consistently probes the network for weakness.
- Institute strict policies restricting the downloading of software and the use of flash drives.
- Restrict access to the network and do away with the centrally located computer with a password of “password.” Yes, I have seen this way too often.
- Finally, if you are econtracting, a firewall is not enough to get that electronic contract admitted in court. You will need to show the dealership has:
  - Security: The esignature system should have bank-level security protocols to ensure documents and audit records cannot be accessed by unauthorized parties.
  - Audit Logs: Audit logs are an important part of legal admissibility. They should be time-stamped, detailed and secured.
  - Authentication: The higher the level of authentication, the more likely the judge will admit the electronic contract into evidence.
If you have any question or doubt that your IT network is secure and protected from cybercrime, contact your compliance partner immediately. Digital F&I processes may reduce the expense of storing paper documents, but they are not immune to costly consumer data theft. Only timely, preventive action can save them and you from financial loss.
Terry Dortch is a former dealer and the president of Automotive Compliance Consultants.