Your dealership has likely spent millions of dollars and hundreds of hours building your database and related systems. But how much time have you devoted to ensuring that your most valuable asset – your data – is safe and secure?
If your answer is “not much” or “not enough” or “I’m not sure,” don’t worry, you are not alone.
For most of the dealers I know – and I know many – your favorite parts of the job are the active, tangible ones: selling cars, servicing vehicles, and just generally making sure that your business runs like a well-oiled machine.
Less exciting and less immediate, but just as important if not more so, is data security. You need to take this seriously, without feeling overwhelmed by it. Because once you understand how breaches occur, you can protect your business against them. Ignore them, however, and you could be putting your organization at risk.
That’s because your data is your business. Lose it, and you lose the ability to operate effectively.
Now, you probably think of yourself as being in the business of selling and servicing cars, and on the surface of things that’s true. But consider this: behind every sale, every service call, and every business decision you make is data.
Your dealership has amassed a mountain of information, from internal data such as payroll, accounting, inventory management, parts, and service records, to client relationship management tools and customer information, including credit applications, social security or social insurance numbers, financing terms and more.
Good data stewardship is essential to maintaining customer trust. The risks of shoddy security processes or a data breach are serious: scrutiny or fines by government regulators, legal action, major reputational damage.
So, while it may not be fun, it’s crucial to protect that goldmine of data that you have amassed, which includes a staggering amount of client personal and financial data. There are two main threats to the integrity of your system: technology and people, i.e. employees. You need to mitigate the risks posed by both to ensure your information security plan is effective. The best firewalls and technology will be worth nothing if your staff don’t know how to protect against potential security incursions. And the best policies and procedures in the industry are worth nothing if they are not clearly articulated and consistently enforced.
This may sound obvious, but it’s complicated by the way most dealerships operate. While your organizations regularly handle highly sensitive information, and lots of it, most are small- to medium-sized businesses, which means you lack a dedicated, in-house IT department to provide ongoing security oversight. Often this task falls to a tech-savvy staff member in addition to his or her primary duties. Odds are, whoever oversees data security at your dealership lacks the knowledge to stay on top of legislation, technology and trends to ensure that the sensitive information you hold is adequately protected.
Delegation of IT security is further complicated – and potentially compromised – because most dealerships use 10 or more unique systems. It is no small feat to stay abreast of the technology, never mind the latest and greatest security threats and the ever-present human factor.
Think about your own organization for a moment: How many systems do your various departments use? Who makes sure your policies and procedures are up-to-date? Who’s accountable when they are ignored or violated? Whose job is it to disable access when a staff member leaves your organization? How confident are you that former employees no longer have access? How often are staff required to change their passwords? How often are usernames and passwords shared among employees?
See what I mean?
Here are some simple ways to make sure your data-handling processes are secure.
Pick Your Partners Wisely
- Ask vendors and potential vendors about their data security and sharing policies. Where will your data be stored? On your network or the vendor’s servers?
- Read the fine print of your contract. And don’t be afraid to ask about anything you don’t understand.
- Take the time to understand how third-party vendors will integrate into your DMS. What can they access? Are they certified? If you’re not sure, check the DMS website, which will list certified partners.
- How do your vendors handle user access? Do they have automatic logoff? Automatic password resets based on time?
Know the Law
- Understand your duties as a dealer to protect your customers’ personal information. The Federal Trade Commission is a great place to start.
- Incorporate knowledge about when and how you can use data into your organization’s policies and procedures.
- Review your organization’s plan to protect itself from employee data breaches.
Manage User Access
Your vendor may have the best security going, but that won’t protect against breaches by staff and former employees. You need to:
- Ensure only current employees have access to your system.
- Create a process to block former employees once they leave your organization.
- Create a zero-tolerance policy for sharing sign-on credentials between staff members.
- Limit each employee’s access to only the information he or she needs for the job.
- Set up your system to prompt users for regular password resets.
- Remind employees that the customer is the dealership’s, not “theirs,” and the same is true for all client data.
Know Your Technologies
You should become very familiar with the technologies your teams use, so that you can:
- Create clear, strict rules and procedures around exporting data.
- Ensure your technologies are compliant with local and federal legislation. It will be you, not the vendor, who will be held liable if not.
Make it Everyone’s Business
Data security is as much about people as it is about technology, and untrained staff can inadvertently open you up to risk. Your dealership data security strategy must include your entire team, with clear policies and procedures for anyone who has access to your systems.
- Foster a culture of data security among your staff. That means it’s not just the management team that knows the risks of data insecurity and how to mitigate them. Train all employees on relevant legislation and on your organization’s policies and procedures.
- Train staff about potential hacking risks, and how to spot them, including suspicious emails, and links or downloads in messages from unknown senders. Develop protocols for reporting suspicious messages or requests.
- Restrict employees’ ability to download software, and limit the use of external devices such as USBs, disks, and drives.
Good data stewardship is an essential part of running your business. If you only do one thing today to make your dealership more secure, here’s an easy one: see who has access to your systems and disable former employees. Easy, right? What else are you going to do to protect your most valuable asset?
Bob Quirion has been in the automotive software industry for almost 30 years. CEO & founder of DealerMine CRM, he is a hands-on leader, involved with every aspect of his business. EMAIL: firstname.lastname@example.org.