IGNITE YOUR INFORMATION SECURITY PRACTICES.
By Steve Levine, Chief Legal and Compliance Officer of Ignite Consulting Partners, LLC, a provider of technology, process improvement and compliance advice to dealers.
Over the last year, the Federal Trade Commission has taken a renewed interest in how businesses protect customer information. It has even published a booklet, Start with Security: A Guide for Business, to help businesses formulate their own strategies, which can be found at FTC.gov. This is a great resource because the FTC has created a list of tips for businesses to follow based on the many cases it has pursued.
From talking to many independent dealers, though, it seems as if the message hasn’t been heard. Too many of you think that good information security is simply a matter of buying the right equipment, such as firewalls and virus protection. Guess again, because that’s just a start, and simple things like a stolen device, employee negligence, or falling for a phony email are just as likely as, if not more likely than, a cyber-attack to bring down your house of cards. It’s important to remember that protecting both your customers’ sensitive information and your sensitive business data is the job of every employee. Perform a self-audit of the following three areas to see where things stand:
Technology – Good news and Bad news.
Virtually every dealer is dependent on technology to run their business. The efficiencies and other benefits are just too great, but the bad news is that technology can also do harm unless a thoughtful approach to its use is taken. The first thing to do is check that you have an appropriately sophisticated firewall. This will help keep hackers and other bad guys out of your system. Next, give thought to whether or not wireless access is provided on the premises. A lot of dealerships provide it as a convenience to their customers and employees; however, outsiders can connect to your system, and that’s dangerous. If a stranger figures out a way in, they can obtain an address within the system and then have access to information. It’s a good idea to turn off wireless access outside of business hours and to audit how often it is accessed.
With more employees working from home, outside service providers like accountants looking for access, and even owners wanting easy access to reports at night and on weekends, remote access has become a big issue. Although expensive, a virtual private network (“VPN”) is the safest option. Spend the extra money and get that extra level of security.
Next, employees can carry your business in their pockets. It’s a good safety precaution to have tracking tools installed on mobile devices such as phones, laptops and tablets. These allow the device to be located when missing, and can also be used to remotely wipe data from the device should the need arise. Having that ability can save you sleepless nights in the event a device goes missing. It’s also important to look at your policy manual and see whether it addresses what type of information employees are allowed to store on a device. Does it address whether sensitive reports and data may be downloaded to a device that can be taken anywhere? Are all employees subject to the same policies, or are employees who have access to more sensitive information required to use additional encryption tools?
It’s also beneficial to examine policies and procedures related to employee use of email and software. There should be a prohibition against using shared logins. Each employee should have a unique username so that their activities can be identified and they can be held accountable. Frequently, employees share logins for convenience, especially if they do the same job or cover for one another due to vacations and other staffing needs. Make it your policy to have unique logins so that you have an audit trail of what actions were taken by each employee.
Do you have a password policy? I encourage use of an aggressive password policy that requires change on a regular basis, such as monthly or quarterly. Have your IT folks create robust password criteria that require symbols, numbers and letters and don’t allow the same password to be used repeatedly. Finally, have a policy that requires employees to lock their computers when they leave their desks and that mandates automatic screensavers after brief periods of inactivity, such as 5-10 minutes. A visitor to your location should never have access to sensitive information on a computer screen, or access to your network, because an employee failed to lock their computer.
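The password rules described above (letters, numbers and symbols; no repeated passwords; regular change) are only a policy until something enforces them. The following is an added example written for this article, not code from the author or from Ignite Consulting Partners, showing how such a policy can be enforced at the point where a password is set: complexity is checked, previous passwords are remembered only as salted PBKDF2 digests so the history itself holds nothing recoverable, and a maximum age flags accounts that are due for a change. The concrete thresholds (12 characters, 90-day rotation, 12 remembered passwords) and the sample account are assumptions chosen to match the advice in the text.

```python
"""Enforcing a written password policy in code: complexity rules, no reuse of
recent passwords, and a maximum password age.

Added illustration only. The rule values below (12 characters, 90-day
rotation, 12 remembered passwords) are assumptions chosen to reflect the
article's advice, not settings taken from any real dealer system."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class PasswordPolicy:
    min_length: int = 12          # assumption: minimum length
    max_age_days: int = 90        # "monthly or quarterly" rotation; 90 days assumed
    history_depth: int = 12       # how many previous passwords may not be reused


@dataclass
class Account:
    username: str
    # Salted PBKDF2 digests of previous passwords, oldest first. Only digests
    # are kept, so the history never stores a recoverable password.
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    changed_on: Optional[date] = None


def _digest(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked history is expensive to attack offline."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def complexity_problems(password: str, policy: PasswordPolicy) -> List[str]:
    """Return every rule the candidate password breaks (empty list = compliant)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    return problems


def reused(account: Account, password: str, policy: PasswordPolicy) -> bool:
    """True if the candidate matches any of the last `history_depth` passwords."""
    recent = account.history[-policy.history_depth:]
    return any(hmac.compare_digest(_digest(password, salt), digest)
               for salt, digest in recent)


def set_password(account: Account, password: str, policy: PasswordPolicy,
                 today: date) -> List[str]:
    """Apply the policy; on success record the new digest and return []."""
    problems = complexity_problems(password, policy)
    if reused(account, password, policy):
        problems.append("matches a recently used password")
    if problems:
        return problems
    salt = os.urandom(16)
    account.history.append((salt, _digest(password, salt)))
    account.changed_on = today
    return []


def is_expired(account: Account, policy: PasswordPolicy, today: date) -> bool:
    """A password older than max_age_days (or never set) must be changed."""
    if account.changed_on is None:
        return True
    return today - account.changed_on > timedelta(days=policy.max_age_days)


def demo() -> dict:
    """Walk one constructed sample account through the policy; return outcomes."""
    policy = PasswordPolicy()
    acct = Account("jdoe")          # constructed sample account, not a real user
    day0 = date(2024, 1, 15)
    return {
        "weak": set_password(acct, "password1", policy, day0),
        "good": set_password(acct, "Lot-B-Inventory-2024!", policy, day0),
        "reuse": set_password(acct, "Lot-B-Inventory-2024!", policy, day0),
        "fresh": is_expired(acct, policy, day0 + timedelta(days=30)),
        "stale": is_expired(acct, policy, day0 + timedelta(days=91)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the script shows the weak candidate rejected for two reasons at once, the compliant one accepted, the identical second attempt rejected as reuse, and the same account reported as expired once 91 days have passed. In a real deployment the same checks belong in the directory or identity system that actually stores credentials, so that no application can bypass them.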
Lastly, educate your employees about the practical dangers presented in today’s web-based environment. Many aren’t familiar with “phishing”, “spoofing”, and similar email attacks that can leave your entire network open to intrusion and viruses. Provide training materials so that employees are on the lookout for fictitious emails and false web addresses. Give them the tools they need to act as your front line of defense, then test them to make sure that they understand the information.
Facility Security – Does it allow access to sensitive information?
The layout of the dealership presents lots of ripe opportunities for the compromise of information. One of the most common mistakes is information being left open and available at the receptionist’s or other employees’ desks, where customers, vendors, or other invitees can catch a glimpse or do worse. Thought should be given to what type of information is handled by employees who interact directly with the public, since that increases the odds that visitors will be in proximity to documents they shouldn’t see. More importantly, every dealership should have a “clean desk” policy which prohibits sensitive information from being kept on a desk when left unattended. Make sure that employees have access to locked drawers and file cabinets in which to store papers when stepping away from the desk. Employees with offices should be able to lock up either their papers or their office.
Consider whether all employees have access to the entire facility, or whether access is restricted by job description so that employees aren’t free to enter areas where they have no reason to go. In a larger dealership that handles both front end sales and collections, for instance, the front end employees wouldn’t have much of a reason to have unfettered access to the collections department, nor would collections personnel have reason to freely walk through the accounting office. Those areas could be kept behind locked doors. In a smaller dealership, it may not be practical to restrict access, though, so it’s important to consider proper placement of personnel and the other measures discussed herein.
Next, what policies and procedures are in place to limit the access of third party vendors such as delivery personnel, repairmen, and other service providers? Are they required to physically sign in and out when they come and go? Are they escorted back to the work area and supervised, or are they left to wander around the facility? What kind of due diligence is done to investigate these vendors?
Know who you are doing business with and make sure that they have policies and procedures in place to hire trustworthy people before you let them into your business. Special attention should be given to cleaning crews and any other personnel who are given access to the facility after hours without supervision. For those sensitive positions, even more due diligence is appropriate, and it is not unreasonable to ask whether those employees are bonded and what type of insurance coverage is in place to protect the dealership in the event of wrongful conduct.
Don’t choose convenience over security. They are both important. Put copy machines, fax machines and scanners behind locked doors. Put good shredders next to every waste paper basket. Understand where various employees need to go within the dealership and where access should be limited to those with a specific purpose. These are simple steps that can eliminate problems.
Employees can be a Threat
Employees, through careless or negligent conduct or through intentional acts, are probably the biggest point of vulnerability for a dealership. Protect your business by conducting robust pre-employment screening to make sure your future employees are trustworthy. On the first day of work (or as soon as possible if never done before) have employees sign a Confidentiality Agreement that sets forth how they are to handle confidential information they come across as an employee and restricts their use of such information in any capacity. Test the employees at least annually on their confidentiality obligations and, upon separation, provide them with a copy of the signed Agreement and remind them of their obligations under it.
Make sure to have an Employee Handbook that has sections dealing with information security and the expectations being placed upon them. Have a one page summary for them to sign and put it in their personnel file. Have a strong training program that includes education on security concerns and then test every employee on those standards and document the results in personnel files. This should be done at least annually and preferably more often so that employees understand the seriousness of the issue.
“Hot button” issues that should be referenced in these training materials include:
What are the company policies regarding use of thumb drives, camera phones, and any other portable devices?
Are employees allowed to access the internet while at work and, if so, is access restricted to certain sites?
Are employees allowed to access their personal email accounts while at work? Are employees allowed to email company information to their personal email accounts?
Can employees download data, reports, or customer information to portable devices such as tablets and phones?
The possible topics are extensive and will vary greatly depending on the size and type of business of the dealership.
Dealerships are especially vulnerable to an information breach upon the separation of an employee. A good way to protect the business is to have a sophisticated separation process that is systematic, routine, and applied consistently no matter the job description. Critical items should include:
a list of all parties that should be notified of the employee’s departure;
list of all systems and programs to which employee has access;
list of company property in their possession;
disable system access and recover keys and badges;
delete or redirect accounts, including VPN, network, email, and voicemail; removal from distribution lists; and notify vendors and clients as appropriate.
I also think it’s a good practice to provide the exiting employee with a copy of the Confidentiality Agreement they signed during their employment and remind them of the serious consequences of any breach.
Learn about Cyber-Liability Insurance
Be proactive and ask your insurance professional about obtaining cyber liability insurance to protect you in the event of an unfortunate episode. This type of insurance can save your business! If there is a data breach, most dealers are not prepared to incur the significant costs that hit quickly, such as legal and forensic services to investigate the breach, regulatory compliance and notice to affected persons, customer credit monitoring, business interruption expenses, damage to your network and lost data, and a public relations campaign to control reputational damage. This type of insurance coverage is very valuable, and it’s important for business leaders to understand how it differs from regular errors and omissions coverage and how it can be tailored to fit a particular business.
Dealers can no longer lock up the gates at night and feel that their business is protected. It’s necessary to build controls for the facility, technology and the employees that work there. By attacking all three of these prongs highlighted in this article, a dealer can put itself in the best position to protect its information and that of its customers.