Many a dealer has had sleepless nights thinking about the security of his data. Running a dealership with a technologically current, efficient Dealer Management System (DMS) or Customer Relations Management (CRM) system while still protecting sensitive data can be quite a balancing act.
CDK’s recent announcement of their SecurityFirst initiative has once again focused dealers on their responsibilities and exposure when it comes to customer data.
The funding for SecurityFirst, of course, comes from increased fees. Dealers will pay indirectly as third party vendors pass along their increased cost. Certified vendors will pay a monthly fee to access the CDK DMS (as has been the case with Reynolds and Reynolds for years). The thinking is that, although it is common for data to be compromised by outside sources hacking through security, it is nearly as likely that an internal error by a dealership employee will cause a breach. The more the data is accessed by third parties connected to your dealership, the more likely that an error will expose sensitive data. CDK’s effort to control third party access by those not “certified” will affect the dealer’s bottom line, but it does establish an extra level of enhanced security. Additionally, CDK now offers a reporting tool called Dealer Data Exchange (DDX), which provides dealers with the ability to pull reports showing all data extractions by third parties.
Other than minimizing outside access to data, there are several other areas where dealers must be vigilant concerning data security:
- Controlled data circulation. Is anyone with access to your data selling it off to brokers and adding it to marketing lists? Though market research is vital and some data access comes along with it, a dealer and his customers should feel secure in the knowledge that any data moving back and forth between the dealership and its DMS, CRM, or other third party system is only being used for its intended purposes. Data is valuable and the sale of customer data should not be permitted to anyone without the dealer’s specific approval. Read all contracts. Require provisions that prevent dissemination of data.
- Data and password protection. Many businesses nationwide with otherwise-secure networks leave their wireless networks open or just use the hardware manufacturer’s default password. A secure and regularly-updated password is a simple way to reduce intrusion. Ensuring that the network is protected and that the data itself is encrypted should be high on the priority list for anyone entrusted with sensitive personal data. Ensure also that the operating system is current and supported. Windows XP, for example, is no longer supported by Microsoft and does not offer the same level of protection as newer Windows versions.
- IT policy and process. Just having stable equipment and current software will not always prevent a data security breach. The technology used to infiltrate data is advancing at the same rate as, if not faster than, the measures employed to protect it. By closely monitoring the system, however, a dealer can minimize the likelihood of a potential breach as well as be informed exactly when a breach takes place and what areas may have been compromised. As required by the Gramm-Leach-Bliley Act (GLBA) of 1999, dealers must have a thorough IT plan in place to protect against unintended distribution of non-public information (NPI), and a thorough monitoring process will go a long way in meeting that standard. Though it may be impossible to constantly monitor a system first hand, most dealers will choose professionals to do the monitoring (e.g. Helion or Nuspire).
- Physical hardware and equipment. The least labor-intensive way to help safeguard your sensitive data is to ensure that the right hardware and software are in place. A robust firewall is the right first step, but a Unified Threat Management (UTM) Device can be a better choice. A UTM will provide a comprehensive set of security features arrayed in a single device. The streamlined result is simple, although it can become an assailable intrusion point if the UTM itself is compromised. This is just another reminder that all enterprises looking into data security will have to approach the problem from multiple perspectives and remember that security is an ongoing process, not a single event. The recent Europay, Mastercard, and Visa (EMV) liability shift now demands proper equipment designed to read chip-enabled debit and credit cards. Reynolds and Reynolds (R&R) has introduced a system named ReyPay specifically to handle this change in transactional security.
- Internal training procedures. The biggest single threat to data security is human error or negligence. Equipment may fail. Certainly a malicious intruder may attack your fortified security. Just as likely as either of those two scenarios is the simple fact that greed, thoughtlessness, and laxity are endemic to the human condition. The following chart displays percentages provided by Symantec.
While countermeasures are available to diminish the likelihood of errors, the most important step for dealership leaders is to continually motivate, train and educate their staff on the importance of data security. In nearly every case, it isn’t an intentional act that leads to internal data mismanagement.
With these five areas of focus in mind, dealers will be one step ahead when determining their data security. This will not only create a safer relationship with clients, but will also help ensure the dealership is in compliance with OEM standards. The STAR Dealership Infrastructure Guidelines define the network and security prerequisites for most OEMs – Ford, GM, Toyota, Honda, etc. A good overview of those standards is here: STAR Dealership Infrastructure Guidelines.
Data security does not have to be a daunting task for dealers, but it must be addressed. Every day we as a society become more and more reliant on technology and are more linked in to the internet and cloud-based systems. Thousands of people’s personal information can be compromised, and, from a liability standpoint, millions of dollars could be spent in settlements. There is simply too much to lose.