Nearly every industry has fallen victim to online security issues at one time or another, including many automobile dealerships. Their databases are fertile ground for a hacker, chock full of customers’ personal and financial information. The importance of protecting this data cannot be overstated – and today’s blog offers tips from an industry expert to help keep it safe.
Tim Taylor is Owner of TaylorWorks, a Central Florida-based Managed IT Services and Support company whose clients include multiple automobile dealerships. We spoke to Tim about some of the most effective ways a dealership can protect one of its most important assets – the customer database.
What can a dealer do to protect himself from online security breaches?
As any dealer knows, their database would be a goldmine for hackers, so it’s very important that their networks are completely secure. They must have good firewalls and if they allow people to operate remotely, they should use VPN (Virtual Private Network) connections. Even if their network data is 100% online, hackers can still infiltrate one employee’s computer and get what they want.
If you have internal servers, they should always be backed up both locally and online (in the cloud) so if a ransomware situation occurs, it allows you to recover very quickly and not have to worry about paying the ransom. It is also vital that your backup system runs continuously. Here’s an example why this is true: if a hacker strikes at 4:00 in the afternoon and the best thing you can do is recover everything from the previous day, that’s obviously not good for the dealership because you risk losing everything you keyed in during the present day.
You simply shouldn’t take chances. You never think it is going to happen to you … until it does. A lot of businesses today – ours included – require a second authentication to log on to their computers. This is called two-factor authentication. In addition to the user name and password, the employee also validates their identity from their phone. This is an inexpensive – but very smart – extra layer of protection, because it helps keep unwanted people from gaining access to your vital information.
As you mentioned earlier, each individual computer at a dealership can be hacked. Is there anything that can be done to help make them less vulnerable?
One very important thing is making sure all your machines are continuously updated. I’m talking about simple Microsoft Windows updates. If this doesn’t happen, there is a much bigger chance that information can get compromised. Microsoft creates a lot of patches to stop things like this but if they’re not installed on the computers it doesn’t do any good. You need software on your PCs that can give you reports regarding each machine getting updated on a regular basis. A Managed Service provider can provide this.
The dealerships that take the necessary steps to keep up with these things are the ones who don’t have big problems. The ones who try to save a little money or don’t pay enough attention to it are the ones who often end up with their systems infected, compromised or ransomed. And here’s the thing: it costs a lot more to correct a big problem like this than it would have ever cost to prevent it in the first place when you consider the downtime, the loss of productivity and any ransom you might have to pay … not to mention possible sales lost while you are down! And these days, hackers often base ransom amounts on what they think you can afford to pay, not just a predetermined sum of money – so the amounts they demand can be quite high.
How should a dealership handle online “phishers” – people using fake correspondence to obtain financial or other confidential information from Internet users?
Dealerships manage large amounts of money and sometimes wire transfer big sums online. So it only makes sense to train all your employees – especially those who handle money in any way – to be especially careful. We actually have a service where we send out “dummy emails” to our clients’ employees purporting to be from Microsoft, FedEx or another company the employee would consider legitimate. In these emails, we ask employees to verify their ID, password and other information. It’s all very official-looking but of course, not real. We then go back to the client and tell them which employees fell for the dummy emails and gave out their information. This type of ongoing staff training is very important so your employees know to be on alert at all times.
Transferring money should involve a multi-level approval process and even a call before the transfer is ever actually made – because once money has been intercepted by a phisher you’re not going to get it back.