While I was at NADA this year, I ran into a dealer who told me that he had recently discovered something very upsetting. An ex-salesperson who went to work for the competition had been logging into the dealer's CRM and stealing leads, which the salesperson then proceeded to enter into the CRM at his current workplace. Apparently this had been going on, undetected, for months.
How can this happen, you wonder? Unfortunately for dealers, it's pretty easy.
I wrote recently about how most dealerships don't have an established process to delete user accounts when employees leave. A simple checklist is all it takes.
But there's another very common practice in dealerships that makes it easy for ex-employees to continue logging in. That practice is shared accounts.
Sometimes, for the convenience of having employees being able to shift back and forth between different computers, or to save money, dealerships establish shared accounts. For instance, a sales department with five salespeople may have three CRM accounts with logins that look something like this:
Okay, so anyone who knows anything about cybersecurity takes one look at those login credentials and breaks out into a cold sweat. Actually, there are quite a few things wrong with those login credentials.
But the biggest security risk is that everyone knows what the logins are, including all your ex-salespeople.
If your dealership's DMS, CRM or other applications are cloud-based, those databases can be accessed from any computer, anywhere, as long as the person is using the right login credentials. Ex salespeople could be stealing your leads. So could ex service managers.
As upsetting as this is, what you may not realize is that if this is happening, stolen leads are the least of your concerns. Your dealership is legally responsible for protecting your customers' personal information. If your database is breached, your dealership could be liable for all the costs involved. At about $30 per customer record, this could add up to millions of dollars.
Another problem with shared accounts is that it muddles the audit trail. When your database is breached one of the first things the FBI does is audit your logins. You should always be able to tell who specifically logged into what, where and when. With shared accounts this is a problem, which means that nice FBI agent will probably become upset. In my experience, it's best not to upset FBI agents more than is necessary.
Shared accounts are a bad idea, all around. Assign every employee a unique username and establish a process to delete all user accounts after your employees leave. This will help keep your leads and your customers' personal information safe from prying eyes.