Erik Nachbahr, CISSP, President

Not Ready for the CCPA? Take These Steps Before January.

By now California dealers are aware of the California Consumer Privacy Act (CCPA), which takes effect in January 2020. This law requires businesses to take “reasonable measures” to secure consumers' personally identifiable information (PII), such as names, addresses, Social Security numbers, credit card numbers, credit scores and bank account numbers.

The California Attorney General defines “reasonable measures” as compliance with the 20 controls established by the Center for Internet Security (CIS). The amount of work required to get a typical dealership compliant is more than 1,200 hours and approximately six months, so if your dealership hasn’t started, you’re unlikely to be compliant by the January deadline.

However, there are steps you can take to demonstrate that you’re working towards compliance, should you need to do so for legal reasons. The first step is to order a gap analysis.

Gap Analysis/Risk Assessment

A gap analysis from a qualified vendor will determine the current state of your IT infrastructure and where it falls short of CCPA requirements.

This process involves security experts who will inventory and assess all of your dealership’s hardware, software and network equipment to find areas of vulnerability.

Upon completion of this step, you’ll receive a remediation plan that identifies the gaps between where your dealership’s IT is now and the CIS Controls’ best practices. The remediation plan is essentially a list of recommendations that may include new hardware, software, policies, procedures and processes.

Depending on the current state of your IT, it’s possible that no new hardware, policies or procedures are needed. In most cases, however, some updates will be necessary.

Since the CCPA wasn’t just written for dealerships, remediation steps won’t be required for all 20 CIS Controls. For example, CIS Control 18 relates to software development best practices, which don’t apply to most dealerships. As for the other controls, it’s important to know there’s some leeway in the interpretation of the CCPA’s “reasonable measures.” What’s reasonable for an auto dealership might not be reasonable for another type of business, and vice versa. This is why it’s important to hire security experts with knowledge of both the CCPA requirements and of the car business.

Once your gap analysis and remediation plan are complete, it’s time to start working on the controls. If you’re starting late, a reasonable goal is to complete the first five CIS Controls:

Step 1: Inventory and Control of Hardware Assets

This control requires businesses to inventory, track and manage all hardware devices that connect to the network, so that only authorized devices are given access.

Step 2: Inventory and Control of Software Assets

This control requires businesses to inventory, track and manage all software on the network so that only authorized software is installed. Additionally, you’re required to maintain an up-to-date list of all authorized software that includes the name, version and install date. You must also install and use a whitelisting tool to ensure that only authorized software can execute.

Step 3: Continuous Vulnerability Management

Information technology (IT) isn’t static. The CCPA requires that all businesses continuously acquire, assess and take action on new information in order to identify vulnerabilities and minimize opportunities for cybercriminals.

Step 4: Controlled Use of Administrative Privileges

To prevent hackers from gaining access to your system, the CCPA requires the use of tools designed to ensure that only authorized individuals have privileges. Additionally, multi-factor authentication and encrypted channels for all administrative account access are required.

Step 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

The default configurations on new hardware devices and software are geared towards ease of deployment, not for security. But many businesses never change these configurations, making it easy for cybercriminals to gain access to your system.

The CCPA requires businesses to develop secure configuration settings using configuration management tools. Once configured, these settings need to be continually monitored to prevent security decay as new vulnerabilities are reported.
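Steps 1, 2 and 5 share one pattern: keep an authorized baseline, compare what is actually observed on the network against it, and treat every difference as a finding to remediate. The script below is an added illustration of that pattern and is not code from the original post or from any vendor; every inventory, DHCP lease, installed-software list and configuration value in it is constructed sample data, and the setting names in the baseline are hypothetical.

```python
"""Reconcile observed hardware, software and configuration against an
authorized baseline, in the spirit of CIS Controls 1, 2 and 5.

All inventories and observations below are constructed sample data,
not from any real dealership network."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    control: str   # which CIS control the finding relates to
    asset: str     # device hostname as reported
    detail: str


# --- Control 1: authorized hardware, keyed by MAC address (constructed) ---
AUTHORIZED_HARDWARE = {
    "00:11:22:33:44:01": {"hostname": "fi-desk-01", "owner": "Finance"},
    "00:11:22:33:44:02": {"hostname": "svc-laptop-03", "owner": "Service"},
    "00:11:22:33:44:03": {"hostname": "dms-srv-01", "owner": "IT"},
}

# --- Control 2: authorized software with name, permitted versions and
#     install date, as the post requires (constructed) ---
AUTHORIZED_SOFTWARE = {
    "DealerDMS Client": {"versions": {"7.2", "7.3"}, "install_date": date(2019, 6, 1)},
    "PDF Reader": {"versions": {"2019.012"}, "install_date": date(2019, 8, 14)},
}

# --- Control 5: secure configuration baseline; setting names are hypothetical ---
SECURE_BASELINE = {
    "screen_lock_minutes": 10,
    "local_admin_enabled": False,
    "smbv1_enabled": False,
    "remote_desktop_mfa": True,
}


def check_hardware(dhcp_leases):
    """Flag any device that obtained a lease but is not in the authorized list."""
    findings = []
    for lease in dhcp_leases:
        mac = lease["mac"].lower()
        if mac not in AUTHORIZED_HARDWARE:
            findings.append(Finding("CIS 1", lease["hostname"],
                                    f"unauthorized device at {lease['ip']} ({mac})"))
    return findings


def check_software(hostname, installed):
    """Flag software not on the authorized list, or at a version not permitted."""
    findings = []
    for name, version in installed:
        entry = AUTHORIZED_SOFTWARE.get(name)
        if entry is None:
            findings.append(Finding("CIS 2", hostname, f"unauthorized software: {name} {version}"))
        elif version not in entry["versions"]:
            findings.append(Finding("CIS 2", hostname, f"{name} {version} is not a permitted version"))
    return findings


def check_configuration(hostname, observed):
    """Flag settings that drifted from the baseline or were not reported at all."""
    findings = []
    for setting, required in SECURE_BASELINE.items():
        if setting not in observed:
            findings.append(Finding("CIS 5", hostname, f"{setting} not reported"))
        elif observed[setting] != required:
            findings.append(Finding("CIS 5", hostname,
                                    f"{setting}={observed[setting]!r}, baseline requires {required!r}"))
    return findings


def run_assessment():
    """Run all three checks over constructed observations and return the findings."""
    leases = [  # constructed DHCP lease export: one known desktop, one unknown phone
        {"mac": "00:11:22:33:44:01", "ip": "10.0.5.21", "hostname": "fi-desk-01"},
        {"mac": "AA:BB:CC:DD:EE:FF", "ip": "10.0.5.77", "hostname": "android-9f3c"},
    ]
    # constructed software inventory from fi-desk-01: one old version, one unapproved tool
    installed = [("DealerDMS Client", "7.3"), ("PDF Reader", "2018.001"), ("TorrentTool", "1.0")]
    # constructed configuration readout: two drifted settings, one never reported
    observed_cfg = {"screen_lock_minutes": 30, "local_admin_enabled": False, "smbv1_enabled": True}
    findings = check_hardware(leases)
    findings += check_software("fi-desk-01", installed)
    findings += check_configuration("fi-desk-01", observed_cfg)
    return findings


if __name__ == "__main__":
    for f in run_assessment():
        print(f"[{f.control}] {f.asset}: {f.detail}")
```

In practice the three observation sources would come from your DHCP server or switch tables, an endpoint agent's installed-software export, and your configuration management tool; the reconciliation logic stays the same, and the findings list is what feeds the remediation plan and the evidence that the controls are being worked on continuously.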

These five controls are only a fraction of what needs to be done to protect your customer data, but the good news is they can be accomplished relatively quickly so that you can demonstrate your dealership is making the effort to become compliant.
