Erik Nachbahr, CISSP

Company: Helion Automotive Technologies

Erik Nachbahr, CISSP Blog
Total Posts: 94    


Jan 1, 2020

What Dealers Can Do to Protect themselves from Ransomware [VIDEO]

Erik Nachbahr shares steps dealers can take to protect their dealerships from ransomware.

Erik Nachbahr, CISSP

Helion Automotive Technologies

President

292

No Comments


Dec 12, 2019

Why Your Dealership Needs a Human Firewall [VIDEO]

Erik Nachbahr shares the leading cause of customer data breaches at dealerships and how this can be prevented.



Dec 12, 2019

Federal Consumer Data Privacy Act in the Works

Do you think that compliance with the proposed FTC Safeguards Rule, the California Consumer Privacy Act (CCPA) or New York’s SHIELD Act puts an onerous burden on dealers? To put it mildly, you ain’t seen nothin’ yet.

Congress recently introduced The Online Privacy Act, new legislation that establishes a “privacy bill of rights” for consumers and is similar in language to Europe’s General Data Protection Regulation (GDPR).

The motivation behind the new bill is that data-collection and data-sharing industries make billions annually from selling Americans’ personal information and that privacy for online consumers is nearly non-existent.

The new law targets tech companies in particular, but applies to every business that collects, stores and sells consumers’ personally identifiable information (PII). This includes auto dealerships.

If passed, The Online Privacy Act would be even tougher than California’s CCPA, which goes into effect in January 2020.

In a nutshell The Online Privacy Act would:

Create user rights

The bill grants every American the right to access, correct or delete their data. It also creates a right to impermanence, which lets customers decide how long companies can keep their data.

Establish a Digital Privacy Agency (DPA)

Currently the Federal Trade Commission broadly regulates privacy, but only employs a few dozen people who are dedicated to enforcing violations. The Online Privacy Act establishes a new federal agency of 1,600 officials who would be empowered to issue new regulations and enforce the new privacy law. As written, the DPA would be about the same size as the Federal Communications Commission (FCC).

Define how companies may use, and not use, customer data

If this legislation is passed, auto dealerships will be required to be transparent about what they do with customers’ data. Auto dealers could not disclose, share or sell user data without receiving explicit consent from customers. The bill also requires companies to minimize the amount of data they collect, process and maintain, and bars companies from using data in discriminatory ways.

Additionally, The Online Privacy Act forbids using private communications, such as email, to target customers with ads.

If your dealership experiences a data breach that exposes your customers’ personal data, you would have 72 hours to alert both your customers and the DPA.

Strengthen enforcement

If your dealership violates any of the rules laid out in the Online Privacy Act, or any of the new regulations created by the DPA, you could be fined as much as $42,530 per incident. The bill would also allow state attorneys general to bring civil actions, and consumers to bring civil suits, against your dealership for non-compliance.

Whether The Online Privacy Act passes into law remains to be seen. Currently there is some debate over details like whether the bill should pre-empt states’ laws or whether individuals should be allowed to sue companies for violations.

However, the legislation has bipartisan support, and both Democrats and Trump have stated they want a consumer data privacy law.


1 Comment

Greg Wells

AllCall Multi-Channel BDC

Dec 12, 2019  

Eric,

This is a serious topic. Thanks for sharing. Hopefully the NADA and OEMs will educate all the dealers. This is way off the radar for many dealerships.


Nov 11, 2019

The Two Major Causes of Technology Outages at Dealerships [VIDEO]

Erik Nachbahr shares the two major causes of outages that can disrupt a dealership's operations and how to avoid them. 



Nov 11, 2019

Not Ready for the CCPA? Take These Steps Before January.

By now California dealers are aware of the California Consumer Privacy Act (CCPA), which takes effect in January 2020. This law requires businesses to take “reasonable measures” to secure consumers’ personally identifiable information (PII), such as names, addresses, social security numbers, credit card numbers, credit scores and bank account numbers.

The California Attorney General defines “reasonable measures" as compliance with 20 controls established by the Center for Internet Security (CIS). The amount of work required to get a typical dealership compliant is more than 1,200 hours and approximately six months, so if your dealership hasn’t started you’re unlikely to be compliant by the January deadline.

However, there are steps you can take to demonstrate that you’re working towards compliance, if you should need to do so for legal reasons. The first step is to order a GAP analysis.

GAP Analysis/Risk Assessment

A GAP analysis from a qualified vendor will determine the current state of your IT infrastructure, and where it falls short of CCPA requirements.

This process involves security experts who will inventory and assess all of your dealership’s hardware, software and network equipment to find areas of vulnerability.

Upon completion of this step, you’ll receive a remediation plan that identifies the gaps between where your dealership’s IT is now compared with the CIS Controls’ best practices. The remediation plan is basically a list of recommendations that include new hardware, software, policies, procedures and processes.

Depending on the current state of your IT, it’s possible that no new hardware, policies or procedures are needed. In most cases, however, some updates will be necessary.

Since the CCPA wasn’t just written for dealerships, remediation steps won’t be required for all 20 CIS Controls. For example, CIS Control 18 relates to software development best practices, which don’t apply to most dealerships. As for the other controls, it’s important to know there’s some leeway in the interpretation of the CCPA’s “reasonable measures.” What’s reasonable for an auto dealership might not be reasonable for another type of business, and vice versa. This is why it’s important to hire security experts with knowledge of both the CCPA requirements and of the car business.

Once your GAP Analysis and remediation plan are complete, it’s time to start working on the controls. If you’re starting late, a reasonable goal is to complete the first five CIS controls:

Step 1: Inventory and Control of Hardware Assets

This control requires businesses to inventory, track and manage all hardware devices that connect to your network so that only authorized devices are given access.

Step 2: Inventory and Control of Software Assets

This control requires businesses to inventory, track and manage all software on the network so that only authorized software is installed. Additionally, you’re required to maintain an up-to-date list of all authorized software that includes the name, version and install date. Also, install and use a whitelisting tool to ensure that only authorized software can execute.

Step 3: Continuous Vulnerability Management

Information technology (IT) isn’t static. The CCPA requires that all businesses continuously acquire, assess and take action on new information in order to identify vulnerabilities and minimize opportunities for cybercriminals.

Step 4: Controlled Use of Administrative Privileges

To prevent hackers from gaining access to your system, the CCPA requires the use of tools designed to ensure that only authorized individuals have privileges. Additionally, multi-factor authentication and encrypted channels for all administrative account access are required.

Step 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

The default configurations on new hardware devices and software are geared towards ease of deployment, not for security. But many businesses never change these configurations, making it easy for cybercriminals to gain access to your system.

The CCPA requires businesses to develop secure configuration settings using configuration management tools. Once configured, these settings need to be continually monitored to prevent security decay as new vulnerabilities are reported.

These five controls are only a fraction of what needs to be done to protect your customer data, but the good news is they can be accomplished relatively quickly so that you can demonstrate your dealership is making the effort to become compliant.



Oct 10, 2019

Why Dealers Should Be Thinking About Wi-Fi [VIDEO]

Erik Nachbahr shares why dealers need to be mindful of their Wi-Fi service in order to manage it properly in this video blog.



Oct 10, 2019

Who are Cybercriminals?

Remember the movie “War Games”? A teenager hacked into a computer and unwittingly almost started a nuclear war. In the late 60s, a famous phone phreak dubbed “Captain Crunch” figured out a way to make long-distance phone calls for free using a toy whistle from a box of Cap’n Crunch cereal.

These examples established an early perception of “hackers” as lone wolves: teenagers in basements, social misfits out for revenge or bored college kids pulling pranks. Their intent was relatively harmless, and they eventually got caught and had to pay consequences.

Unfortunately, this perception still exists today and is one reason why many businesses don’t take the threat of cyberattacks seriously.

To understand how serious the threat of a cyberattack is, you need to understand who’s behind the threat and what their motivations are.

Cybercrime is the world’s fastest growing criminal industry. By 2021, cybercrime will cost the world $6 trillion annually. This is the greatest wealth transfer in history, far more profitable than the entire global trade of illegal drugs.

The motivation for most cybercriminals is money, pure and simple. Cybercrimes are designed to steal money and data that can be sold for money. Once stolen, consumers’ personally identifiable information (PII) is typically sold on the dark web, purchased by other criminals with plans to exploit that information.

Most “hackers” today are employees of large multi-national crime organizations, some of which are state-sponsored. Around the world, smart and tech-savvy people are being lured by the promise of huge salaries. Entry-level cybercriminals make about $40,000 per year (which is an excellent salary in many countries). But the real payoff comes with experience, with seasoned cybercriminals raking in $1 million to $2 million per year.

These cybercrime organizations and their employees find safe haven in countries that don’t have extradition agreements with the U.S. China and Russia are the two biggest offenders, followed by Iran and North Korea. However, cybercriminals reside in many countries, including the U.K., Germany, Australia, Japan, South Korea, Ukraine, Israel, France and even the U.S. itself.

U.S. Companies Targeted

Who do these cybercriminals like to attack? Companies in the U.S. are the most targeted, followed by companies in China, India and Europe.

Most of the news-worthy attacks we hear about on the news happen to large organizations, such as government agencies, or healthcare, retail, tech and financial institutions.

But that doesn’t mean that auto dealers aren’t at risk. In fact, 43% of cyberattacks target small businesses with fewer than 250 employees. In particular, companies with antiquated information technology (IT) infrastructures are easy to exploit, and Windows is the most targeted platform.

Does this profile sound familiar to you?

In most dealerships I have seen the IT networks are outdated, with some running the same setup and technology they had five years ago. Many dealers have not made significant upgrades in 10 years. They also trust the management of IT to people who aren’t qualified—in fact, only a third of dealerships employ a network engineer with computer security certifications and training.

Additionally, I have seen many dealerships still running the Windows 7 operating system on computers that are 4 or 5 years old. As of January 2020, Windows 7 will no longer be supported with updates by Microsoft. If you’re still running Windows 7 in January, your dealership will be highly vulnerable to a cyberattack.

It’s nearly 100% certain that cybercrime syndicates already have a plan in place to exploit organizations that haven’t yet upgraded to Windows 10 when January rolls around. Thousands if not hundreds of thousands of cybercriminals around the world are waiting for this opportunity.

Unfortunately, the problem of cybercrime is only going to get worse and it may never get better. This could be the new normal. Thousands of extremely smart people spend every minute of every day dreaming up new ways to steal your money.

The malware threat is now migrating from PCs and laptops to smartphones and mobile devices. Experts worry that in the near future, cybercrime could take an even darker turn. Got a pacemaker? It could feasibly be switched off by a cybercriminal in another country, unless you send bitcoins.

Connected cars also make us vulnerable to what could be an entirely new form of terrorist attack: causing random cars to crash.

But why worry about things you can’t control? There’s plenty that you can control, starting with taking the threat of a cyberattack seriously, and creating a plan to prevent it.



Sep 9, 2019

The Importance of a Centrally Managed Update System [VIDEO]

In this video blog, Erik Nachbahr explains how software updates can wreak havoc on a dealership's operation and why having a centrally managed update system is vital to avoid that disruption. 



Sep 9, 2019

How to Build a Human Firewall

Cyberattacks are on the rise. In the first six months of 2019, the number of data breaches increased by 54% compared to the same period last year. As of July, more than 4.1 billion customer records have been exposed in approximately 3,800 publicly disclosed data breaches. If your dealership hasn’t already been targeted, chances are it will be. What can you do to prevent such attacks?

I’ve written previously about how a layered defense is the best approach. This includes:

Policies, procedures and awareness

Physical security: locks on server rooms

Perimeter security: networks

Host security: computers and servers

Application security

Data security

Cyber liability insurance

Human Firewall

In this blog, I’d like to talk about the last line of defense—the Human Firewall. Its importance cannot be overstated. Your dealership can have an impenetrable technology defense, but your employees are the weak link, and cybercriminals know it.

Most attacks these days don’t even target computer systems; they target employees. In fact, 91% of successful cyberattacks start with a phishing email. Of the 100+ billion spam emails sent out by cybercriminals every day, it’s estimated that one in 200 make it through spam filters and into email inboxes. That’s approximately 11,500,000 spam emails per day.

To ensure that your employees don’t click on these emails, or fall for other scams, you need to build a human firewall. Here are tips to include in your cybersecurity policy.

Provide Security Awareness Training

In states that have passed consumer privacy laws (such as California, New York and Ohio), this is now a legal requirement. Businesses subject to these laws must provide training to their employees.

In a security awareness training program, baseline testing is first used to assess the percentage of employees in your company that click on phishing links. Then, those employees are enrolled into an online training program. Once enrolled, employees are educated with videos, interactive games and training modules. Monthly phishing tests and benchmark reports allow you to gauge progress.

The training teaches employees how to spot suspicious emails, as well as best practices such as not downloading attachments or clicking links in emails, even if sent from a known source, without first verifying the email is legitimate.

The good news is, security awareness training programs are inexpensive and deliver a high ROI. Prior to security awareness training, in an average business 27% of employees open phishing emails. After 90 days of training, the risk drops to 13% and after one year of training, the risk drops to 2%.

Require Password Changes

Employees should create secure passwords for the applications they use and change them every 90 days. Never use the same password for more than one application, and never share or give login ID or password information to anyone. A password manager can help.

Prohibit Visiting Personal Websites at Work

Your corporate security policy should not allow employees to visit social media sites, online shopping or gaming sites at work. This isn’t about forcing employees to be more productive or spying on them; it's about your network security and financial health. Many phishing scams include links to fake websites, and many social media posts will lead unsuspecting individuals to similar sites. Viruses and malware are often disguised in ‘free’ applications or products for download.

Don’t Allow Personal Devices

If your employees are using their personal laptops and/or cellphones at work, that’s trouble waiting to happen. Unprotected mobile apps and web applications are highly vulnerable to cyberattacks. When plugged into your network, these devices can easily spread viruses and malware.

Require Verbal Verification for All Wire Transfers

It’s OK to email wiring instructions, but every wire transfer should require verbal verification over the phone before the money is sent. It’s a common practice now for cybercriminals to pose as a dealer principal, GM, Controller, salesperson or other managers, and send emails to accounting staff with instructions to wire money into an account. I know of several dealerships that have lost a lot of money this way and once the money is wired, there is no way to get it back. In every scenario we’ve seen, a conversation would have immediately thwarted the attack.

Your employees are the last line of defense protecting your dealership from the increasing threat of cyberattacks. To keep your data, bank accounts and reputation safe, build a human firewall with employee training and new cybersecurity policies.



Aug 8, 2019

How Turnover Can Cost You Sales [VIDEO]

In this video blog, Erik Nachbahr shares how employee turnover, if not handled correctly on the IT side, can cost a dealer sales.
