Lisa Plaggemier

Company: CDK Global

Lisa Plaggemier Blog
Total Posts: 6

Lisa Plaggemier

CDK Global

Jul 7, 2017

Four Keys to Protecting Your Business from Risk

You’ve built a successful business. Now how do you get your employees to care as much about protecting it as you do?

People are your greatest asset, but some days they can feel like your greatest liability. Humans are fallible, and even the best ones make mistakes. There are only a few bad apples out there that come to work to do harm, not good. So how do you keep well-intentioned people from making mistakes, and let the potential rogue employee know you are not going to let them get away with damaging what you’ve built?

The key is the culture you foster in your business. Company culture sounds like a touchy-feely thing that you can’t control, but more of it rests with you and your leadership than you might realize. As Peter Drucker said, “Culture eats strategy for breakfast.” It’s a powerful tool in running your organization successfully.

Before you can start building a culture that values securing your business and avoiding risky business, you need a foundation to build on. These are the first steps. (Part Two, Building a Culture of Security, my next post, is coming soon!)

1. Open and Honest Accountability

Holding people accountable for their actions doesn’t have to be punitive, but if you don’t have accountability, you will have a culture of chaos. It also doesn’t mean you fire everyone who makes a mistake; otherwise your employees will simply hide their mistakes. Foster an atmosphere where people own their “stuff” and everyone learns from mistakes. You still want people to take risks and innovate, but when people don’t follow company policy or process, put the company at risk, or just make a bad business decision, you need to acknowledge it and respond appropriately. In my line of work, that could be anything from a friendly “oops!” message to an employee who clicks on a phishing email, to a disciplinary conversation with an employee who breaks a security policy. And when incidents bring insights, share them generously with others as a “teaching moment.” Your goal is not to embarrass those involved but instead to reframe their mistakes in order to help others learn and avoid the same pitfalls in the future.

2. Just Enough Policy

Do you have written company policies that your employees must acknowledge every year?

Create policies that cover the basics like how we all treat each other (policies regarding discrimination, harassment, etc), how we all behave (ethics, code of conduct, anti-bribery, corruption, workplace violence, etc.), how we remain in compliance (legal, regulatory, and contractual) and how we maintain security (data privacy and security, password practices, network security, access controls, etc.). Take advantage of resources that can help guide your policy creation, like NADA, the FTC, your insurance company, and of course your legal counsel.

3. Just Enough Process

While you don’t want to stifle innovation, a culture without some process is one of organizational immaturity. Errors become commonplace, and even worse, breed inefficiency. Document your processes so that everyone knows “how we do things around here.” Once you’ve documented your processes, it makes it much easier to teach others through training, and more importantly, without it, you can’t do No. 1 – hold people accountable. In the world of security, process includes things like having every potential new vendor complete a security assessment as a part of your procurement process, doing background checks on job applicants, or having a system to track software licenses in use at your company.

4. Influence Human Behavior

Your policies and processes may be complete, but how well do people’s behaviors reflect what is in them? Reading a policy or a process does not mean people change their behavior. It’s essential to continually reinforce the desired human behavior through incentives, disincentives and marketing. The first two – rewarding desired behaviors and creating negative consequences for undesirable behaviors – are pretty straightforward and can be reinforced by pay plans and HR. The third – marketing – is a lot more fun. Security can be a dry topic, so if you can make the topic engaging, you’re more likely to create the desired behaviors. Marketing security messages is no easy feat – stay tuned for my next blog that will dig more into this topic, and even make it fun.

Start with these foundational steps, and watch for my next post, “How to Get People to Care About Security As Much As You Do.”

Lisa Plaggemier

CDK Global

Director, Business Security Office

I have a lifelong passion for the auto industry and fervor for security awareness. I help CDK Global, our clients and our partners manage their risk and help them grow their business safely and securely.


No Comments

Lisa Plaggemier

CDK Global

May 5, 2017

April Showers Bring May Floods

What Does Business Continuity Mean for Your Dealership?

It’s Business Continuity Awareness Week – an obscure fact known only to those who spend most of their time planning for things that we hope will never happen: a flood, fire, hurricane, tornado – heck, even an act of war or civil unrest. These folks thrive on scary weather forecasts and what, for the rest of us, look like doomsday plans.

CDK Global and many large companies are fortunate to have people dedicated to planning for the “what if,” but smaller businesses like some dealerships may not have that luxury. So how do you make business continuity work for you? Some dealers hire professionals, but not everyone has the resources.

Here are the basics to consider:

Identify Risks

The first step is to consider what potential crises could throw your business, your employees, and potentially your customers into chaos. Is your business, or the homes of many of your employees for that matter, located in an area prone to flooding, hurricanes, tornadoes, or other natural disasters? Maybe you’re located near a military base; could a major military deployment take the vast majority of your customers out of the market for months? How would you cope with that? Listing these risks can be easier if you think of them in these categories:

Malicious: These types of disasters are related to criminal activity seeking to bring harm to your business. For example: your office manager clicked on a phishing email and keylogging malware captured her user ID and password to your bank account. Now an Eastern European organized crime ring has wiped out your bank account.

Natural disasters: These are naturally occurring disasters like floods, blizzards, ice storms, hurricanes or earthquakes.

Technical issues: These types of incidents are often caused by loss of service from a technology provider or a hardware or software failure.

Human resource issues: Think about these issues as they relate to your staff. What would happen if the next flu outbreak caused half of your employees to be out sick?

Geographic factors: Think of issues that might stem from your location; for example, a construction project that temporarily blocks access to your dealership.

Geopolitical factors: Think about how political factors could affect your dealership. If a large portion of your customers are in the military, how might you plan for deployments?

Once you’ve got the list, ask yourself how probable each potential issue might be and how severe the potential impact could be on your dealership. Answering those two questions will help you assess the risk and prioritize.

Business Impact Analysis

Next, determine which mission-critical business processes need to be in place in order for you to continue to function following a disruption. Think about which processes need to be functioning at minimum for you to continue selling and servicing vehicles. What core IT applications need to be functional for you to maintain those processes? Do you have manual processes that would allow you to continue operations? What about physical infrastructure and resources? If your facility is under a few feet of water, can you set up and operate remotely for a time?

In addition to identifying your key functions, you should also estimate what losses you could incur from a business interruption.

Incident Management Plan

Lastly, develop a plan that establishes who is responsible for taking action should an incident occur. Have a written plan and make sure you have printed copies in a secondary location. If phone and Internet service is disrupted, you and your employees need to be able to work the plan without normal phone or Internet communications. Run simulations so you can ensure that everyone knows their responsibilities and can act quickly should disaster strike. If you need help building a plan, read our Disaster Preparedness white paper for a full explanation.

Planning for disaster isn’t the most fun task, and it often doesn’t seem to be the most pressing – but taking the time now to prepare will make navigating the unexpected that much easier.


1 Comment

Maddy Low

DrivingSales

May 5, 2017

I think planning for disasters is something we take for granted! We always assume we'll know what to do in a bad situation, but most of the time when something bad happens we get stuck! Thanks for sharing!

Lisa Plaggemier

CDK Global

Jan 1, 2017

5 Steps to Effective Offboarding

Most dealerships have a process to onboard new employees — background checks, drug tests, references, acknowledgement of dealership policies, etc. — but do you have a written process in place to offboard employees when they leave?

In a widely-publicized case that’s still under litigation, Wolf Auto Center in Colorado alleges that two former dealership employees "used their prior usernames, passwords and company email accounts to obtain data, confidential information and trade secrets." My guess: this happens much more frequently than we realize. Employees leave one dealership to go to work for another — and take their data access with them. Courts have decided this is illegal. Even if you have a valid user ID and password for a system, it’s illegal to log into a system you know you should no longer be accessing.

But it’s not enough to know the law is on your side — you need to prevent it from happening in the first place. It’s better to dedicate time now to planning and prevention than spend your time and resources discovering a theft, gathering forensic evidence and dealing with a potential prosecution.

Instead, create a written offboarding process. Here are some different things to consider.

Disable employee access for all systems and accounts  

Keep a list of account access for each employee with access — not just when they were first hired, but throughout the course of their employment. As you change vendors and your employees potentially change roles, keep track of the privileges and permissions they’ve been given. Examples include your DMS, CRM and OEM systems, third-party websites, lead providers, social media accounts, etc. If you haven’t tracked their access while they’ve worked for you, it’s more challenging to disable access when they leave.

Double-down on your DMS

When employees leave, disable their access to your DMS. However, disabling a user in your DMS can be complex. Removing someone from the core DMS application may not remove them from every application your DMS provides. If you’re unsure, call your DMS provider for help.

Check your access

Review logs regularly to check for any inappropriate access or users accessing sensitive information, like financial statements. Audit your users to be sure they’re all still your employees. Check logs for DMS activity at unusual times of the night or day.
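The two checks described above (keeping an access inventory throughout employment so every account can be disabled on departure, and auditing users and DMS logs for ex-employees and activity at unusual hours) can be scripted. The following is an added example, not code from the post or from CDK Global: the system names (DMS, CRM, OEM portal) follow the post, while the user names, record layouts, the log line format and the 7:00–21:00 business-hours window are constructed assumptions for illustration.

```python
"""Offboarding access audit (added example, not CDK Global code).

Two checks from the post, run over constructed sample data:
  1. accounts_to_disable(): from an access inventory kept throughout
     employment, list every account a departing employee still holds.
  2. stale_accounts() / audit_log(): compare the inventory and a DMS access
     log against the current staff roster and flag grants or activity by
     anyone no longer employed, plus activity outside business hours.
User names, record layouts, log format and the hours window are assumptions.
"""
from datetime import datetime, time

# Constructed inventory: one row per grant, updated as vendors and roles change.
ACCESS_INVENTORY = [
    {"user": "jdoe", "system": "DMS", "role": "sales"},
    {"user": "jdoe", "system": "CRM", "role": "user"},
    {"user": "jdoe", "system": "OEM portal", "role": "dealer-user"},
    {"user": "jdoe", "system": "Facebook page", "role": "admin"},
    {"user": "asmith", "system": "DMS", "role": "accounting"},
    {"user": "asmith", "system": "CRM", "role": "user"},
]

# Constructed roster of people currently employed (jdoe has left).
CURRENT_STAFF = {"asmith", "bjones"}

# Constructed DMS log export, one event per line:
#   <date> <time> <user> <action> <resource>
SAMPLE_LOG = """\
2017-01-03 09:12:44 asmith login DMS
2017-01-03 23:47:10 jdoe login DMS
2017-01-03 23:48:02 jdoe view financial_statement_2016
2017-01-04 08:05:31 bjones login DMS
2017-01-04 02:30:15 asmith view customer_list
"""

# Assumed normal hours; anything outside counts as an unusual time of day.
BUSINESS_HOURS = (time(7, 0), time(21, 0))


def accounts_to_disable(user, inventory=ACCESS_INVENTORY):
    """Every (system, role) the departing user holds; each must be disabled."""
    return [(g["system"], g["role"]) for g in inventory if g["user"] == user]


def stale_accounts(inventory=ACCESS_INVENTORY, staff=CURRENT_STAFF):
    """(user, system) grants still on the books for people not on the roster."""
    return sorted({(g["user"], g["system"])
                   for g in inventory if g["user"] not in staff})


def parse_log(text):
    """Parse the constructed log format into event dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, user, action, resource = line.split(maxsplit=4)
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append({"ts": ts, "user": user,
                       "action": action, "resource": resource})
    return events


def audit_log(text, staff=CURRENT_STAFF, hours=BUSINESS_HOURS):
    """Findings: events by non-staff users or outside business hours."""
    start, end = hours
    findings = []
    for e in parse_log(text):
        reasons = []
        if e["user"] not in staff:
            reasons.append("user not on current staff roster")
        if not (start <= e["ts"].time() <= end):
            reasons.append("outside business hours")
        if reasons:
            findings.append({"ts": e["ts"].isoformat(sep=" "),
                             "user": e["user"], "action": e["action"],
                             "resource": e["resource"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("Disable for jdoe:", accounts_to_disable("jdoe"))
    print("Stale grants:", stale_accounts())
    for f in audit_log(SAMPLE_LOG):
        print(f["ts"], f["user"], f["action"], f["resource"], "->", f["reasons"])
```

Running the script lists four accounts to disable for the departed user, four stale grants, and three log findings: two events by the ex-employee late at night (the second one viewing a financial statement) and one current employee viewing the customer list at 02:30. In practice the inventory and roster would come from HR and each vendor's admin console, and the log from the DMS provider's export.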

Stay secure with separate logins

Never allow multiple users to share the same login — it makes it impossible to detect improper access or theft by an employee.

Data on devices

If your dealership encourages a BYOD (bring your own device) environment for conducting company business, you need to be able to dispose of your data on their device. If a dealership-owned device is lost or a former employee fails to return it, be sure you have a mechanism to remotely wipe the device or make it unusable. There are various applications that protect and secure company data on mobile devices; be sure your employees have them installed and your IT team is monitoring and wiping devices once employees have left.

With the excitement of a new employee, most dealerships have many processes to make sure they’re safe. Take the same precautions when employees leave your dealership as well, for your safety and theirs.


4 Comments

C L

Automotive Group

Jan 1, 2017

Trade secrets?

Like the recipe for Bush's baked beans?

Brad Paschal

Fixed Ops Director

Jan 1, 2017

Only Duke knows the recipe....

Mark Rask

Kelley Buick Gmc

Jan 1, 2017

Does anyone have any ideas on a good checklist for this?

Adam Shiflett

DrivingSales

Jan 1, 2017

Great article @Lisa! I think this is one of the biggest security leaks for most companies. It is amazing how many companies leave the back door open and don't even realize how much risk it introduces.

Speaking of which, I think I still have access to multiple social media accounts from past employees that never got turned off (*sigh*).

Lisa Plaggemier

CDK Global

Oct 10, 2016

DDoS, Hacked Emails, and the Connected Car

Last week’s DDoS attack was premeditated, sophisticated, and scary, taking down the likes of Amazon, Twitter, Netflix, and PayPal, companies that likely had very sophisticated cyber defenses in place.

Every few days lately, more hacked emails from politicians and campaign officials make the news, proof that nobody is above being fooled by a well-crafted phishing email.

And then there’s the constant trickle of data breaches with their “we’re sorry” offer of free credit monitoring for a year or so.

“I’m tired of worrying about security.”

The SAAR is beginning to stall, and most dealers I talk to are focused on belt-tightening, not protecting themselves from hackers. But you can’t put your head in the sand – you’re selling cars and trucks that are increasingly connected, to each other, to their owners, and to your dealership.

A recent study by the National Institute of Standards and Technology (NIST) found that people are suffering from security fatigue, tired of changing and remembering passwords and PINs, tired of the headlines. They also think security is someone else’s responsibility, referring to the bank or store they do business with.

And it’s only going to get more complicated. The auto industry is already a complex environment of manufacturers, suppliers and dealers. But with the Internet of Things comes even greater complexity. Every component of software or hardware and every participant in the supply chain and lifecycle of the connected car is potentially vulnerable to cyber threats. We have to be aware of our shared responsibility. We need to collaborate to implement the technology and processes to protect the industry and our consumers at every point in the chain. We are only as strong as our weakest link.

The relationships between the consumer, manufacturer and dealer are complex, but we are all intertwined in the task of protecting the cars and the consumers from harm. The task of staying secure may seem exhausting, but the consequences for not prioritizing security could be devastating. Take the time to educate your employees and make sure the proper processes and technology are in place to protect your dealership.

Curious how to protect your dealership? Learn more about security best practices on our blog.

We’ve also made it a priority to put SecurityFirst for our dealers.


1 Comment

C L

Automotive Group

Nov 11, 2016

Lisa, did you guys ever post the reason all CDK sites went down on the 4th of July? Just curious.

Lisa Plaggemier

CDK Global

Oct 10, 2016

Evolution of the Phish

“Good day,

Please allow me to introduce myself. My name is Dr. (Mrs.) Mariam Abacha, the wife of the late head of state and commander in chief of the armed forces of the federal republic of Nigeria who died on the 8th of June 1998. The present democratic government is determined to portray all the good work of my late husband in a bad light and have gone as far as confiscating all my late husband's assets, properties, freezing our accounts both within and outside Nigeria.

My late husband had/has Eighty Million USD ($80,000,000.00) specially preserved and well packed in trunk boxes of which only my husband and I knew about. It is this sum that I seek your assistance to get out of Nigeria as soon as possible. You will be well compensated. I implore you to please give consideration to my predicament and help a widow in need….”

Remember when all phishing emails were this obvious? They were full of misspellings, awkward English and bad graphics; I used to think only my mom clicked on these things.

As I like to say, it’s called organized crime for a reason – they’re organizations just like our legitimate companies. And just like a well-run company, they’ve implemented improved processes over the last couple of years like:

  • Copywriting. The emails are well-written, with fewer spelling errors and better English phrasing.
  • Graphics. Many phish now include logos from companies we all know and do business with, which makes us much more likely to click.
  • Web development. A talented developer can put up a site that looks strikingly similar to a legitimate website but delivers malware instead.
  • Call centers. Scams that involve out- or in-bound phone calls as part of the scam are now handled by criminal call centers. “Bad guys” outsource to others for the sake of efficiency. These call centers can handle multiple languages and scams at once, just like a well-run lawful call center.
  • Data science. Just like any marketing department, hackers are now using data to improve their success rates. They are building data warehouses with data stolen from various breaches – credit card numbers from one breach, social security numbers from another and passwords from a third. They are compiling holistic views of individuals so that they can target their victims with more convincing scams – the more they know about you, the better they can target their messaging or delivery to entangle you.

Plenty of work is being done to block phish from ever hitting our inboxes both at work and at home, but with millions hitting servers every day, if even 1% get through, that can mean success for hackers. If it didn’t work, they wouldn’t be doing it.

So what can you do?

Phishing scams can be aggressive, but you’re not defenseless. Have a healthy suspicion in your life online. If someone knocked on your door peddling these scams, you wouldn’t think twice about sending them packing. Have the same attitude about your online presence. When in doubt, follow these tips:

  • Don’t open email or attachments from people you don’t know. If it’s important enough, they will call you.
  • Use multi-factor authentication on every account that offers it – your bank, credit cards, email, social media, etc.
  • Keep your anti-virus protection up-to-date. Check for updates. Run them instead of clicking “ignore” or “remind me later.”
  • Educate your friends, family and coworkers. Often phish are spread from one infected individual.
  • Practice safe surfing. Don’t download pirated material or use torrent sites. It’s illegal and you’re likely to get a malware infection.

While traditional fishing is relaxing and rewarding, phishing can be anything but. Protecting yourself online isn’t optional anymore; it’s essential to educate yourself on security practices so you can stay out of the hands of the “bad guys.” Throwing the “phish” back into the lake is just the first step.


1 Comment

Jim Foote

CDK Global

Oct 10, 2016  

This is a great illustration of how the methods of phishing have changed over time. The objective is still the same but they have become far more convincing.

Lisa Plaggemier

CDK Global

Aug 8, 2015

The Security Risks of Outdated Software


Resistance to Change Can be a Big Gamble

There are always early adopters of technology – using the latest and greatest in their business and personal lives – and late adopters, who would rather let all the kinks get worked out by someone else first. And who needs a huge disruption to their business – to their life – just to upgrade technology that’s working just fine? If it ain’t broke, don’t fix it.

The problem is, with technology, it may be broken in ways you can’t see. You could be gambling your enterprise – your data, your financial resources, your reputation, your security – all while thinking you’re being responsible and avoiding disruption to your business, your employees, and your customers.

The gamble is that using outdated software puts you at an increased risk of having a security breach.

Why? Outdated software is more likely to have flaws that can be exploited by cyber criminals. Those security gaps are more often present in older software that’s no longer maintained, automatically updated, or supported by its maker.

You know how there comes a point with an old car when it’s just not worth repairing? The same thing happens to software – new models come out, and while the developers work to continually “patch” (repair) the old models, at some point they stop updating their manuals to focus on newer models. Technology companies using that outdated software in their solutions are left no choice when the original developer is no longer issuing patches. It’s time to update to something safer.

Case in Point: Windows XP

Windows XP is so old… how old is it?

According to The Security Advocate, it’s so old, and the fact that it is outdated is so well known, that law firms still running the software can be held liable for any breach of client data, if the breach is found to be the result of the firm using Windows XP.

“It will be difficult to make a straight-faced argument in court that it was reasonable to safeguard client data with well-known outdated software that the software developer very publicly announced would no longer receive any further support or security updates,” writes The Security Advocate.

Imagine your business being legally liable for an attack, perpetrated by someone else, because your operating system is out of date.

Given that car dealers are essentially considered financial institutions, with lots of sensitive data in their systems, would you gamble your business on this? Get off Windows XP.

There was a lot of press on updating from Windows XP last fall when Microsoft announced that they were discontinuing support for the 12-year-old software. It was back in the headlines last spring when a western European country reported that hackers stole $1.32 million from ATMs. The ATMs run on Windows XP, which was cited as the reason they were vulnerable to the attack.

Some Windows XP users are using a hack to protect themselves from a hack. Someone has taken security updates issued by Microsoft for other Windows products and hacked them to supposedly be effective at updating Windows XP. Microsoft warns that these updates were not intended for XP and won't protect users. I don’t know about you, but I don’t think I would trust a random hacker to protect me from other hackers.

Another Example

CDK Chief Business Security Officer Jim Foote recently spoke to Automotive News about something called the Bourne-Again Shell (Bash) Shellshock vulnerability.

What is a “shell”?

“Simply put, the shell is a program that takes your commands from the keyboard and gives them to the operating system to perform,” according to LinuxCommand.org. Think of it as the innermost part of your operating system. It’s invisible to the average user, and unfortunately, if a bad guy gets in and exploits your system at the “command level,” that will be invisible to users, too. It won’t be obvious on Windows or whatever operating system you’re using; it also won’t be visible in the applications you’re using.

What is the Shellshock vulnerability?

“Shellshock is an outside attack by remote computers or bots against a target system in which remote commands attempt to penetrate firewalls and other security defenses,” says Jim Foote. “If you’re still running w.e.b.Suite, that’s now over ten years old, it’s time, for security reasons, to upgrade to newer technology.”

Shellshock affects the Unix operating system – a popular system used by CDK, many technology companies, and the US government.

So if Shellshock is so bad, why can’t you protect against it? In most cases, you can. When alerted to the problem last fall by the government, CDK and other technology companies created patches to protect against this vulnerability. But if you’re using a system that’s running an older version of Unix, no longer being supported by its creator, there is no patch. The solution is to get up-to-date: upgrade from your old operating system to the newer, safer, more secure version.

So don’t gamble everything you’ve worked so hard to build in an attempt to keep your business from having to adapt to newer, safer technology. Playing it safe isn’t playing it safe at all when it comes to using out-of-date, unpatched software. You may be better off putting your money in a European ATM.

If you haven’t updated from Windows XP, tell us why. We’d like to hear from you. Security@cdk.com.


No Comments
