CDK Global
April Showers Bring May Floods
What Does Business Continuity Mean for Your Dealership?
It’s Business Continuity Awareness Week – an obscure fact known only to those who spend most of their time planning for things that we hope will never happen: a flood, fire, hurricane, tornado - heck, even an act of war or civil unrest. These folks thrive on scary weather forecasts and what, for the rest of us, look like doomsday plans.
CDK Global and many large companies are fortunate to have people dedicated to planning for the “what if,” but smaller businesses like some dealerships may not have that luxury. So how do you make business continuity work for you? Some dealers hire professionals, but not everyone has the resources.
Here are the basics to consider:
Identify Risks
The first step is to consider what potential crises could throw your business, your employees, and potentially your customers into chaos. Is your business, or the homes of many of your employees for that matter, located in an area prone to flooding, hurricanes, tornadoes, or other natural disasters? Maybe you’re located near a military base; could a major military deployment take the vast majority of your customers out of the market for months? How would you cope with that? Listing these risks can be easier if you think of them in these categories:
Malicious: These types of disasters are related to criminal activity seeking to bring harm to your business. For example: Your office manager clicked on a phishing email and keylogging malware captured her user ID and password to your bank account. Now an Eastern European organized crime ring wiped out your bank account.
Natural disasters: These are naturally occurring disasters like floods, blizzards, ice storms, hurricanes or earthquakes.
Technical issues: These types of incidents are often caused by loss of service from a technology provider or a hardware or software failure.
Human resource issues: Think about these issues as they relate to your staff. What would happen if the next flu outbreak caused half of your employees to be out sick?
Geographic factors: Think of issues that might stem from your location; for example, a construction project that temporarily blocks access to your dealership.
Geopolitical factors: Think about how political factors could affect your dealership. If a large portion of your customers are in the military, how might you plan for deployments?
Once you’ve got the list, ask yourself how probable each potential issue might be and how severe the potential impact could be on your dealership. Answering those two questions will help you assess the risk and prioritize.
Business Impact Analysis
Next, determine which mission-critical business processes need to be in place in order for you to continue to function following a disruption. Think about which processes need to be functioning at minimum for you to continue selling and servicing vehicles. What core IT applications need to be functional for you to maintain those processes? Do you have manual processes that would allow you to continue operations? What about physical infrastructure and resources? If your facility is under a few feet of water, can you set up and operate remotely for a time?
In addition to identifying your key functions, you should also estimate what losses you could incur from a business interruption.
Incident Management Plan
Lastly, develop a plan that establishes who is responsible for taking action should an incident occur. Have a written plan and make sure you have printed copies in a secondary location. If phone and Internet service are disrupted, you and your employees need to be able to work the plan without normal phone or Internet communications. Run simulations so you can ensure that everyone knows their responsibilities and can act quickly should disaster strike. If you need help building a plan, read our Disaster Preparedness white paper for a full explanation.
Planning for disaster isn’t the most fun task, and it often doesn’t seem to be the most pressing – but taking the time now to prepare will make navigating the unexpected that much easier.
I have a lifelong passion for the auto industry and fervor for security awareness. I help CDK Global, our clients and our partners manage their risk and help them grow their business safely and securely.
CDK Global
5 Steps to Effective Offboarding
Most dealerships have a process to onboard new employees — background checks, drug tests, references, acknowledgement of dealership policies, etc. — but do you have a written process in place to offboard employees when they leave?
In a widely publicized case that’s still under litigation, Wolf Auto Center in Colorado alleges that two former dealership employees "used their prior usernames, passwords and company email accounts to obtain data, confidential information and trade secrets." My guess: this happens much more frequently than we realize. Employees leave one dealership to go to work for another — and take their data access with them. Courts have decided this is illegal. Even if you have a valid user ID and password for a system, it’s illegal to log into a system you know you should no longer be accessing.
But it’s not enough to know the law is on your side — you need to prevent it from happening in the first place. It’s better to dedicate time now to planning and prevention than spend your time and resources discovering a theft, gathering forensic evidence and dealing with a potential prosecution.
Instead, create a written offboarding process. Here are some different things to consider.
Disable employee access for all systems and accounts
Keep a list of the accounts each employee can access — not just when they were first hired, but throughout the course of their employment. As you change vendors and your employees potentially change roles, keep track of the privileges and permissions they’ve been given. Examples include your DMS, CRM and OEM systems, third-party websites, lead providers, social media accounts, etc. If you haven’t tracked their access while they’ve worked for you, it’s more challenging to disable access when they leave.
Double down on your DMS
When employees leave, disable their access to your DMS. However, disabling a user in your DMS can be complex. Removing someone from the core DMS application may not remove them from every application your DMS provides. If you’re unsure, call your DMS provider for help.
Check your access
Review logs regularly to check for any inappropriate access or users accessing sensitive information, like financial statements. Audit your users to be sure they’re all still your employees. Check logs for DMS activity at unusual times of the night or day.
Stay secure with separate logins
Never allow multiple users to share the same login — it makes it impossible to detect improper access or theft by an employee.
Data on devices
If your dealership encourages a BYOD (bring your own device) environment for conducting company business, you need to be able to dispose of your data on their device. If a dealership-owned device is lost or a former employee fails to return it, be sure you have a mechanism to remotely wipe the device or make it unusable. There are various applications that protect and secure company data on mobile devices; be sure your employees have them installed and your IT team is monitoring and wiping devices once employees have left.
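The access inventory and log review described in the steps above can be scripted. The following Python sketch is an added example, not CDK Global code: the roster, the inventory, the comma-separated log format, the user names and the business hours are all constructed assumptions, and a real DMS or CRM export will look different.

```python
from datetime import datetime, time

# Constructed sample data; every name and value below is hypothetical.
ROSTER = {  # user id -> departure date, or None while still employed
    "jsmith": None,
    "mlopez": datetime(2024, 3, 15),
}
ACCESS_INVENTORY = {  # system -> user ids that still have an enabled account
    "DMS": {"jsmith", "mlopez"},
    "CRM": {"jsmith", "mlopez", "tbrown"},
}
LOG_LINES = [  # assumed export format: timestamp,system,user,resource
    "2024-03-14T10:02:00,DMS,mlopez,customer_list",
    "2024-03-20T23:41:00,DMS,mlopez,financial_statement",
    "2024-03-21T02:15:00,DMS,jsmith,financial_statement",
    "2024-03-21T09:30:00,CRM,jsmith,lead_report",
]
BUSINESS_HOURS = (time(7, 0), time(20, 0))  # assumed opening hours


def stale_accounts(roster, inventory, as_of):
    """Enabled accounts whose owner has left or is not on the roster at all."""
    stale = []
    for system, users in inventory.items():
        for user in users:
            left = roster.get(user)
            if user not in roster or (left is not None and left <= as_of):
                stale.append((system, user))
    return sorted(stale)


def review_log(lines, roster, hours=BUSINESS_HOURS):
    """Flag log entries by unknown users, former employees, or at odd hours."""
    findings = []
    for line in lines:
        stamp, system, user, resource = line.strip().split(",")
        when = datetime.fromisoformat(stamp)
        left = roster.get(user)
        if user not in roster:
            reason = "unknown user"
        elif left is not None and when > left:
            reason = "access after departure"
        elif not hours[0] <= when.time() <= hours[1]:
            reason = "off-hours access"
        else:
            continue
        findings.append((stamp, system, user, resource, reason))
    return findings


if __name__ == "__main__":
    print(stale_accounts(ROSTER, ACCESS_INVENTORY, datetime(2024, 3, 22)))
    for finding in review_log(LOG_LINES, ROSTER):
        print(finding)
```

Both checks only work when every person has a separate login; with a shared account, the user column no longer identifies who accessed the record.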
With the excitement of a new employee, most dealerships have many processes to make sure they’re safe. Take the same precautions when employees leave your dealership as well, for your safety and theirs.
4 Comments
DrivingSales
Great article @Lisa! I think this is one of the biggest security leaks for most companies. It is amazing how many companies leave the back door open and they don't even realize how much it introduces risks.
Speaking of, I think I still have access to multiple social media accounts from past employees that never got turned off (*sigh*).
CDK Global
DDoS, Hacked Emails, and the Connected Car
Last week’s DDoS attack was premeditated, sophisticated, and scary, taking down the likes of Amazon, Twitter, Netflix, and PayPal, companies that likely had very sophisticated cyber defenses in place.
Every few days lately, more hacked emails from politicians and campaign officials make the news, proof that nobody is above being fooled by a well-crafted phishing email.
And then there’s the constant trickle of data breaches with their “we’re sorry” offer of free credit monitoring for a year or so.
“I’m tired of worrying about security.”
The SAAR is beginning to stall, and most dealers I talk to are focused on belt-tightening, not protecting themselves from hackers. But you can’t put your head in the sand – you’re selling cars and trucks that are increasingly connected, to each other, to their owners, and to your dealership.
A recent study by the National Institute of Standards and Technology (NIST) found that people are suffering from security fatigue, tired of changing and remembering passwords and PINs, tired of the headlines. They also think security is someone else’s responsibility, referring to the bank or store they do business with.
And it’s only going to get more complicated. The auto industry is already a complex environment of manufacturers, suppliers and dealers. But with the Internet of Things comes even greater complexity. Every component of software or hardware and every participant in the supply chain and lifecycle of the connected car is potentially vulnerable to cyber threats. We have to be aware of our shared responsibility. We need to collaborate to implement the technology and processes to protect the industry and our consumers at every point in the chain. We are only as strong as our weakest link.
The relationships between the consumer, manufacturer and dealer are complex, but we are all intertwined in the task of protecting the cars and the consumers from harm. The task of staying secure may seem exhausting, but the consequences for not prioritizing security could be devastating. Take the time to educate your employees and make sure the proper processes and technology are in place to protect your dealership.
Curious how to protect your dealership? Learn more about security best practices on our blog.
We’ve also made it a priority to put SecurityFirst for our dealers.
1 Comment
Automotive Group
Lisa, did you guys ever post the reason all CDK sites went down on the 4th of July? Just curious.
CDK Global
Evolution of the Phish
“Good day,
Please allow me to introduce myself. My name is Dr. (Mrs.) Mariam Abacha, the wife of the late head of state and commander in chief of the armed forces of the federal republic of Nigeria who died on the 8th of June 1998. The present democratic government is determined to portray all the good work of my late husband in a bad light and have gone as far as confiscating all my late husband's assets, properties, freezing our accounts both within and outside Nigeria.
My late husband had/has Eighty Million USD ($80,000,000.00) specially preserved and well packed in trunk boxes of which only my husband and I knew about. It is this sum that I seek your assistance to get out of Nigeria as soon as possible. You will be well compensated. I implore you to please give consideration to my predicament and help a widow in need….”
Remember when all phishing emails were this obvious? They were full of misspellings, awkward English and bad graphics, and I used to think only my mom clicked on these things.
As I like to say, it’s called organized crime for a reason – they’re organizations just like our legitimate companies. And just like a well-run company, they’ve implemented improved processes over the last couple of years like:
- Copywriting. The emails are well-written, with fewer spelling errors and better English phrasing.
- Graphics. Many phish now include logos from companies we all know and do business with, which makes us much more likely to click.
- Web development. A talented developer can put up a site that looks strikingly similar to a legitimate website but delivers malware instead.
- Call centers. Scams that involve out- or in-bound phone calls as part of the scam are now handled by criminal call centers. “Bad guys” outsource to others for the sake of efficiency. These call centers can handle multiple languages and scams at once, just like a well-run lawful call center.
- Data science. Just like any marketing department, hackers are now using data to improve their success rates. They are building data warehouses with data stolen from various breaches – credit card numbers from one breach, social security numbers from another and passwords from a third. They are compiling holistic views of individuals so that they can target their victims with more convincing scams – the more they know about you, the better they can target their messaging or delivery to entangle you.
Plenty of work is being done to block phish from ever hitting our inboxes both at work and at home, but with millions hitting servers every day, if even 1% get through, that can mean success for hackers. If it didn’t work, they wouldn’t be doing it.
So what can you do?
Phishing scams can be aggressive, but you’re not defenseless. Have a healthy suspicion in your life online. If someone knocked on your door peddling these scams, you wouldn’t think twice about sending them packing. Have the same attitude about your online presence. When in doubt, follow these tips:
- Don’t open email or attachments from people you don’t know. If it’s important enough, they will call you.
- Use multi-factor authentication on every account that offers it – your bank, credit cards, email, social media, etc.
- Keep your anti-virus protection up-to-date. Check for updates. Run them instead of clicking “ignore” or “remind me later.”
- Educate your friends, family and coworkers. Often phish are spread from one infected individual.
- Practice safe surfing. Don’t download pirated material or use torrent sites. It’s illegal and you’re likely to get a malware infection.
While traditional fishing is relaxing and rewarding, phishing can be anything but. Protecting yourself online isn’t optional anymore; it’s essential to educate yourself on security practices so you can stay out of the hands of the “bad guys.” Throwing the “phish” back into the lake is just the first step.
1 Comment
CDK Global
This is a great illustration of how the methods of phishing have changed over time. The objective is still the same but they have become far more convincing.
1 Comment
Maddy Low
DrivingSales
I think planning for disasters is something we take for granted! We always assume we'll know what to do in a bad situation, but most of the time when something bad happens we get stuck! Thanks for sharing!