Navigating the FTC Safeguards Rule: A Guide for Auto Dealerships

By Mike Toole, director of security and IT at Blumira [ Join Cybersecurity Insiders ]
369

Recent cybersecurity incidents affecting auto dealerships nationwide have underscored the growing importance of strong security measures. United States government organizations have emphasized that entities handling sensitive customer financial information must establish data protection protocols. Given auto dealerships fall into this category, they are expected to comply with the FTC Safeguards Rule.

The FTC’s rule requires entities to “develop, implement and maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information.” This rule presents an opportunity for the industry to come together, share best practices and ultimately enhance individual organizations’ cybersecurity posture.

For auto dealership decision-makers wondering where to start when implementing robust security measures, here are four industry-wide best practices to consider.

#1: Identify Critical Vendors and Systems

Conduct an inventory of all third-party systems used in your dealership by cataloging every third-party application, software and service utilized across operations. Systems include your dealership management system (DMS), customer relationship management (CRM) software, and even smaller, less conspicuous tools like service scheduling platforms. Create a comprehensive list that details each system’s purpose, usage frequency and access points. Conducting an inventory will serve as the foundation for understanding where your critical dependencies lie.

Determine which systems are essential for your dealership’s smooth functioning. Systems such as your DMS, CRM and inventory management platforms are often at the top of this list due to their central role in managing sales, customer interactions and vehicle inventory. Evaluate the impact of each system’s potential downtime or breach. Prioritize these systems based on their importance and the severity of the consequences should they be compromised. For instance, a breach in your DMS could lead to significant financial losses and operational disruptions, while issues in your CRM could affect customer trust and satisfaction.

#2: Assess Security Measures

Check if critical vendors have basic cybersecurity measures in place. Ask them about their security practices and if they have any certifications (like ISO 27001) that demonstrate a commitment to maintaining high-security standards. Other questions to consider asking include:

  • How do they manage data encryption?
  • What are their access control measures?
  • Do they perform regular security audits?
  • Can you provide reports from security audits or assessments?

Additional security steps your teams can take include:

  • Ensure you protect critical systems with strong passwords, regular updates and antivirus software.
  • To add an extra layer of security, consider using multi-factor authentication (MFA) where possible.
  • Regular updates are crucial for fixing vulnerabilities that cyber attackers could exploit. Establish automatic updates where possible and have a process for manually applying critical patches.
  • When choosing antivirus software, prioritize those that perform regular scans and are updated frequently to recognize the latest threats. Antivirus software can help detect and neutralize malicious activities before they cause significant damage.

#3: Limit the Blast Radius

Divide your network into separate segments. For example, keep your sales and financial systems separate. This way, if one part of your network is compromised, the others remain safe. Ensure that each segment has strict access controls, allowing only authorized personnel to access specific segments. For instance, sales personnel should not have access to financial data, and vice versa.

Use the principle of least privilege for vendor access to your systems. Grant vendors the minimum level of access necessary to perform their tasks. By limiting their access to only the systems and data they need, you can effectively reduce the potential impact of a compromised vendor account. Implement continuous monitoring of vendor systems to detect any unusual or suspicious activity. One helpful tool is a security information and event management (SIEM) tool, which collects and analyzes log data from various sources, providing real-time visibility into potential threats.

#4: Backup and Recovery

Establish a schedule for regular backups of all critical data, including customer information, financial records, sales data and inventory details. Determine the frequency of backups based on the data volume and the information’s criticality. Daily or weekly backups are common practices for maintaining up-to-date records.

Consider having redundant systems or alternative vendors for critical functions. For example, have backup servers or alternative systems ready to take over if the primary system fails. Redundant systems minimize downtime and ensure business continuity.

Create detailed business continuity plans for each critical vendor system. These plans should include step-by-step procedures for recovering critical systems, restoring data and resuming normal business activities. Identify and document alternative processes or manual workarounds for critical functions. For instance, if your digital sales system goes down, have a plan in place for processing sales manually.

Test and update these backup processes annually. Perform scenario-based drills that simulate different types of disruptions. These drills help identify potential weaknesses in your recovery plans and provide opportunities for improvement. Update your backup and recovery plans based on lessons learned from actual and simulated events, and communicate changes to team members so they have the most current version of the plan.

Embracing Collective Progress 

As you adapt your business to these policies, it’s crucial to view them through a lens of collective progress. Each new security measure implemented, each lesson learned from a simulation and each collaborative effort between dealerships contribute to the overall resilience of the automotive industry.

Looking ahead, the true measure of success will not be avoiding every possible threat—an unrealistic goal in today’s digital world—but how swiftly and effectively you respond when challenges arise. By fostering a culture of openness, continuous learning and mutual support, auto dealership decision-makers can protect individual businesses and strengthen the entire automotive ecosystem. In doing so, industry leaders can safeguard operations and reinforce customer trust.

Ad

No posts to display