Risky Business. How Secure is Your Dealership's Information? By Robert Gibbs


Issue Paper 2008: Risky Business, by Robert Gibbs

Remember when information security meant locking your file cabinets at night? Unfortunately, those days are long gone. With the Internet and e-mail, information security has a dramatically different meaning. All businesses, big and small, need to protect themselves from computer viruses, hackers, spyware, crimeware, spam, phishing sites, and even pop-ups. More than a nuisance, these technological evils are a danger to businesses, customers, and your bottom line.

Don't think for one minute that your small business is not under attack. This is a silent war. Attacks are made at random. Threats are looking for server space and bandwidth to be used to propagate further attacks in the never-ending search for data to be exploited. Your data is at risk 24/7/365.

With these dangers constantly present, how do you know if your data is protected? What steps should you take to ensure your sensitive customer information and your computer systems are safe? How do you avoid going overboard with expensive solutions you don't need? Answering these questions may be easier than you think. This Issue Paper explains how to determine what you need to keep your information and computer systems safe. To start, we will break this process down into three basic steps:

1. Gather background information.
2. Develop and implement data security policies, standards, and procedures.
3. Maintain and audit policies, standards, and procedures.

These steps are discussed on the following pages, along with the reasoning behind each. Useful suggestions to help you get started in evaluating the security of your systems and information are also included.

Step 1: Gather Background Information

To improve your information security, you must first understand where you are vulnerable. Create an inventory of your business-critical information assets. These assets include computer hardware, software, databases, and physical documentation (e.g., contracts and employee records).
It may be best to create this list in a spreadsheet for easy addition to and reorganization throughout the rest of the process. Be sure to include notes about your inventory as you go along. When your research is done, this inventory list becomes the basis for your plan of action.

Next, go back through the list and prioritize the items from most to least important. To help you prioritize, ask questions like:

- How does this information relate to my business objectives?
- Is the information critical for my business operations?
- What are the consequences of a competitor, hacker, or thief obtaining the information?

These questions help you determine which assets are most important to your business and pose the greatest risk to you if compromised. For example, any paper or electronic record containing non-public information about a customer, vendor, or employee would clearly be a higher security priority than last month's parts inventory.

Once you've prioritized your assets, look at how each one is used, by whom, and for what reason. This includes your staff and third parties who access your system. Ask yourself:

- Who needs to have access to that information?
- Are the appropriate unique usernames and passwords in place?
- Are they changed regularly for added protection?
- Are they disabled when employees leave?

Once your inventory is complete, identify the assets on the list that have adequate security features in place and which ones do not. You may want to do this step with a partner to verify your categorization. Some things to look for are:

- Firewalls and Virtual Private Network (VPN) access.
- Authorization and authentication controls.
- Updated antivirus tools and spam filters.

- Internet content control.
- Network security policy compliance tools.
- Cryptography tools.
- Intrusion detection systems.
- Locked cabinetry, room space, or offsite storage for paper documents and back-up data tapes (e.g., your daily DMS system back-up tapes) that are safe from potential disasters such as floods or fires.

Reviewing existing security features may be the most time-consuming part of the process. Don't be afraid to ask others to help identify which security features you have. Most managers don't know this information off the top of their heads.

Once you've identified existing security features, cross off the assets that already have adequate security features. Since those assets are already protected, they should not be your priority. However, a periodic review is recommended to ensure today's measures are sufficient tomorrow.

When finished, the remaining inventory list may look overwhelming, but don't panic. Your Dealership Management System (DMS) provider should be able to help you. If you are unsure about this, contact your local DMS representative and ask these questions:

- Has a security officer been designated to coordinate the safeguarding of customer information?
- Have the risks to customer information been identified and assessed?
- Have safeguards been implemented to protect customer information?

This should assure you that your DMS partner is taking adequate steps to protect your information and minimize losses in the event of a security breach. If the answer to any of these questions is no, you should demand that they play a more active role in assisting with data security to earn your continued business. They may even offer security checks to help identify potential risks specific to your system, including who is accessing your system, what information they are accessing, and whether they are authorized accordingly. If it is offered, take advantage of this service. It will save you much time and effort during your background information research.
Even though your business partners should help you keep compliant, it is your responsibility to stay informed of current legislation and to make sure that you are not in violation. In the event of a lawsuit, your dealership is liable, not your software and hardware partners. Be proactive in ensuring compliance with all applicable laws.

Finally, research the solutions available to you for each item on your list. Some of the items can be fixed by a simple process or procedure change, while others may require additional hardware or software. Your DMS provider may have many of the products or services you're looking for. If not, try a third-party vendor or consult an electronics store.

NOTE: Beware of vendors who claim they have methods to extract data from a PC at your dealership. This emerging trend is used by service providers to bypass security features built into your DMS software. Dealership IT professionals agree that running server software on a PC at the dealership is not a secure solution, and leaves the DMS vulnerable to:

- Data corruption: via viruses from a third party, which are most often unintentional.
- Spyware: service provider software requires a DMS ID and password, so any spyware can capture dealership or customer information.
- Unauthorized access: the service provider accesses and utilizes more DMS data than was authorized.

Step 2: Develop and Implement Security Policies, Standards, and Procedures

Now that you have an information asset inventory and have found the products and services you need to purchase to help you be compliant, you are ready to start implementing. This consists of two parts: 1) purchasing and installing new hardware and software, and 2) developing your dealership's security policies. We'll touch on purchasing and installation, and then focus on how to develop effective security procedures.

When you purchase hardware and software, ask vendors about their capabilities and experience. Communicate your security objectives to ensure the vendor has the right tools to meet your needs. Ask questions, and ask for references. Once you've made a decision, your vendor should handle installation to make sure your system runs properly.

When developing security policies, keep them simple and short. Your employees will not read and comprehend a 100-page security manual. Rather, develop concise and to-the-point policies. Your goal is for employees to read the policy, understand it, and, most importantly, abide by it. Security policies should include a list of information to be protected, plus standards for physical security, access controls, security technology, personnel actions, and security incidents/response. We'll briefly review some of these areas to explain which types of standards should be included:

Physical security: Includes locks on the building, locking cables on PCs and laptops, fire-proof and water-proof containers for information storage and back-up, and use of paper shredders. Also includes access control measures for the physical or electronic storage of sensitive information such as financial applications and customer records. These measures help prevent the theft and/or destruction of sensitive information.

System access controls: Good control measures include unique, hard-to-guess passwords for each employee, frequent password changes, and never sharing passwords. This allows you to maintain accountability by managing information access. The same measures apply to CPAs or service providers you have authorized to access the DMS.

Security technology: Refers to firewalls, antivirus software, and intrusion detection systems.
These tools protect you from anyone trying to get into your system to steal or corrupt your information. Your DMS provider can give you details about which security systems are available to you and how to implement them. You should also regularly perform data backups of your business-critical information on the servers. Nightly backups are preferable. Remember to keep those tapes in a secure place.

Personnel actions: These standards state your guidelines for appropriate behavior by employees and the actions to be taken if an employee breaches the security guidelines. This standard gives you consistency and accountability in upholding the ethical values of the dealership. These policies should range from physical security to Internet access and network security.

Security incidents and response: Includes guidelines for reporting unusual requests for information, visitors in secure employee-only areas, atypical computer activity, and computer slow-downs. A manager should contact the DMS provider and/or local authorities if the security breach involves customer data. The general rule is: if in doubt, act!

Step 3: Maintain and Audit Security Policies, Standards, and Procedures

Now that you've developed new security policies, you must enforce, reinforce, audit, and update. You enforce by thoroughly training all of your employees on the policies and making sure they understand not only what the policies are, but also why the policies are in place. Reinforcing means that you live and work by these standards. Infractions must be addressed immediately. When doing so, make sure your employee knows why it is an infraction.

Next, audit the process. Have you reviewed your DMS security file? Are there user IDs that you do not recognize? If so, delete them to stay in control of your data. Are your paper documents securely stored all of the time or just some of the time?

Lastly, your standards are not set in stone. Every six months, review and update your policies and standards, and retrain your employees.
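The access questions in Step 1 (are passwords changed regularly, are user IDs disabled when employees leave?) and the audit question in Step 3 (are there user IDs you do not recognize?) can be answered mechanically once the DMS user list and the HR roster are side by side. The Python script below is an added example, not part of the original paper and not Reynolds and Reynolds code. It reconciles a DMS user export against an HR roster and a list of third-party accounts the dealership has knowingly authorized, and reports every account that needs action. The CSV layouts, the 90-day password age limit, the audit date and all names are constructed assumptions; a real DMS export will have its own format.

```python
"""Reconcile DMS user IDs against the HR roster (added example; all data constructed)."""
import csv
import io
from datetime import date, datetime

MAX_PASSWORD_AGE_DAYS = 90            # assumed policy value, not from the paper
AUDIT_DATE = date(2008, 6, 15)        # constructed audit date

# Constructed HR roster export; the column layout is an assumption.
HR_ROSTER_CSV = """employee_id,name,status,termination_date
E100,Alice Example,active,
E101,Bob Example,terminated,2008-03-15
E102,Carol Example,active,
"""

# Constructed DMS user export (one row per user ID); layout is an assumption.
DMS_USERS_CSV = """user_id,employee_id,enabled,last_password_change,last_login
alice,E100,yes,2008-05-01,2008-06-10
bob,E101,yes,2007-11-20,2008-03-14
carol,E102,yes,2008-01-05,2008-06-11
svc_cpa,,yes,2007-02-01,2008-06-09
tmp_vendor,,no,2006-08-01,2006-09-01
"""

# Third-party accounts (e.g. the dealership's CPA) that were knowingly authorized.
AUTHORIZED_THIRD_PARTIES = frozenset({"svc_cpa"})


def _parse_date(text):
    """Parse YYYY-MM-DD, returning None for an empty field."""
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def load_roster(csv_text):
    """Map employee_id -> roster row."""
    return {row["employee_id"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def load_dms_users(csv_text):
    """Normalise the DMS export into plain dicts with typed fields."""
    users = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        users.append({
            "user_id": row["user_id"],
            "employee_id": row["employee_id"] or None,
            "enabled": row["enabled"].strip().lower() == "yes",
            "last_password_change": _parse_date(row["last_password_change"]),
        })
    return users


def audit_accounts(roster, users, today, authorized_third_parties=frozenset()):
    """Return {user_id: [reason, ...]} for every account that needs action."""
    findings = {}
    for u in users:
        reasons = []
        emp = roster.get(u["employee_id"]) if u["employee_id"] else None
        if emp is None and u["user_id"] not in authorized_third_parties:
            # Nobody in HR or on the authorized third-party list owns this ID.
            reasons.append("unrecognized user ID (no matching employee or authorized third party)")
        elif emp is not None and emp["status"] == "terminated" and u["enabled"]:
            # Employee has left but the account was never disabled.
            reasons.append("terminated employee still enabled")
        if u["enabled"] and u["last_password_change"] is not None:
            age_days = (today - u["last_password_change"]).days
            if age_days > MAX_PASSWORD_AGE_DAYS:
                reasons.append(f"password older than {MAX_PASSWORD_AGE_DAYS} days")
        if reasons:
            findings[u["user_id"]] = reasons
    return findings


def run_audit(today=AUDIT_DATE):
    """Run the reconciliation over the constructed sample data."""
    return audit_accounts(load_roster(HR_ROSTER_CSV), load_dms_users(DMS_USERS_CSV),
                          today, AUTHORIZED_THIRD_PARTIES)


if __name__ == "__main__":
    for user_id, reasons in sorted(run_audit().items()):
        print(f"{user_id}: {'; '.join(reasons)}")
```

Disabled accounts are still reported when nobody owns them, because the paper's advice is to delete unrecognized IDs, not merely disable them; password age is only checked on enabled accounts, since a disabled one cannot be used to log in. The authorized third-party list exists so that a CPA's or service provider's account is reviewed for password age like any other rather than being flagged as unknown every audit.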

Through these reviews, you can proactively identify new potential threats and identify outdated standards. If any standards are out of date, employees may lose confidence in the standards and ignore all of them.

Conclusion

We live in a time when customer and employee information is a valuable asset. It is critical to your business that you do everything you can to protect this important asset. While you work hard to protect your systems and information, others are working equally hard to access it. You need to have processes in place that protect both your systems and information. A security breach can be more damaging than a physical break-in, affecting your dealership's credibility and trustworthiness. Security breaches can be subject to consumer lawsuits, federal and state penalties, and lost sales. By law, a security breach forces you to contact your customers and advise them accordingly. You have invested years building long-term, trusting customer relationships. All of this can be unraveled in a matter of minutes. Ask yourself this question: With all the choices available in the marketplace, would you continue to deal with a company that did not do everything possible to protect your personal information? It is critical that information systems are monitored continually against unauthorized network (and wireless) intrusions.

This paper discussed a three-step process for securing your dealership's information: 1) gathering background information, 2) developing and implementing security policies, standards, and procedures, and 3) maintaining and auditing these policies and processes. Information security will continue to increase in importance and complexity. By following the steps covered to implement the right hardware and software systems, and create and establish security standards and procedures, you can keep your dealership, employees, and customers protected from major threats. Now that you have a game plan, it's time to put it into action.
Think of who can help you compile your inventory list. And get started on your path to a more secure dealership.

About the Author

Rob Gibbs is vice president of IT Engineering and Operations at Reynolds and Reynolds. He is responsible for infrastructure, engineering, and networks in all Reynolds internal IT and Hosted environments that support customer applications. Prior to joining Reynolds, Gibbs worked with Overwatch Systems, a company that develops and supplies software and intelligence solutions to the U.S. Department of Defense. Additionally, Gibbs' background includes independent consulting and corporate work in network engineering and architecting, as well as infrastructure and secure data center operations.

Reynolds and Reynolds is the automotive industry's largest and most trusted provider of automobile dealership software, services, and forms to help dealerships maximize sales and profits and improve business results. The company is headquartered in Dayton, Ohio, with major operations in Houston and College Station, Texas; Celina, Ohio; Mississauga, Ontario; and Montreal, Quebec. (www.reyrey.com, www.reyrey.ca, www.reyrey.ca/fr)