ISSUE PAPER, 2008
Risky Business
By Robert Gibbs
Risky Business

Remember when information security meant locking your file cabinets at night? Unfortunately, those days are long gone. With the Internet and e-mail, information security has a dramatically different meaning. All businesses, big and small, need to protect themselves from computer viruses, hackers, spyware, crimeware, spam, phishing sites, and even pop-ups. More than a nuisance, these technological evils are a danger to businesses, customers, and your bottom line.

Don't think for one minute that your small business is not under attack. This is a silent war. Attacks are made at random. Threats are looking for server space and bandwidth to be used to propagate further attacks in the never-ending search for data to be exploited. Your data is at risk 24/7/365.

With these dangers constantly present, how do you know if your data is protected? What steps should you take to ensure your sensitive customer information and your computer systems are safe? How do you avoid going overboard with expensive solutions you don't need?

Answering these questions may be easier than you think. This Issue Paper explains how to determine what you need to keep your information and computer systems safe. To start, we will break this process down into three basic steps:

1. Gather background information.
2. Develop and implement data security policies, standards, and procedures.
3. Maintain and audit policies, standards, and procedures.

These steps are discussed on the following pages, along with the reasoning behind each. Useful suggestions to help you get started in evaluating the security of your systems and information are also included.

Step 1: Gather Background Information

To improve your information security, you must first understand where you are vulnerable. Create an inventory of your business-critical information assets. These assets include computer hardware, software, databases, and physical documentation (e.g., contracts and employee records). It may be best to create this list in a spreadsheet for easy addition and reorganization throughout the rest of the process. Be sure to include notes about your inventory as you go along. When your research is done, this inventory list becomes the basis for your plan of action.

Next, go back through the list and prioritize the items from most to least important. To help you prioritize, ask questions like:

- How does this information relate to my business objectives?
- Is the information critical for my business operations?
- What are the consequences of a competitor, hacker, or thief obtaining the information?

These questions help you determine which assets are most important to your business and pose the greatest risk to you if compromised. For example, any paper or electronic record containing non-public information about a customer, vendor, or employee would clearly be a higher security priority than last month's parts inventory.

Once you've prioritized your assets, look at how each one is used, by whom, and for what reason. This includes your staff and third parties who access your system. Ask yourself:

- Who needs to have access to that information?
- Are the appropriate unique usernames and passwords in place?
- Are they changed regularly for added protection?
- Are they disabled when employees leave?

Once your inventory is complete, identify which assets on the list have adequate security features in place and which ones do not. You may want to do this step with a partner to verify your categorization. Some things to look for are:

- Firewalls and Virtual Private Network (VPN) access.
- Authorization and authentication controls.
- Updated antivirus tools and spam filters.
- Internet content control.
- Network security policy compliance tools.
- Cryptography tools.
- Intrusion detection systems.
- Locked cabinetry, room space, or offsite storage for paper documents and back-up data tapes (e.g., your daily DMS system back-up tapes) that are safe from potential disasters such as floods or fires.

Reviewing existing security features may be the most time-consuming part of the process. Don't be afraid to ask others to help identify which security features you have. Most managers don't know this information off the top of their heads.

Once you've identified existing security features, cross off the assets that already have adequate security features. Since those assets are already protected, they should not be your priority. However, a periodic review is recommended to ensure today's measures are sufficient tomorrow.

When finished, the remaining inventory list may look overwhelming, but don't panic. Your Dealership Management System (DMS) provider should be able to help you. If you are unsure about this, contact your local DMS representative and ask these questions:

- Has a security officer been designated to coordinate the safeguarding of customer information?
- Have the risks to customer information been identified and assessed?
- Have safeguards been implemented to protect customer information?

This should assure you that your DMS partner is taking adequate steps to protect your information and minimize losses in the event of a security breach. If the answer to any of these questions is no, you should demand that they play a more active role in assisting with data security to earn your continued business. They may even offer security checks to help identify potential risks specific to your system, including who is accessing your system, what information they are accessing, and whether they are authorized accordingly. If it is offered, take advantage of this service. It will save you much time and effort during your background information research.

Even though your business partners should help you keep compliant, it is your responsibility to stay informed of current legislation and to make sure that you are not in violation. In the event of a lawsuit, your dealership is liable, not your software and hardware partners. Be proactive in ensuring compliance with all applicable laws.

Finally, research the solutions available to you for each item on your list. Some of the items can be fixed by a simple process or procedure change, while others may require additional hardware or software. Your DMS provider may have many of the products or services you're looking for. If not, try a third-party vendor or consult an electronics store.

NOTE: Beware of vendors who claim they have methods to extract data from a PC at your dealership. This emerging trend is used by service providers to bypass security features built into your DMS software. Dealership IT professionals agree that running server software on a PC at the dealership is not a secure solution, and leaves the DMS vulnerable to:

- Data corruption: via viruses from a third party, which are most often unintentional.
- Spyware: service provider software requires a DMS ID and password, so any spyware can capture dealership or customer information.
- Unauthorized access: the service provider accesses and utilizes more DMS data than was authorized.

Step 2: Develop and Implement Security Policies, Standards, and Procedures

Now that you have an information asset inventory and have found the products and services you need to purchase to help be compliant, you are ready to start implementing. This consists of two parts: 1) purchasing and installing new hardware and software, and 2) developing your dealership's security policies. We'll touch on purchasing and installation, and then focus on how to develop effective security procedures.

When you purchase hardware and software, ask vendors about their capabilities and experience. Communicate your security objectives to ensure the vendor has the right tools to meet your needs. Ask questions, and ask for references. Once you've made a decision, your vendor should handle installation to make sure your system runs properly.

When developing security policies, keep them simple and short. Your employees will not read and comprehend a 100-page security manual. Rather, develop concise and to-the-point policies. Your goal is for employees to read the policy, understand it, and, most importantly, abide by it.

Security policies should include a list of information to be protected, plus standards for physical security, access controls, security technology, personnel actions, and security incidents/response. We'll briefly review some of these areas to explain which types of standards should be included:

- Physical security: Includes locks on the building, locking cables on PCs and laptops, fire-proof and water-proof containers for information storage and back-up, and use of paper shredders. Also includes access control measures for the physical or electronic storage of sensitive information such as financial applications and customer records. These measures help prevent the theft and/or destruction of sensitive information.
- System access controls: Good control measures include unique, hard-to-guess passwords for each employee, frequent password changes, and never sharing passwords. This allows you to maintain accountability by managing information access. The same measures apply to CPAs or service providers you have authorized to access the DMS.
- Security technology: Refers to firewalls, antivirus software, and intrusion detection systems. These tools protect you from anyone trying to get into your system to steal or corrupt your information. Your DMS provider can give you details about which security systems are available to you and how to implement them. You should also regularly perform data backups of your business-critical information on the servers. Nightly backups are preferable. Remember to keep those tapes in a secure place.
- Personnel actions: These standards state your guidelines for appropriate behavior by employees and the actions to be taken if an employee breaches the security guidelines. This standard gives you consistency and accountability in upholding the ethical values of the dealership. These policies should range from physical security to Internet access and network security.
- Security incidents and response: Includes guidelines for reporting unusual requests for information, visitors in secure employee-only areas, atypical computer activity, and computer slow-downs. A manager should contact the DMS provider and/or local authorities if the security breach involves customer data. The general rule is: if in doubt, act!

Step 3: Maintain and Audit Security Policies, Standards, and Procedures

Now that you've developed new security policies, you must enforce, reinforce, audit, and update. You enforce by thoroughly training all of your employees on the policies and making sure they understand not only what the policies are, but also why the policies are in place. Reinforcing means that you live and work by these standards. Infractions must be addressed immediately. When doing so, make sure your employee knows why it is an infraction.

Next, audit the process. Have you reviewed your DMS security file? Are there user IDs that you do not recognize? If so, delete them to stay in control of your data. Are your paper documents securely stored all of the time or just some of the time?

Lastly, your standards are not set in stone.
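Before moving on to the review cycle, here is one way to turn the audit questions above (unrecognized user IDs in the DMS security file, and the Step 1 questions about unique credentials that are changed regularly and disabled when employees leave) into a repeatable check. This is an added example, not code from the paper or from any DMS provider: it assumes you can export the DMS user list and an HR roster to two small CSV files, and every column name, sample row, and policy threshold below is constructed for illustration.

```python
"""Audit a DMS user-list export against an HR roster.

Added example (not from the original paper or from Reynolds and Reynolds).
It assumes two CSV exports you would build yourself: the user list from the
DMS security file and an employee/vendor roster from HR. Column names,
sample rows, and the policy thresholds are all constructed assumptions.
"""
import csv
import io
from datetime import date

# Constructed sample of what a DMS security-file export might look like.
DMS_USERS_CSV = """user_id,owner,enabled,last_password_change,last_login
jsmith,Jane Smith,yes,2008-09-01,2008-10-14
bjones,Bob Jones,yes,2008-03-10,2008-10-13
cpa-acme,Acme CPA LLC,yes,2008-08-20,2008-09-30
svc-temp,,yes,2007-11-05,2008-02-01
rlee,Rita Lee,yes,2008-08-15,2008-10-12
mchen,Mike Chen,no,2008-01-20,2008-04-02
"""

# Constructed sample HR roster: employees plus authorized third parties
# (the CPA firm) that are allowed to hold a DMS login.
ROSTER_CSV = """name,status,end_date
Jane Smith,active,
Bob Jones,active,
Rita Lee,terminated,2008-09-30
Mike Chen,terminated,2008-04-05
Acme CPA LLC,vendor,
"""

MAX_PASSWORD_AGE_DAYS = 90   # assumed policy value, not from the paper
DORMANT_AFTER_DAYS = 60      # assumed policy value, not from the paper
AUDIT_DATE = date(2008, 10, 15)  # constructed "today" for the sample data


def _parse_date(text):
    """Return a date for an ISO string, or None for an empty field."""
    return date.fromisoformat(text) if text else None


def audit_accounts(users_csv, roster_csv, today):
    """Compare DMS users with the roster; return sorted (user_id, finding) tuples."""
    roster = {row["name"]: row for row in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for user in csv.DictReader(io.StringIO(users_csv)):
        uid = user["user_id"]
        owner = user["owner"].strip()
        enabled = user["enabled"].strip().lower() == "yes"
        person = roster.get(owner)

        # An ID that no one on the roster owns is exactly the "user ID you
        # do not recognize" the audit step asks about.
        if not owner or person is None:
            findings.append((uid, "unrecognized: no roster owner"))
        elif person["status"] == "terminated" and enabled:
            findings.append((uid, f"departed owner still enabled (left {person['end_date']})"))

        # Remaining checks only matter for accounts that can still log in.
        if not enabled:
            continue

        pw_age = (today - _parse_date(user["last_password_change"])).days
        if pw_age > MAX_PASSWORD_AGE_DAYS:
            findings.append((uid, f"password not changed for {pw_age} days"))

        idle = (today - _parse_date(user["last_login"])).days
        if idle > DORMANT_AFTER_DAYS:
            findings.append((uid, f"dormant: no login for {idle} days"))
    return sorted(findings)


def run_sample_audit():
    """Run the audit over the constructed sample data above."""
    return audit_accounts(DMS_USERS_CSV, ROSTER_CSV, AUDIT_DATE)


if __name__ == "__main__":
    for uid, finding in run_sample_audit():
        print(f"{uid:10} {finding}")
```

On the sample data the script flags the ownerless "svc-temp" account (unrecognized, stale password, dormant), Rita Lee's login still enabled after her termination date, and Bob Jones's password that has not changed in over seven months, while Mike Chen's already-disabled account produces nothing. Each finding maps back to a question in the paper: delete what you do not recognize, disable accounts when employees leave, and change passwords regularly.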
Every six months, review and update your policies and standards, and retrain your employees. Through these reviews, you can proactively identify new potential threats and identify outdated standards. If any standards are out of date, employees may lose confidence in the standards and ignore all of them.

Conclusion

We live in a time when customer and employee information is a valuable asset. It is critical to your business that you do everything you can to protect this important asset. While you work hard to protect your systems and information, others are working equally hard to access it. You need to have processes in place that protect both your systems and information.

A security breach can be more damaging than a physical break-in, affecting your dealership's credibility and trustworthiness. Security breaches can be subject to consumer lawsuits, federal and state penalties, and lost sales. By law, a security breach forces you to contact your customers and advise them accordingly. You have invested years building long-term, trusting customer relationships. All of this can be unraveled in a matter of minutes. Ask yourself this question: With all the choices available in the marketplace, would you continue to deal with a company that did not do everything possible to protect your personal information?

It is critical that information systems are monitored continually against unauthorized network (and wireless) intrusions.

This paper discussed a three-step process for securing your dealership's information: 1) gathering background information, 2) developing and implementing security policies, standards, and procedures, and 3) maintaining and auditing these policies and processes. Information security will continue to increase in importance and complexity. By following the steps covered to implement the right hardware and software systems, and to create and establish security standards and procedures, you can keep your dealership, employees, and customers protected from major threats.

Now that you have a game plan, it's time to put it into action. Think of who can help you compile your inventory list. And get started on your path to a more secure dealership.

About the Author

Rob Gibbs is vice president of IT Engineering and Operations at Reynolds and Reynolds. He is responsible for infrastructure, engineering, and networks in all Reynolds internal IT and Hosted environments that support customer applications. Prior to joining Reynolds, Gibbs worked with Overwatch Systems, a company that develops and supplies software and intelligence solutions to the U.S. Department of Defense. Additionally, Gibbs' background includes independent consulting and corporate work in network engineering and architecting, as well as infrastructure and secure data center operations.

Reynolds and Reynolds is the automotive industry's largest and most trusted provider of automobile dealership software, services, and forms to help dealerships maximize sales and profits and improve business results. The company is headquartered in Dayton, Ohio, with major operations in Houston and College Station, Texas; Celina, Ohio; Mississauga, Ontario; and Montreal, Quebec. (www.reyrey.com, www.reyrey.ca, www.reyrey.ca/fr)