As we discussed in last week’s article, Schedules, Orders, and Inventory: The Dealership Information Horde Thieves Can’t Wait to Steal, there’s a lot to lose if you can’t get your dealership’s information security up to snuff. After all, what happened to Equifax can happen to your business, too. So this week, we’ll review some basic ways in which everyday users of your technology systems can help insulate your dealership’s digital databases from hackers and identity thieves.
All the rules digital security experts have preached for years still hold for your dealership, even in today’s world. We don’t want to beat a dead horse, but the basics are worth repeating. Are you ready for your digital security check-up?
Password Security Rules
- NEVER keep the default username or password. That’s the first thing hackers try, like when a security firm accessed Equifax’s Argentinian accounts using both the password and username of “admin”. (You’d have thought they’d know better by now.)
- Never reuse passwords or usernames between applications.
- Err on the side of longer passwords over shorter ones. For example, all of Eyewitness’s mobile applications require longer-than-usual passwords for the client-side access. Things like our website and our servers have enormous
- Use upper- and lowercase alphanumeric characters, as well as “special” characters like punctuation (!?”) and other symbols (@#$%^&*) if your system supports them.
- Avoid recognizable words or years inside your passphrase. (The more complex a password is, the harder it is for a hacker to recover it from its stored, “hashed” form.)
- Don’t write your password down (ever), but especially don’t scribble it on a sticky note on a computer monitor. (On that note, don’t give your credentials to anyone, ever.)
- Don’t use the password manager on your internet browser. Otherwise, anyone who gains access to your computer can automatically access any web-based application, too, with the saved login information.
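The password rules above can be enforced automatically at account creation or password change rather than left to each user’s memory. The following is an added example (not code from the original article or from Eyewitness) of a small policy checker that rejects default vendor credentials, short passwords, passwords built from one or two character classes, passwords containing a year or a recognizable word, and passwords the same user has used before. The default-credential pairs, the word list, the 14-character minimum and the PBKDF2 iteration count are assumptions chosen for the example; a real deployment would load a much larger breached-password list. Note the caveat on reuse: a single application can only check its own password history, so reuse between applications (rule two above) still depends on the user.

```python
import hashlib
import os
import re

# Constructed sample data for this example (not from the article).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
# Ordered longest-first so the most specific match is reported.
COMMON_WORDS = ("dealership", "password", "welcome", "letmein", "qwerty", "dealer")
MIN_LENGTH = 14                      # assumed policy value
PBKDF2_ITERATIONS = 200_000          # assumed work factor
YEAR_RE = re.compile(r"(19|20)\d{2}")  # any four-digit year 1900-2099


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest).

    Hashing is one-way: the stored digest cannot be turned back into the
    password, which is why complexity matters (an attacker must guess).
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def check_password(username, password, previous_hashes=()):
    """Return a list of policy violations; an empty list means it passes.

    previous_hashes: iterable of (salt, digest) tuples from hash_password,
    i.e. this application's own history for the user.
    """
    problems = []
    lowered = password.lower()

    if (username.lower(), lowered) in DEFAULT_CREDENTIALS:
        problems.append("default vendor credentials")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Require at least three of the four character classes.
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        problems.append("needs at least three of: lowercase, uppercase, digit, symbol")

    if YEAR_RE.search(password):
        problems.append("contains a year")
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"contains the common word '{word}'")
            break

    # History check: re-hash with each stored salt and compare digests.
    for salt, digest in previous_hashes:
        if hash_password(password, salt)[1] == digest:
            problems.append("reused a previous password")
            break
    return problems


if __name__ == "__main__":
    history = [hash_password("Correct-Horse-Battery-Staple!9")]
    for user, pw in [("admin", "admin"),
                     ("jsmith", "Dealership2023!"),
                     ("jsmith", "Correct-Horse-Battery-Staple!9")]:
        print(user, "->", check_password(user, pw, history) or "OK")
```

The checker reports every violation it finds instead of stopping at the first, so a user fixing a rejected password sees the whole list at once.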
Computer and Mobile Device Security Rules
- Update your computer’s software and operating systems every time a new patch is available.
- Back up your data and files on a regular basis, either on physical memory sticks or to an online (but still secure) backup system.
- Don’t leave your computer or device active and unattended.
- Have your desktop or mobile device automatically lock after 30 seconds of inactivity—and require the input of a (secure) password to unlock it.
- Don’t download software or applications without running them through a firewall or virus scanner. (And don’t disable those security protocols because they’re cumbersome. Better to spend a little extra time on the download than to expose your customers and your business to malware.)
- Remember that data sticks around longer than you might expect, even if you think you’ve “cleaned” the computer and “deleted” files. If you want to repurpose hardware after it’s had access to sensitive data, factory resets and hard drive wipes are a must.
Email Security Rules
- Never email sensitive documents containing dealership, employee, or customer information as unsecured attachments.
- Install and calibrate a malware detector on your email client—and then don’t open emails it flags as suspicious.
- Convert suspicious files to a new format (like a .doc to a .pdf) to “scrub” them of any possible malware.
- Block large email attachments over 10 MB. Anything someone needs to give you that’s that big probably needs to be sent in a more secure format.
- Don’t click on weird links from Nigerian princes in your spam folder. A more recent form of this phishing attack comes from emails allegedly from the IRS claiming your income has been “flagged for review” while prompting you to log in to a portal to discuss your case with an “advocate.” This is a scam, and you’ll be handing over your personal information to a scammer-hacker.
Frankly, these rules are like going to the dentist: You need to floss, or you’ll get a cavity. Except instead of a cavity, you’ll get a lawsuit when a hacker steals your sensitive information (or your inventory). Next week, we’ll review more technical options for data security, including BYOD best practices and the importance of frequent server updates. Subscribe if you want to receive the next article as soon as it comes out!