Dealerships have more to worry about today than ever before and one of those concerns is data security. Data security is a constant topic of conversation and for good reason. We will go through some basic principles and discuss how a dealership can help ensure their customers’ data is safe and secure.
For the purposes of this blog post we will specifically discuss customer PII (Personally Identifiable Information) but the concepts would apply to any sensitive data one would wish to keep secure.
Let’s get some of the boring stuff out of the way.
First, let’s establish some basic principles of data security. Understanding these principles will help guide dealers on the path to ensuring data is safe and secure.
- Encryption - Encryption is a process in which data is transformed into a form in which only the person or persons with the correct secret key can read the data. Inversely, unencrypted data is readable by anyone who has possession of that data. This is a critical principle in protecting data.
- In Use - Data is “In Use” when the data is being viewed, edited, or deleted. For example, opening an Excel spreadsheet in Microsoft Excel or viewing a PDF in a PDF viewer.
- At Rest - Data is “At Rest” when the data is not being used and is simply being stored. For example, data at rest could be stored on a hard drive, USB drive, cloud drive, server, database, or on a smart phone. Data “At Rest” is not currently being used or transmitted in any way.
- In Transit - Data is “In Transit” any time it is being transmitted from one person, system, or digital location to another. Examples of this would be emailing an unencrypted spreadsheet of Customer PII to another individual, a server transmitting data from one database to another database, or even loading data to a smart phone app.
The single greatest thing a dealership or any user can do is to simply be aware of the importance of data security and how to keep data secure. Awareness is the first step to securing data. Here are some questions you should be asking yourself about sensitive data or Customer PII.
- What sensitive data do we store, send, or use?
- Who sends personal information on behalf of your dealership?
- How does your business receive sensitive information?
- Who DOES have access to the sensitive information?
- Who COULD possibly have access to sensitive data?
- Who SHOULD have access to sensitive data?
- How long are we retaining Customer PII or other sensitive data?
Being aware of the data you do have and how you handle that data is step one.
SECURE ACCOUNTS FIRST
One of the most critical steps in securing data is to secure the accounts accessing, using, and storing data first.
- DO NOT SHARE ACCOUNTS!
- Use Multi-Factor Authentication: If ANY account you have, whether personal or business, supports Multi-Factor Authentication (MFA), then USE it! MFA is one of the best ways to ensure accounts stay secure. Microsoft, Google, and others offer very secure MFA applications. Even MFA through Text/SMS improves account security!
- Be smart with your passwords! “12345” is a terrible password. “One2Thr33F0urF1ve!” is a much better password! Strong passwords are both complex and long! The more possible characters in a password, the better. Use lowercase, uppercase, numbers, and special characters in your passwords and make them long. Consult a trusted IT professional about password security, including best ways to store passwords (such as a password manager).
- Remove / disable former employee accounts: If an employee leaves the company or is terminated, be sure to remove or disable any user accounts associated with that employee immediately.
- Keep accounts up to date: Keep your account security and recovery information updated at all times!
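The account rules above (no shared accounts, MFA everywhere, former employees disabled) can be checked against a user export on a schedule. The script below is an added example, not part of the original post. The CSV column names and the sample rows are constructed assumptions, not any vendor's export format.

```python
import csv
import io

# Constructed sample export; the column names are assumptions for illustration.
SAMPLE_EXPORT = """username,owners,employment_status,enabled,mfa_enabled
jsmith,John Smith,active,true,true
salesdesk,Ann Lee;Bob Ray,active,true,false
mjones,Mary Jones,terminated,true,true
tbrown,Tom Brown,terminated,false,false
"""


def _is_true(value):
    """Interpret common truthy spellings found in exports."""
    return value.strip().lower() in {"true", "yes", "1"}


def audit_accounts(csv_text):
    """Return {username: [findings]} for accounts that break the rules above."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        enabled = _is_true(row["enabled"])
        # More than one named owner means the login is being shared.
        owners = [o.strip() for o in row["owners"].split(";") if o.strip()]
        if len(owners) > 1:
            issues.append("shared account")
        # A still-enabled login for someone who has left is the highest risk.
        if enabled and row["employment_status"].strip().lower() != "active":
            issues.append("former employee account still enabled")
        # Only enabled accounts matter for the MFA check.
        if enabled and not _is_true(row["mfa_enabled"]):
            issues.append("MFA not enabled")
        if issues:
            findings[row["username"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_accounts(SAMPLE_EXPORT).items():
        print(f"{user}: {', '.join(issues)}")
```
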
USING DATA SECURELY
Using data in a secure manner is important. Dealerships need to be aware of the software, users, and technologies that “Use” sensitive data such as Customer PII and how to ensure such usage is secure. Take the following steps to ensure proper data usage:
- Limit data in scope and time: Only use data critical to the function of your business. Do not pull in extra fields. Do not store or use data longer than you need it to solve your business need.
- Ensure all software is up to date: Ensure all software is up to date, including your operating systems, antivirus software, and anything else that plays a role in the usage of your data.
- Only use trusted software: Only use software from trusted companies that have proven technologies and a proven track record of data security.
- Use a firewall: Use a firewall to protect your business or devices from intrusion. Using data on a compromised device could unknowingly expose sensitive data. A firewall helps keep the “bad guys” out of your business and devices in your network. Consult a trusted IT professional for recommendations on firewalls.
STORING DATA SECURELY
How data is stored is often an overlooked risk for data security. Storing data securely relies on two key concepts – securing access to the data and ensuring the data is stored in an encrypted manner.
- Encrypt drives that contain sensitive information: Ensure that the physical storage location that you are storing the confidential data in is encrypted. In Windows 10 Professional you can use BitLocker to encrypt drives.
- Encrypt Files and Folders: Windows 10 Professional and Enterprise users can also utilize Encrypting File System (EFS) to password protect and encrypt files and folders.
- Use Microsoft Office Encrypted Document: Microsoft Office users can encrypt most documents right in Word or Excel using built-in password protected encryption options (found under File, Info, Protect Document). This requires a password and encrypts the file when stored. The password is required to decrypt and open the file.
- Use Encrypted Cloud Services: Most cloud storage services, such as Microsoft OneDrive or Dropbox, come equipped with encryption at rest for all files and folders. Consult an IT professional to confirm your cloud storage service encrypts your data at rest.
- Restrict Access: Ensure that all confidential data is restricted to ONLY the individuals that are required to access the data. For example, when sharing folders or files in a cloud storage make sure to review all settings when creating the share to ensure you are not publicly exposing data or exposing data to a larger audience than intended. Consider setting expirations on any shared links, folders, or files.
SENDING DATA SECURELY
Sending data is often a critical, required part of doing business for many people, including dealerships. Here are a few items to keep in mind or consider when sending or receiving data.
- Sending data by Email: Sending data by email is one of the easiest ways to send data but often one of the worst in terms of security and data exposure. As a rule of thumb, never use email to send data that contains personal information about yourself or customers. If your data contains names, contact information, or any identifying information, then find a better way to send data. If you MUST send data via email, store the data in a secure cloud folder as described above and use encrypted emails. Additionally, if the data is in an Office document, use the built-in Office document encryption as described above as well.
- Make sure connections are secure: Almost all technology today is capable of sending data in a secure, encrypted manner. Web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox all have indicators telling you if a website you are visiting is secure (usually a locked padlock in the URL / Address bar). Familiarize yourself with any tools you use to send or receive data and ensure the connections are encrypted. Consult a trusted IT professional for help.
- Use a secure VPN: Ensuring the connections going in and out of your device are secure – such as Wi-Fi or cellular connection – is incredibly important. Consider a secure VPN (such as Norton VPN, Nord VPN, or IP Vanish) if unsecured data connections such as public Wi-Fi are necessary. Consult a trusted IT professional to ensure your dealership has secure data connections in and out of your building, devices, etc.
- Physical Copies of Data: If Customer Data/PII must be printed to paper, be sure to destroy the paper containing the sensitive data after the business needs are met. Make sure to control who has access to the physical media in this scenario.
Here are a few additional measures to help keep your devices and data safe.
- Make sure all protective and preventative software, such as Antivirus and Malware Protection, is up to date and properly configured.
- Use Multi-Factor Authentication (MFA) on all accounts that support this! Consult a trusted IT Professional for help with setting up MFA!
- Ensure your computer or device locks when not in use. Computers and mobile devices alike are capable of requiring some form of security verification to access the device, such as passwords, thumbprints, retinal scans, and more. Lock your devices!
- Consult a lawyer to review any agreements or contracts you sign in regard to software that may access, store, or use sensitive data. Dealerships need to ensure vendors are held to a high standard.
- Consult a trusted IT professional to establish data security auditing practices!
- Seek out a trusted IT professional to help review any questions you may have around data security!
- Protecting Personal Information: A Guide for Business | Federal Trade Commission (ftc.gov)
- Microsoft Authenticator
- Google Authenticator
- IP Vanish