Home Depot. Target. eBay. Anthem.
These companies – successful retailers, an online auction authority and a healthcare giant – have many positive business attributes, to be sure. But during the last 12 months they have also been victims of significant data breaches caused by hackers.
No company of any size is truly safe from those seeking to access customer and company data. And if a large, multi-billion-dollar corporation’s systems are vulnerable to attack, then a local retailer – like a tire dealership – can just as easily fall victim.
Luckily, there are many ways to protect your business against data breaches and hacking, from computer security tactics and software programs to employee education and even insurance policies.
Assessing the Risk
While the national media tends to focus on breaches of high-profile firms, smaller businesses are certainly at risk.
“Data security and privacy is a concern for any business or organization that collects, shares, uses or transmits any personal information of clients, customers, employees or others,” explains Evan Fenaroli, underwriting supervisor and cyber product manager for Philadelphia Insurance Co.’s Cyber Security Liability program. “While the vulnerabilities and threats are similar, smaller businesses are often less sophisticated when it comes to cyber security and may be less prepared to handle a breach or attack than a larger company. Given all of the costs associated with a data breach – legal fees, computer forensics, notification costs, credit monitoring and public relations – even a small-scale breach can have a significant impact on a company’s bottom line.”
Gerald Cecil, vice president of sales and marketing for business-insurance administrator Arrowhead Automotive Aftermarket, draws the following analogy:
“It’s almost no different than walking away from your business and leaving the front door unlocked,” he says. “We’ve gotten to a point where electronic exchange of information is most convenient. Folks are embracing it because it makes business so much easier to do, but it comes with a downside because people take it for granted.
“In the old days, you could walk away and leave the door open, but that’s probably not a good idea today,” Cecil continues. “That’s what many business owners are doing today with electronic information; they’re leaving themselves open to exposure that they never intended.”
Computer attacks come in many forms, including installation of malicious code on a dealer’s system, a denial of service attack that shuts down a website, or an unauthorized party accessing databases containing sensitive information.
“From a privacy perspective, dealers should be concerned with the safeguarding of customer or employee information, such as Social Security numbers, credit card information or even driver’s license numbers,” Fenaroli says.
“Aside from data breaches, a computer virus or attack may affect the functionality of a company’s computer system. Dealers may rely heavily on their website for product sales and service appointments, or even use mobile technology and software to dispatch roadside assistance, so an interruption or outage can negatively affect revenue.”
Even if no financial damage occurs with a breach, a company runs the risk of negative publicity.
“Notifying customers can result in very negative customer perceptions of the business,” Cecil says. “When Target had a breach, there was a significant impact on financials in that particular quarter. Every small business is working very hard to build the most positive image possible in the eyes of the customer, and these cyber threats can give quite a kick to the stomach in that regard.”
Whether intentional or not, employee actions can play a large role in data breaches and other cyber events.
“Lost or stolen laptops and mobile devices – which may hold unencrypted customer information – continue to be one of the primary causes of data breaches,” Fenaroli says. “Unsuspecting employees may also become victims of phishing or other social engineering attacks, divulging usernames, passwords or other confidential information to criminals.”
Cecil agrees, adding, “More and more employees are being allowed to use their own devices, but allowing folks access without controls creates challenges. It’s important to have a protocol that employees are required to follow – and there needs to be security to monitor that and alert a business owner if there’s something unusual going on with respect to accessing the data.”
On the other side of the coin, disgruntled or recently terminated employees may use their credentials and inside knowledge to install malicious code, steal sensitive information or otherwise harm the computer system, Fenaroli notes. And let’s not forget about those employees with access to dealership bank account information or credit cards, where accounts can be emptied and credit is run up in a flash.
Guarding Your Shop
Protecting your dealership against cyber threats is largely an issue of employee education and having the proper electronic safeguards in place.
Let your staff know that the most prevalent source of cyber attacks comes from simply browsing the Internet or checking email, according to Bryan Coleman, technical support specialist at Net Driven.
“Malware – malicious software – is often disguised as a normal file like a Microsoft Word document or a PDF file,” he continues. “It can also accompany downloaded files from the Internet or be embedded into what may appear to be a normal piece of software. Malware’s purpose is to infect your computer to spy, steal information, or even damage the system itself.”
“Train employees about the dangers of phishing and specifically to not open suspicious attachments that they are not expecting to receive,” notes Mike Giblin, president of U.S. operations for Kukui Corp.
He also recommends making sure all shop software is up to date, and purchasing and installing the latest anti-virus software on computer systems (top programs include Bitdefender Antivirus Plus, Kaspersky Anti-Virus and Norton Security).
Social engineering – relying on human interaction and often tricking people into breaking normal security procedures – is another cyber risk, according to Dave Vogel, vice president of sales and general manager of ASA Automotive Systems.
“These people are really, really good at investigating people,” he says. “CIA level skills of investigating are not uncommon, but often the criminals just search social media and phone employees for easy clues.”
To protect your dealership, Vogel recommends having employees role-play social engineering activities so your staff understands the type of questions a criminal may ask. Share ways to avoid responding to the criminal’s questions, he adds.
Avoid weak passwords (“1234” or “password,” for example), and make sure the password reset process cannot be completed with facts a stranger could look up, particularly if customers or vendors access confidential information on your system.
“Traditional questions for reset are too easy to hack – just go to Ancestry.com and you’ll find lots of mothers’ maiden names,” Vogel explains. “Create a password policy and implement it across the organization. No one user should ever know another user’s password.”
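The password policy Vogel describes, worked through as an added example (this is not code from ASA Automotive Systems or any other vendor named in this article): it rejects short, common or username-based passwords, and it stores credentials as salted PBKDF2 hashes so that nobody, the shop's administrator included, can read another user's password. The blocklist, the 12-character minimum and the iteration count are illustrative choices, not figures from the article.

```python
"""Added example: a minimal password policy plus salted, hashed storage.

Hypothetical code written for this article. Rejects weak passwords such as
"1234" or "password" and stores credentials so that no user (or admin) can
read another user's password.
"""
import hashlib
import hmac
import os
import string

# Constructed blocklist; a real deployment would load a large published list.
COMMON_PASSWORDS = {"1234", "12345", "123456", "password", "qwerty",
                    "letmein", "welcome", "admin"}

MIN_LENGTH = 12                # assumption: policy minimum
PBKDF2_ITERATIONS = 600_000    # assumption: tune to your hardware


def check_password_policy(password: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than three of: lower, upper, digit, symbol")
    return problems


def hash_password(password: str) -> str:
    """Hash with a fresh 16-byte salt (PBKDF2-HMAC-SHA256); returns 'salt$hash' in hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for pw in ["1234", "Password1!", "correct-Horse-battery-7"]:
        print(pw, "->", check_password_policy(pw, "bob") or "OK")
    stored = hash_password("correct-Horse-battery-7")
    print(verify_password("correct-Horse-battery-7", stored),
          verify_password("1234", stored))
```

Because only the salted hash is stored, a compromised user table does not hand an attacker the passwords, and an owner who wants to check whether a staff member chose "password" has to test candidates rather than read them.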
Make sure you have a backup system in place so that if all else fails and a cyber threat or other event causes you to suffer a data loss, you can restore your data, notes Giblin.
“We recommend having at least two backup systems in place,” he explains. “First, something like an external hard drive backup, which is very low cost and relatively easy to set up. Western Digital is a good provider of external backup hard drives. Second, it is very helpful to also utilize a cloud-based backup provider such as Mozy, which can encrypt and back up your data over the Internet. This will protect your data in the event that there is a physical theft, a natural disaster or a fire.”
Insurance and Recovery
Lastly, consider a custom-built insurance policy specifically designed to offer protection in the event of a data breach or other cyber attack.
“It’s important to note that most traditional insurance policies – including property, general liability and products liability – do not provide coverage for either the first party expenses or third party claims that can result from a cyber incident or data breach,” Fenaroli says. “While strong policies, procedures and controls can help protect a business from cyber attacks and improve resiliency to such attacks, cyber insurance is becoming an increasingly popular option to help transfer some of the risk.”
“Today, cyber coverage should be entertained just as if you would entertain and purchase a crime policy,” Cecil says, adding that because the policies are a relatively new concept, they can be custom-made for businesses of any type and size.
“There are multiple data and cyber liability exposures, including emergency response services, that can be covered under an insurance policy. In some cases, the onus of protection is very great due to regulations and laws, so an insurance policy that can help offset costs incurred for answering breach protocol, customer notice, etc., is essential.”
Premium costs range widely based upon carrier and coverage enhancements purchased, as well as business size. Cecil estimates the annual premium for a smaller business with a basic policy could run between $500 and $1,500. That is a relatively small price to pay, considering the average cost of recovery from a data breach is roughly $250 per affected customer, he adds.
With laws on the books in 47 states covering liability, breach notification and required business procedures after a cyber attack – as well as some federal laws – recovering from an event can be time-consuming and costly.
“If there is an actual or suspected data breach, the first step is notifying the cyber insurance carrier and engaging an experienced attorney (often referred to as a breach coach),” Fenaroli says.
“The breach coach can work with a tire dealer to understand the potential scope of the breach, which statutes or regulations may come into play, and whether a computer forensics expert is needed to further assess the situation and contain any damage,” he explains. “One benefit of purchasing cyber liability insurance is that the carrier will often have relationships with and access to some of the most experienced attorneys and vendors, ensuring that the situation is handled effectively from the beginning.”
Software Options for Added Protection
Many cyber safety features are built into today’s shop software systems. When considering a new provider – or reviewing your current system to ensure it still meets your dealership’s needs – consider the following.
“A few of the safety measures found in Web-based software systems today include capabilities for encrypting private data such as usernames and passwords; firewalls to block suspicious IP addresses to prevent denial-of-service attacks and other malicious bot activity; and the ability to use SSL (secure sockets layer) protocol on websites where private information is entered (such as credit card numbers and Social Security numbers) to prevent theft,” explains Holly Biondo, marketing coordinator for Net Driven. “Using a VPN (virtual private network) tunnel to access an API (application program interface) where private information is passed can also provide an extra layer of security. The servers the software is deployed to should have up-to-date virus definitions and all of the latest Windows security patches.”
Biondo explains these technical terms below:
Encryption: A method of protecting information from people you don’t want to see it. Basically, you have a code with a specific cipher or key, and only those with the cipher can read it.
Firewall: A software program or piece of hardware intended to screen for and block viruses, hackers and worms that are trying to get into your computer. Think of it as a security system for your computer.
SSL (secure sockets layer): A method of encrypting information that is sent between a Web browser (Internet Explorer, Firefox, Chrome) and a Web server. Without it, anything sent back and forth is vulnerable to attacks in between. One way of knowing if a website or Web-based software is secure is by looking at the URL. If it begins with “http,” it is not secure; if it begins with “https,” it is a secure connection.
VPN (virtual private network): A way to create a private tunnel or connection between two sites on the Internet. The information shared is protected from end to end.
1. Phishing emails – “In this type of attack, attackers create an important-looking email and send it to a huge mailing list, or specifically to an employee within your organization. The common goal with this type of attack is to get someone to click on a link or to open an infected file attachment. Once that happens, the hacker can often gain access to or control of your computer. These types of attacks are successful at a surprisingly high rate. Email filters and anti-virus programs are a big help in preventing this type of attack, but training employees to not open suspicious attachments is probably the single best thing you can do, since email filters and anti-virus programs are not able to catch all of these attacks as they evolve in real time.”
2. Software vulnerabilities – “Software bugs continue to be a point of major vulnerability, especially to smaller businesses that don’t have full-time IT staff. Outdated Internet programs such as your Web browser and Java can offer up easy access to your computer systems. Over the years, hackers have been able to take over computers simply with a visit to an infected Web page. The best defense against this type of attack is to make sure all of your software is up to date, especially Windows, your Web browser, and any other applications that work primarily over the Internet, such as Java and Adobe Flash.”
3. Simple passwords – “Hackers utilize powerful programs that can automatically scan huge numbers of systems on the Internet and then attempt to gain access to them by attempting common passwords. There are several ways you can protect your dealership from this type of attack. First, make sure the passwords you use are complex. They should have an upper and a lower case letter and be as random as possible. Second, make sure you use a firewall to protect your entire network. This may require a visit from a local IT consultant to assess, but is a very worthwhile step to help ensure that your network is safe.”
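Item 1 above and Giblin's advice about unexpected attachments both come down to the same two checks an email filter performs before a message reaches staff. The following is an added example written for this article, not a filter from Net Driven, Kukui or any other vendor named here: it flags attachments whose file name ends in an executable extension or uses a "document.pdf.exe" double extension, and HTML links whose visible text names one domain while the href actually points somewhere else. The sample message is constructed for the example, and the extension lists and link heuristic are assumptions; a real filter would be far broader.

```python
"""Added example: attachment and link checks for an inbound email.

Hypothetical code, not any vendor's filter. The sample messages below are
constructed for this example and were not captured from a real mailbox.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Illustrative lists; a production filter would be far broader.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta",
                         "jar", "lnk", "iso", "docm", "xlsm", "pptm"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r'(?:[a-z0-9-]+\.)+[a-z]{2,}', re.I)

SAMPLE_EML = """\
From: "Accounts Payable" <ap@example-bank.com>
To: owner@tire-shop.example
Subject: Overdue invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="utf-8"

<p>Please review at <a href="http://example-bank.com.evil.test/login">www.example-bank.com</a>
or <a href="http://example-bank.com.evil.test/login">click here</a>.</p>
--BOUNDARY
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--BOUNDARY--
"""

CLEAN_EML = """\
From: parts@supplier.example
To: owner@tire-shop.example
Subject: Tuesday delivery
Content-Type: text/plain; charset="utf-8"

Your order ships Tuesday. Track it at https://track.supplier.example/123
"""


def suspicious_attachments(msg) -> list[str]:
    """Check each attachment's file name against the extension lists."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        if len(pieces) >= 2 and pieces[-1] in EXECUTABLE_EXTENSIONS:
            findings.append(f"attachment '{name}' has executable extension .{pieces[-1]}")
        if len(pieces) >= 3 and pieces[-2] in DOCUMENT_EXTENSIONS:
            findings.append(f"attachment '{name}' uses a double extension to look like a document")
    return findings


def suspicious_links(html: str) -> list[str]:
    """Flag links whose displayed domain does not match the domain actually linked."""
    findings = []
    for href, inner in LINK_RE.findall(html):
        target = (urlparse(href).hostname or "").lower()
        shown_match = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", inner))
        if not target or not shown_match:
            continue  # relative/mailto link, or link text is not a domain ("click here")
        shown = shown_match.group(0).lower()
        same_site = (target == shown or target.endswith("." + shown)
                     or shown.endswith("." + target))
        if not same_site:
            findings.append(f"link shows '{shown}' but goes to '{target}'")
    return findings


def triage(raw_message: str) -> list[str]:
    """Parse a raw message and return the list of findings (empty means nothing found)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = suspicious_attachments(msg)
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        findings += suspicious_links(body.get_content())
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, "->", triage(raw) or "no findings")
```

Note the limitation the sample deliberately shows: the "click here" link goes to the same lookalike host but is not flagged, because there is no displayed domain to compare against. That is exactly why the quoted advice pairs filters with training staff not to click on what they were not expecting.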
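Item 3 describes automated password guessing, and Cecil earlier called for something that monitors access and alerts the owner when something unusual is going on. The following added example, written for this article and not taken from any product mentioned in it, shows what that alert logic looks like: it parses constructed sshd-style log lines, raises an alert when one address fails five logins within a minute, and raises a second when a login then succeeds from that same address. The threshold, window and log format are assumptions; the single failed login from the second address shows the normal case that should stay quiet.

```python
"""Added example: brute-force login detection over sshd-style log lines.

Hypothetical detection code for this article. The log lines are constructed
for the example and were not captured from a real host.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Mar  3 02:14:01 shop-pc sshd[2011]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar  3 02:14:03 shop-pc sshd[2012]: Failed password for invalid user admin from 203.0.113.45 port 51235 ssh2
Mar  3 02:14:04 shop-pc sshd[2013]: Failed password for root from 203.0.113.45 port 51236 ssh2
Mar  3 02:14:06 shop-pc sshd[2014]: Failed password for root from 203.0.113.45 port 51237 ssh2
Mar  3 02:14:07 shop-pc sshd[2015]: Failed password for invalid user test from 203.0.113.45 port 51238 ssh2
Mar  3 02:14:09 shop-pc sshd[2016]: Accepted password for bob from 203.0.113.45 port 51239 ssh2
Mar  3 08:30:12 shop-pc sshd[2101]: Failed password for bob from 192.0.2.10 port 40001 ssh2
Mar  3 08:30:40 shop-pc sshd[2102]: Accepted password for bob from 192.0.2.10 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def detect_brute_force(log_text: str, threshold: int = 5, window_seconds: int = 60) -> list[str]:
    """Return alerts for addresses that exceed `threshold` failures in `window_seconds`.

    A second alert is raised if a login from such an address then succeeds,
    which is the case the owner most needs to hear about.
    """
    recent = defaultdict(deque)   # source ip -> deque of (timestamp, username) for failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line
        # syslog timestamps carry no year; only differences between them are used here
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        q = recent[ip]
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()   # drop failures that fell out of the sliding window
        if m["result"] == "Failed":
            q.append((ts, user))
            if len(q) == threshold:   # fire once as the threshold is crossed
                users = sorted({u for _, u in q})
                alerts.append(f"BRUTE_FORCE {ip}: {len(q)} failed logins within "
                              f"{window_seconds}s (users tried: {', '.join(users)})")
        elif len(q) >= threshold:
            alerts.append(f"POSSIBLE_COMPROMISE {ip}: '{user}' logged in after "
                          f"{len(q)} recent failures")
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

In practice the same logic feeds a firewall rule or fail2ban-style block of the offending address, and the second alert is the one that should page somebody rather than sit in a log.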