What security measures are you taking with breaches on the rise?

DealerITperson

May 29, 2024
First Name
Michael
With FTC/PCI compliance a major force behind security in a dealership, what are you doing?
I wanted to start a discussion since dealer IT is rare and this has been the only place I have seen dealer-specific.
Dealerships are a rare breed in the IT world, from what I have seen. With so many ways to be hacked and/or breached, it feels like it's all I do lately.
From salespeople leaving P.I.I. all over the place, to service advisors leaving keys and ROs out, to users clicking on almost any e-mail they get, it just stresses me out.
And now MFA is just a speed bump in protecting accounts.
I have witnessed a few breaches over the last few years, and one recently.

Here is some of what I'm doing. Share with us what you do and what you think works.

Currently have EDR/RMM on all machines.
SOC monitors all events. Great company that constantly evolves.
Entra with MFA on almost every computer. If not, it's a PC on a BYOD wireless.
VLAN phones, data, CC terminals, BYOD, and guest networks.
Backup of 365, OneDrive, and SharePoint.
Salespeople use Chrome boxes or books; they only need the web.
AI-based spam filter

Future: set up and monitor 365 access.
 
... sees Microsoft and security mentioned together ....

I enjoy walking around a dealership and service area and I can see monitors on, applications on desks,
hey! what's your phone number and email (purpose to fill in CRM -- but never told this).
hey! need your license to do a test drive! (gee, we are scared of the dude at McDonalds having my credit card ... but my driver's license is ok???).

Yes, some of this has gotten better but still, I think dealerships have been lucky so far.
 
So, do you suggest dealers not ask for a copy of someone's driver's license before they take a test drive?

Or not ask for a customer's phone number and email when they are in the showroom and demonstrating explicit interest in buying a new car?

:egads:
 
No, but people typically make a copy of the ID or, even better, leave it on their desk and walk away. When we are closed, I work on the network, walk the sales floor, and find FTC violations. Each is a 10k fine. What are the chances the FTC walks in? OK, maybe it's slim. But I'd rather be safe than sorry. Any customer information left out is a violation.
All information should be shredded once the customer leaves.
Going paperless is what I am working towards.
 
Agree 100% with you. At many of our stores, we have driver's license scanners that scan directly into the CRM customer record or the salesperson can pull out their mobile app and quickly scan it in with their camera.

But you still have to hand the salesperson your driver's license like you do with your credit card at McDonald's which @Carsten seemed to imply was problematic.

 
I am working on this process this Friday. We are looking at the current flow of information and trying to make sure no insecure traces are left behind.
During a breach I was involved with, they went through email and looked for how many DLs were there; for each one we had to contact them and inform them of the breach. I do not want DLs on anyone's phone or copies. I have to turn off storing of copies on the copier hard drives just for this reason.
We have an ID scanner but it's for fraud. What system do you use to scan into the CRM? What CRM?
 
DriveCentric and Promax both support DL scanning. Becomes tricky remembering to rescan driver's licenses if they come back in a year later though. And for this reason it often ends up still being xeroxed on a test drive agreement form in the deal jacket.
 
We have spoken about starting a program where some people are tasked with finding violations and if they find them the violators will pay a small fine. Otherwise, most people don't care. The "it will never happen to me" attitude.
 
There is no such thing as a Paper Credit Application in my store. Every Credit App comes through my website, even if the customer is sitting in the showroom.

Driver's Licenses come immediately to an office for filing.

I am looking at eliminating the personal information from any worksheets that go onto the showroom floor, and replacing it with the Internal Customer ID from the CRM. Yes, it makes it harder, but we have access to the ID number and can search the CRM easily.

No wireless machines in the dealership, every computer is hard wired and each has their own cabled slave printer. WiFi is for guests and for the television. It is on a separate network, not a shared router.

2FA on everything that we can put it on.

BitDefender on all machines. That is for me more than for security because I am not sure if it is any better than Win Defender.

I am sure that there are violations lying around my store too. It is really hard to keep all of it under wraps.

I like the idea of completely paperless. That isn't easy either.

DL Scanner Apps for the smart phone...are those truly scanners or are they taking a photo that is being stored on the phone, and then sending that photo in for authentication?