Dealers everywhere face the same dilemma when it comes to choosing a vendor. How can you find a vendor that you can trust? What should you look for in a vendor before granting them access to your Dealership Management System?
The truth is, the best way to ensure data security is to start at the source – your dealership. The policies, processes, and procedures you establish to protect your DMS are key to increasing your data security.
The following steps are meant to help you improve the security and integrity of your dealership’s data quickly and effectively.
1. Conduct Background Checks
Any employee you bring on will have access to (or will be in the vicinity of) customer data. It's important to conduct background checks and contact references to ensure that each member of your staff is as trustworthy as you are.
2. Establish a Confidentiality Agreement
Establish and enforce an agreement that states confidential and proprietary information belongs to the dealership—and have all employees sign it.
3. Limit Access to Data
Determine which employees will be granted access to, or administrator duties for, which resources, including CRM, DMS, Intranet, social media, website and email. Document user names and passwords.
4. Institute Password Best Practices
Passwords should be unique to each individual and at least eight alphanumeric characters in length, and account access should be blocked after the fourth invalid password attempt. Password changes should be scheduled, and a new password should not be permitted to be the same as any of the previous four passwords. Passwords should not be displayed near workstations, shared with other staff, or transmitted via insecure technologies (email, IM or fax).
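The three password rules above (minimum length, lockout after the fourth invalid attempt, no reuse of the previous four passwords) can be enforced in software; the following is an added sketch, not code from this article or from any DMS vendor. The `Account` class and its constants are hypothetical, and "alphanumeric" is assumed here to mean at least one letter and one digit.

```python
import hashlib
import hmac
import os
from collections import deque

MIN_LENGTH = 8      # "at least eight alphanumeric characters"
MAX_FAILURES = 4    # block access after the fourth invalid attempt
HISTORY_DEPTH = 4   # a new password may not repeat the previous four


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: the history never stores a plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Hypothetical account record, not tied to any particular DMS."""

    def __init__(self, password: str):
        self.history = deque(maxlen=HISTORY_DEPTH)  # newest entry is last
        self.failures = 0
        self.locked = False
        self.set_password(password)

    @staticmethod
    def _matches(password: str, entry) -> bool:
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)

    def set_password(self, password: str) -> None:
        if len(password) < MIN_LENGTH:
            raise ValueError("password is shorter than eight characters")
        if not (any(c.isalpha() for c in password)
                and any(c.isdigit() for c in password)):
            raise ValueError("password needs both letters and digits")
        if any(self._matches(password, e) for e in self.history):
            raise ValueError("password matches one of the previous four")
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))

    def login(self, password: str) -> bool:
        if self.locked:
            return False  # blocked; unlocking is left to an administrator
        if self._matches(password, self.history[-1]):
            self.failures = 0
            return True
        self.failures += 1
        self.locked = self.failures >= MAX_FAILURES
        return False
```

Because each history entry has its own salt, a candidate password has to be re-hashed against every stored entry; comparing stored digests to each other would not detect reuse.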
5. Invest in Data Protection Software
Invest in protective software, including anti-virus, anti-spam, firewall, data encryption and virtual private networking (VPN). Institute protective data measures as well—servers should be at a separate location or in cages, backups should be performed, and data retention and destruction policies should be established.
6. Disable Access upon Termination
When an employee is terminated, make sure to collect and/or disable their key, security code, remote access to any systems, Intranet access, email access, and phone extension and voicemail. For the benefit of both the employee and the dealership, conduct an exit interview if possible.
7. Require a Non-Disclosure Agreement
Require all vendors that you share data with to sign a non-disclosure agreement.
8. Partner with an SSAE Certified Vendor
Our industry has not yet established a standard for policies, processes and procedures that work to ensure data security and protect the privacy of consumer information. The financial industry, however, has—SSAE-16 Certification, developed by the American Institute of CPAs.
By partnering with vendors that have achieved SSAE-16, you know they have passed a rigorous independent audit that upholds the highest level of security, and that they can protect and secure your data, guard its integrity and confidentiality, and prevent unauthorized access to it.
9. Require Documentation
If a vendor is not SSAE-16 Certified, request and require that they provide documentation of restricted access to buildings, data, computers, technologies, resources and systems; scanning technology at entrances (cards, fingerprints or retinal scan); government-issued ID required of visitors; password policies and best practices; firewall, anti-virus, anti-spam and data encryption software; equipment monitoring; data retention and destruction policies; backups; and a business continuity and recovery plan in case of disaster.