The Smart Dealer’s Playbook: Simple Steps for a More Secure Business

by Adam Dennis

When I was 16, I worked in an ice cream parlor scooping ice cream.  I worked 5 days a week after school saving money for college.

During this time in my life, I had no other responsibilities other than getting to work on time, being polite, and making customers happy.  As time passed, and I gained experience, I learned how to close the business from cleaning and doing a walk through, to locking up.  There were steps required for each area of responsibility.

How I treated my customers, and what I did to lock up, were all taught to me by the owner.  In many ways, he taught me, and those I worked with, a corporate culture of service coupled with secure thinking at closing time.  It wasn’t complicated; it was what we did.  A company’s security policy and the requisite training don’t need to be complicated either.  They just need to be built into what you do at work every day.

Part 1: A Best Practice Based Security Policy

Any good security policy must be rooted in the law and industry best practices.  For example, the US FTC’s Safeguards Rule defines what you, as a car dealer, must do to ensure that your customers’ private information is protected.  Consequently, your security policy should cover these requirements.

Security policies can be quite broad depending on what your company does, but most cover some relatively predictable areas.  Let’s take a look and then talk about security awareness training too.

Your policy should cover these critical areas:

  • Data Protection:
    • Customer Information: Strictly manage and secure all Personally Identifiable Information (PII) and financial data.
    • Data Storage: Only store sensitive information on approved, secure company systems. Never on personal devices or unapproved cloud services.
  • Access Control:
    • Password Rules: Enforce strong, unique passwords for all employees, and use a reputable password vault to generate long, complex passwords, store them securely, and alert you when one of your accounts appears in a data breach.
    • Physical & Digital: Restrict access to sensitive areas like server rooms and finance offices.  Apply the principle of least privilege: employees get access only to the data and services they need to do their jobs.  (There’s really a lot more here, but this is just a short blog so I’m keeping it brief.😂)
  • Acceptable Use of IT:
    • Set clear rules for using company-owned computers and networks.  Prohibit installing unauthorized software or accessing malicious websites.
  • Phishing & Email:
    • Train your team to recognize and report suspicious emails and links immediately.  Establish a clear process for reporting to your IT manager when staff are phished or similar events occur.  If this piece is done right, this is where you can build a good security culture.
  • Incident Response:
    • Have a simple, clear plan for what to do in a security crisis, from a data breach to a ransomware attack.  Define who is responsible for reporting and how to contain the issue quickly.  Run a test of your setup when possible.  It’s never good to go into a bad situation unprepared.

Part 2: Cultivating a Security Awareness Culture

Building a healthy, productive, and committed culture is critical for any business’s long-term success.  The ideal is for a good policy to become a habit, so that it is not a burden but simply part of how you do your work.  This is what my old ice cream parlor boss taught me, and I hold that rule to heart to this day.  Building that culture takes time, and these five approaches help:

  • Make it Transparent Education: Explain the “why” behind every policy.  Show your team how a data breach can personally affect them and the dealership.  Don’t breed fear, since fear causes disengagement; instead, teach and reinforce over time.
  • Ongoing Training: Don’t just hold one or two sessions per year; instead, conduct regular, interactive training, including simulated phishing attacks, to keep security top-of-mind.  If possible, make it fun and memorable.  The more memorable the training, the more likely people are to retain it.  Within this model, promote a “Zero Trust” habit: every request to click something, download a document, or respond to a call is independently verified before anyone acts on it.
  • Lead by Example: Managers and owners must champion the policy through how they behave, not just through what they say.  When leadership takes security seriously, the entire team follows suit.  This matters all the more because leadership is the likely target of any sophisticated attack.
  • Positive Reinforcement: Frame security as a shared responsibility. Celebrate when employees spot and report threats.  This fosters a positive, proactive mindset instead of fear.👍👍
  • And, Finally, Keep it Simple: Make security procedures easy to follow. The easier it is for your team to do the right thing, the more likely they are to do it.

Final Thoughts

This stuff isn’t rocket science, no matter how much it might appear that way.  You just have to take it as seriously as you take managing physical security at your business or paying your bills on time.  My old ice cream parlor boss, if he were faced with these issues today, would approach them much like I outlined above…  He would identify what he needs to do, and then calmly and positively motivate his workers to execute on the security plan.  A car dealership is not an ice cream parlor, but these days the threats are roughly the same.

As usual, feel free to reach out with questions at any time!
