Dealers Are Flirtin’ With Disaster

Flirtin’ with Disaster—not only is this a great Molly Hatchet song, it also seems to be the norm when it comes to dealerships updating their operating systems or securing their computer networks. The song rightly hints at the impending doom awaiting this flirtation and warns, “When we gamble with our time, we choose our destiny.”

In my job, I travel to many dealerships and quite often engage with either the IT person or the computer network directly. I am constantly amazed by how little is understood about computer networks and how much apathy people display towards this most critical piece of their business infrastructure. The Gramm Leach Bliley Act, Safe Harbor Rules, and Privacy Act all tell us how important it is to protect and safeguard not only our data, but all of the data we have collected from our customers. Ultimately, it is the dealer’s responsibility if a customer’s information gets lost or stolen.

With so much responsibility, you would think we would all take the utmost care to make sure the permissions to access our most critical data are always up to date and have the highest security possible. However, that’s not always the case.

For example, I was in a store not too long ago where I was asked to show how to perform a certain process with our software. I quickly agreed and asked if I could use one of their computers to demonstrate. “Sure,” was the quick response.

I went to a finance manager’s desk and moved the mouse to get the security screen to pop up. I asked the dealership associate to enter the password and he said, “Just hit the return key. The password is blank.” I was stunned. I was sitting at an F&I manager’s desk and there weren’t any security measures in place to make sure that neither customer data nor dealership data was compromised. When I hit the return key, the screen came to life, and there I was, looking at an online credit application that had all the information I would have needed to do some major damage to a customer’s credit file. I asked why they didn’t have the PC secured. Apparently the F&I manager had a hard time remembering all his passwords and felt this particular one was a nuisance. How much was that fine for losing customer data?

At another dealership, I was allowed to log on to one of their PCs remotely. I immediately noticed the start button wasn’t Windows 7 and asked to check the system’s properties. Turned out, their machine was running Windows XP and wasn’t even up to date on its service packs. I asked the dealer if he knew that Windows XP was no longer supported by Microsoft and hadn’t been since April 8, 2014, over a year ago. The dealer seemed shocked and told me most of his machines still ran XP!

Another too-common occurrence that astounds me is when I look at the system tray on a PC and don’t see a business-grade anti-virus running. Recently, I found a network that was running the FREE version of an anti-virus program. When I asked why the dealership was using that version, the GM told me it was cheaper than paying for one. I agreed but reminded him that the free license didn’t include commercial applications and wouldn’t pay for any damage or liability caused by using a personal anti-virus solution in a commercial setting. I also showed him that he was running a two-year-old version of the program that hadn’t been updated in that same amount of time!

Another opening for disaster comes through the wireless access granted to customers when they are in the dealership. Once, while getting my car serviced, I asked the cashier for a Wi-Fi password. She was very quick to give me the password and pointed out that it also happened to be on a display sitting two feet from me. I thanked her and logged on to my laptop to get some work done. Imagine my shock when I saw that every workstation, printer, and network drive throughout the entire organization was accessible on this network. Apparently, the network router they had was wireless, so they turned it on and gave customers access. They didn’t realize this access was behind the firewall and gave customers access to everything in the dealership. Once I pointed it out, it quickly got resolved.

Lastly, we also flirt with disaster when we don’t keep up-to-date backups of our systems, like one dealer who asked me if I could help him fix some customer files that were either damaged or had been somehow changed. I told him “Sure, no problem. All I need is your last backup and we will gladly restore it.” From the look on his face, I already knew there was an issue. The last backup of his system had been over six months ago. Fortunately, the customer information he was looking for was on there, but imagine if it hadn’t been.

To put this all into perspective, let me tell you how quickly bad things can happen. Imagine one of your customers in the service lane logging on to your network with the Wi-Fi password. They get a little bored so they start surfing the net. One of the sites they visit happens to have a ransom virus embedded in it, so when they view the page, the virus automatically downloads and gets proliferated throughout the dealership’s network. The customer finally logs off, but by that time, the virus has spread to the service advisor’s computer and starts to branch out to the other workstations until, uh oh, it finds a server on the network. The ransom virus then does what a ransom virus is supposed to do and encrypts portions of the server’s files and asks you to send money to some offshore account to unlock your data.

You consider sending the money because your entire network is down and you are basically out of business. In a stroke of genius, you call for IT support. No issues, they’ve heard of this virus before. They just need your latest backup to put everything back together. Ugh. The last backup was from six months ago. So when your IT people do restore your data, you’re missing the last six months’ worth of business data.

This all sounds horrible (and it is), but it doesn’t even include the fine of $10,000 per instance of illegal software on your machines (for using a “free for personal use” anti-virus solution in your business, for example) or the fines and lawsuits for letting personal, confidential information get out into the public domain.

Imagine when you realize this whole predicament could have been avoided had someone taken the time to understand and protect the network.

So, what should we do?

Here are some pointers:

  • Be sure you are utilizing the latest firmware for the hardware you have.
  • Make sure you are not using out-of-date software or out-of-date anti-virus subscriptions.
  • Run your backups as scheduled and be sure to have two copies—one on site and one off site—just in case the building burns down, washes away, or is taken out by an EMP!
  • Know the end-of-life for any operating system you are using and have a plan to upgrade before that end comes.
    • Windows Server 2003 is not being supported any longer and should be immediately upgraded.
    • Windows Server 2008 is due to sunset in January of 2020 (still have some time there).
  • Know the law. Get a good understanding of GLB, Privacy Act, Red Flags, OFAC, and all the other laws that the dealership is responsible for following.
  • And, for goodness’ sake, make sure you have a guest wireless network that is in front of your firewall and completely separate from your company’s IP scheme.

Bottom line, if you don’t understand computer networks, the maintenance of a network, or the laws that govern business in a car dealership, I would highly suggest you find someone who does and either hire them or pay them for their service. In the long run, it will save you a ton of money and distress!

Author

Mark Begley
