May 22, 2023

Demystifying FTC Safeguards: What Small and Midsize Dealers Really Need

With the June 9th deadline looming, many small and midsize dealerships are struggling to implement the regulatory items included in the FTC Safeguards Rule. An important element of this is information security: protecting your data, systems and infrastructure with the correct cybersecurity tool sets and having the right people, processes and reporting mechanisms in place.

The good news is, while this sounds like a heavy-lift for small and midsize dealerships already struggling with controlling costs and maintaining staff, it doesn’t need to be complicated, cumbersome or expensive.

What do you really need to meet security safeguards?

A letter from representatives of the U.S. Small Business Administration requesting a deadline extension lists supply chain delays and a talent shortage as top concerns for meeting the requirements. While these problems are real, there are solutions available that are neither complicated nor expensive to implement.

Software-As-A-Service (SaaS) and Automation

Using SaaS platforms allows you to avoid lingering supply chain issues and address several of the FTC requirements quickly and easily. With an abundance of products to choose from, sourcing software can be overwhelming (and expensive), but most small and midsize dealerships can meet several of the FTC requirements with just a few tools, and even fewer if you implement versions that can automate tasks or check more than one box.

SaaS-based solutions that are readily available, and the Safeguards they address:

Multi-factor Authentication (Access Management/Protecting Your Systems)

Multi-factor Authentication (MFA) helps to ensure secure access to your data and systems. It does this by confirming your identity through a combination of two or more of the following:

  • Something you know (a password or PIN)
  • Something you have (your smartphone or other secure device)
  • Something you are (biometrics such as facial or fingerprint recognition)

A Business Password Manager (Access Management/Protecting Your Systems)

A business password manager is the most secure way for teams to create and store the passwords used to access company data, systems and applications, and it helps to eliminate breaches caused by human error.

Look for solutions that offer end-to-end encryption and auditing of password strength to help users improve their security behaviors. Integrated multi-factor authentication is a plus, especially versions that allow for passwordless access.

Endpoint Detection & Response (Protecting Your Systems)

Endpoint Detection and Response (EDR) is the next generation of what most people know as anti-virus software. The best options leverage advanced technologies like AI and machine learning to continually monitor users’ devices and behaviors in order to detect and respond to cyber threats like ransomware and malware.

Look for solutions that require minimal management and provide reporting that can easily integrate with compliance reporting requirements.

Cyber Security Training and Anti-Phishing Tools (Empowering your Employees)

One of the best ways to reduce risk caused by human error is to train your team on security best practices. These should include how to spot a phishing email, safe online behaviors and how to avoid scams like social engineering.

The best SaaS-based tools should include short, engaging and insightful videos and training exercises that can be easily managed and deployed.

Security Information Event Management & A Security Operations Center (SIEM and SOC) (Protecting Your Systems)

Security Information and Event Management (SIEM) is a powerful tool that aggregates and analyzes activity from various resources across your entire IT infrastructure to provide a comprehensive view into what’s happening in your digital world. It monitors for and detects threats in real time, 24/7, and also keeps a record (logs) of that activity for up to 365 days.

A Security Operations Center (SOC) is the live team of experts who leverage tools like SIEM to monitor and respond to threats when those actions can’t be automated.

Until recently, both of these functions (which are critical to meeting FTC requirements) were out of reach for small and midsize businesses due to the expense and complexity. And while SaaS-based versions can still come with similar challenges, there are more options that are accessible and affordable. Look for solutions that integrate EDR, SIEM and SOC (oftentimes referred to as XDR) that are automated and provide the reporting you need to demonstrate compliance.

Automated Compliance Mapping (Risk Assessments/Reporting)

Anyone who has ever had the daunting task of managing compliance reporting will tell you that it’s cumbersome and time consuming. And while there is an abundance of consultants who will do it for you, that can be cost prohibitive.

The good news is that there are SaaS-based solutions that will automate many of these tasks and reports, making compliance much more cost effective and efficient. Ideally, you want to source a solution that integrates well with your other security tools and can provide risk assessment capabilities as well as reporting.

Do you really need to hire an in-house expert to manage it all?

Due to the high price tag associated with security expertise, along with a nationwide talent shortage, the FTC requirement to “designate a qualified individual responsible for overseeing and implementing your information security” has caused a great deal of alarm across dealerships of all sizes.

The tools you use to build your information security program will determine how much help you’ll need from either an in-house champion or an external consultant or managed services provider.

If you choose tools that are designed for SMBs, with easy user interfaces, good automation and reporting, there’s no reason you need a high-paid security team member, or even an IT expert. Most of these tools can be easily managed by a business team member, oftentimes someone in finance or operations. And if you have a trusted managed IT services vendor, they should be able to leverage similar tools to help you manage all of it, without breaking the bank.

Getting compliant will save you money and help you avoid disaster down the road

No one likes to be told what to do; that’s a universal truth. But just as taking your medicine can help you feel better, taking the necessary steps to protect your customers and your business is a worthwhile investment.

Threats against businesses of all sizes are on the rise, and regardless of compliance requirements, doing nothing to protect your business, your brand and your customers means it’s only a matter of time before disaster strikes. The average annual cost of a cyberattack for a small business owner, according to the Hiscox Cyber Readiness Report, is $25,000. And while you will have to budget for these tools and services, you can’t put a price on the peace of mind that comes with proactively securing your entire organization.

Learn more about AaDya Security’s Judy, an all-in-one cybersecurity platform that can help dealerships of all sizes meet the FTC regulatory requirements mentioned above – without the cost or hassle of traditional solutions and services.

This blog originally appeared as a guest commentary in Automotive News.