Outsourcing Information Technology to Insecure Service Providers
Many organizations today choose to outsource some or all of their information technology needs to external service providers. This can be a time- and cost-effective strategy that allows a business to focus on its real goals while letting someone else worry about security and system downtime. For some, this means engaging a service provider to take care of the day-to-day administration of locally hosted business systems. For others, it means contracting a service provider to host, secure, and manage the entire infrastructure, often in the cloud. While these managed services can take most of the administrative burden off of the business itself, they also introduce a source of inherent risk.
Information Technology in the Automobile Dealership Industry
Automobile dealerships are an excellent example of businesses that are often placed in this position. The industry requires accurate vehicle and parts inventories, precise sales records for tax purposes, and the all-important customer information used for warranties and billing. This data is proprietary business information and, in several cases, can also be classified as personally identifiable information (PII), which, by law, requires heightened security controls to prevent unauthorized disclosure. It makes sense that many dealerships would choose to store this sensitive information offsite, with a service provider who is capable of providing the necessary protections. This allows the dealership to focus on sales and growth instead of building and implementing a comprehensive information technology security plan.
However, in August of 2016, it was discovered via an entirely public mechanism that a popular Dealership Management System (DMS) provided by dealerbuilt.com was exposing client and customer information directly to the internet. Shodan, a special internet search engine which indexes devices/computers rather than websites, was used to uncover this leaking database. Once a certain vulnerability or issue is uncovered, attackers and researchers can immediately locate examples of those vulnerable devices with a targeted query through Shodan. The dealerships affected by this breach were under the impression that the DMS they paid for included the security measures necessary to protect the PII and payroll information. In reality, either by a misconfiguration or outright negligence, hundreds of thousands of records were made public.
While the blame for such an oversight should (and will) fall on the service provider, the real damage applies to the dealerships themselves. Now the dealerships become responsible for communicating the breach to their customer base. No matter the circumstance, from the customer's point of view the dealership was acting as the custodian of their personal information. Therefore, through no real fault of their own, the dealerships themselves will be taking the brunt of the backlash for such a pervasive breach of their information technology. While there will certainly be monetary trouble as dealerships scramble to find a new, secure DMS, the loss of consumer confidence and reputation is a more significant loss to the business.
Protecting Your Information Technology
It is never a bad idea to check up on your service provider. During the vendor selection process, formal risk assessments are the only way to determine the levels of risk acceptable to the business. The business should carefully review any documentation available from the service provider, up to and including SOC 1 and SOC 2 reports. While the purpose of using a cloud-based DMS is to remove the burden of systems administration from the business itself, it is still crucial for the business to understand the security controls that are in place. In light of the recent database leak, maybe it is time to have a conversation with your DMS provider about where your data is stored and how it is protected, especially if this is the first time such a conversation has taken place. After all, your data does not belong to the service provider, and a breach of that data is far more devastating to your dealership than it is to the DMS provider.
For more on how to protect your information technology from vulnerability attacks, contact OCD Tech today! 844-OCDTECH