3 Key Steps To Preparing

For Cyber Attacks

An old aphorism states “if you fail to prepare, you are preparing to fail.” It’s a mindset many people may feel they don’t have time for with regard to cybersecurity. But  it’s an issue everyone has to be concerned with. Every dealership using credit reports (either through us or through another company) must have an Information Security Policy (ISP), Incident Response Plan (IRP), and Risk Assessment Report (RAR) according to their agreements with the Credit Reporting Agencies (CRAs).

The Information Security Policy is a written policy which outlines the dealership's security practices. Key items to look for in an ISP are system and network security practices, employee security awareness, safe computing practices, and periodic reviews of the policies and procedures used by the dealership. The written policy is the first step. After you have the policy, you must implement it and document the implementation, for example a security awareness training form or software solutions which prove it’s been completed.

An Incident Response Plan is a written plan to resolve any type of security incident, ranging from theft of property to unauthorized access of consumer personal information. Most IRPs include a method for identifying an incident, responding to an incident, and a practice to prevent the incident from reoccurring. It’s a simple process but it can cover a vast amount of territory. One incident may involve employee theft, and another may involve a cyber attack on a specific computer.

That is where the Risk Assessment Report comes in. Its purpose is to review your current practices, identify potential risk and find resolutions to the threats you can anticipate before they become incidents. There are many methods for conducting a risk assessment and almost all of them include the formula “Threat * Vulnerability * Asset Value = Risk” to determine how susceptible a dealership is to a specific area of concern. Assets can be property, information, data, or intellectual property, just to name a few. We also include an executive summary and a conclusion in our RAR. This report is very useful for the executive branch of any dealership to review and use as a budget guide for the risks the dealership faces each day.

All of this may sound like a daunting task, but it’s not as hard as it appears. Start with documenting the steps you are performing today, then perform your risk assessment, and finally change the policy and plan. The ISP and IRP are living, breathing documents; they must be flexible to be pertinent. The threats which exist will change, and you must keep reviewing and reporting the changes. If you have any questions regarding your ISP, IRP or RAR you can provide a copy of it to your Dealer Support Specialist for review. We’ll look it over and help you identify any gaps. It’s always a good idea to have your attorney review the regulations which govern your business practices as well as these documents just to ensure you are complying with any regulations.