Over the past 12 months, many in the industry have suffered cyber-attacks that have been extremely painful for those concerned and have put fear into many others. For the directors of any group or dealership, it is very difficult to judge how safe your own organisation is when you have no qualifications in this area.
As a data company, we have learned many lessons over the years that I think are worth sharing. In the early years, we got PwC to assess our security fitness, and it was very clear then that best intentions were no substitute for a myriad of security controls to protect the company. We agreed at that point that we would go for ISO 27001 certification, audited every 6 months by an external examiner, to give the Board the reassurance that our controls are indeed fit for purpose and are being layered up all the time. We appointed an external CISO and put in place, over 12 months, all of the controls necessary to achieve certification. For us, it was one of the best things we ever did: we did not lose our agility, but we now work in a very safe environment and we can sleep better at night. For a dealer group, getting certified and taking assurance from external, structured audits would be a good thing to do.
The steps involved are:
- Appoint a part-time external CISO (Chief Information Security Officer) who will both advise you and also help critically appraise where there are weaknesses.
- Conduct a risk assessment of the risks associated with your information assets and processes. This will help in determining the scope of the ISO 27001 implementation.
- Define the boundaries and extent of the Information Security Management System (ISMS) to be implemented. I can’t think of anything that should be excluded.
- Develop and implement ISMS policies and procedures. This starts with a policy statement; then perhaps 20 policies cover all aspects of information security, such as access control, asset management, incident management, and business continuity.
- Train staff to ensure that all employees, contractors, and other stakeholders are aware of the ISMS policies and procedures and understand their roles and responsibilities. Build a culture of security in your company by having it on the agenda of all of your regular meetings.
- Implement controls: Implement technical, physical, and administrative controls to mitigate identified risks.
- Regularly monitor and review the effectiveness of the ISMS, update policies and procedures, and conduct internal audits to ensure continuous improvement.
- Seek certification: Engage a third-party auditor to assess and certify the ISMS to the ISO 27001 standard.
This is not a massively expensive process, and it is one that will protect you for many years to come. Life will be easier too if you only use, or prefer, ISO 27001-certified suppliers.
Finally, one word on a risk that you may not have thought about: the availability of data and information is just as important as protecting sensitive data. This includes access to your data in your DMS and other systems. Before you renew any of your contracts with software suppliers, make sure that you have a good understanding of how you or your subcontractors can access your own data, and at what cost. It is your data, and not having access to it will either layer on a lot of hidden costs or reduce your competitiveness in a way that may not be apparent until it’s too late. Feel free to chat with us if we can help in any way on the topics above.
John Hogan is the CEO and Chief Data Scientist at Real World Analytics (RWA). RWA helps dealer groups become more efficient with actionable drillable dashboards and reports. Visit realworldanalytics.com/automotive/our-solutions for all our solutions, or check out our customer stories. If you want to find out how we can help you drive your dealer business forward, contact us here or email email@example.com
This article was previously published in Auto Retail Bulletin.
About RWA Automotive
RWA Automotive provides a cloud-based Business Intelligence (BI) solution that helps you become a completely data-driven dealer group. By bringing all your data into one place and delivering actionable insights to different levels in the business, everyone has the right information at the right time to do their job efficiently. Management is presented with executive dashboards from which they can drill down to the details for further investigation. Your managers in the outlets get reports such as DOCs delivered to them automatically so that they can action issues on the spot. The solution is designed to help you stay on top of your business with all the information you need at your fingertips.