October 2016, Auto Dealer Today - Feature
Earlier this year, a Colorado dealer sued two former employees in federal court for stealing data. The store’s general manager and F&I manager had left the dealership to go work for a competitor and, according to the lawsuit, the pair accessed their former dealership’s network using their prior usernames, passwords, and company email addresses. Once logged in, the suit alleges, they accessed data, confidential information, and trade secrets.
This dealer was fortunate that the intrusions from the former employees were detected. But the fact that it happened in the first place has clearly caused him many headaches, including having to pay for a computer forensic investigation and now a lawsuit.
It is much easier and less expensive to prevent ex-employees from accessing your data — and, by association, the personal data of your customers and prospects — in the first place. Let’s review how this happens and walk through five simple steps you can take to stop it.
The Perfect Crime
When an employee leaves the company, many dealers don’t remove or disable all their old accounts. Even if you remove them from your DMS, they still may be able to access Windows or other Web portals that can get them into your CRM or OEM systems.
Also, employees can easily give themselves remote access to your network by installing off-the-shelf software such as LogMeIn or GoToMyPC. This software is installed on their work PCs, with or without your permission, so they can reach those PCs from their home computers when they need to work remotely.
Unfortunately, this means former employees also can use their home computers to access their old work computers. Worse yet, these remote access software programs run in “stealth mode,” which means the average user doesn’t even know they’re installed.
The good news is that locking out ex-employees is a pretty simple and inexpensive process. Here it is in five steps:
1. Use Microsoft Active Directory.
Most dealers purchase PCs off the shelf, which means that all administrative rights for that PC live on the PC itself as local accounts. Leaving it that way creates an inherently bad security setup: employees can do anything they want to those computers.
Active Directory is a centralized administrative software program that has been used by major corporations nationwide for decades. The program keeps every employee in a directory and allows administrative rights to be assigned to each individual. With Active Directory, you can prevent employees from installing any new software of any kind onto their computers, which is highly recommended. The program also happens to be a very effective tool for monitoring and stopping intrusion and remote access attempts from unauthorized users.
When an employee leaves the company and their account is disabled in Active Directory, they will no longer be able to access their former PC or your dealership’s network, even if they have remote access software.
2. Don’t Allow Personal Devices.
Some dealers allow their sales and service pros to bring in their own personal laptops to use at work. This is such a bad idea on so many levels that it’s somewhat mind-boggling.
Can you imagine walking into a bank and being greeted by a teller who is using their own personal laptop to access their bank’s software system? No, you can’t imagine it, and you don’t have to, because a bank manager would never allow that to happen. Neither should you.
Employees who use their own laptops at work can easily download all kinds of data from your DMS or CRM onto their computers. They could also inadvertently bring in a malicious virus or malware that could shut down your entire network. All of the security software and firewalls you pay for won’t do a lick of good if someone plugs an infected device into your network.
3. Keep a Checklist of Accounts.
Every time a new employee is hired, there is a checklist of new accounts they will need to set up. They may need login credentials for Windows, for your DMS and CRM, and other Web portals that allow access to OEM programs. When an employee leaves, someone needs to take that checklist and go through it in reverse, deleting the ex-employee from every single account they had access to.
4. Don’t Game the System.
I have met more than a few dealers who only have one or two users registered on their CRMs but allow access to groups of five or more people. They do this because CRM providers charge by the user. To make this setup work, dealers use generic, easily remembered usernames and passwords like “sales1” and “1234.”
Not only is this dishonest; it’s a really bad idea for security purposes. Unless the username and password are changed every time a salesperson leaves, ex-employees can easily access the CRM to pull new leads and track sales activity. The best solution is for everyone to have their own account.
5. Never Share Usernames and Passwords.
Sometimes employees share their usernames and passwords for other reasons. An office manager, for example, may give their DMS login information to an employee in order to allow them to perform an administrative function. Again, this is a bad idea. You don’t know who else could get hold of that username and password, especially if it’s written down on a piece of scrap paper somewhere.
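To make steps 1 and 3 concrete, here is an added PowerShell example (not code from the article or from Helion) that disables the departing employee's Active Directory account, resets its password, writes the group memberships that granted DMS/CRM/OEM-portal access to a CSV as the reverse checklist, removes them, and then checks the former workstation for LogMeIn or GoToMyPC. It assumes the RSAT ActiveDirectory module, PowerShell Remoting to the workstation, and placeholder user and PC names.

```powershell
<# Offboarding helper: an added example, not code from the article or from Helion.
   Assumes the RSAT ActiveDirectory module on the admin workstation, PowerShell
   Remoting enabled on the former employee's PC, and the placeholder names below. #>
param(
    [Parameter(Mandatory)][string]$SamAccountName,   # placeholder, e.g. 'jdoe'
    [Parameter(Mandatory)][string]$Workstation,      # placeholder, e.g. 'SALES-PC07'
    [string]$ChecklistCsv = ".\offboard-$SamAccountName.csv"
)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName

# Step 1: disable the account and reset its password, so a remembered password
# no longer works even for tools that cache Windows credentials.
Disable-ADAccount -Identity $user
$chars = [char[]]((48..57) + (65..90) + (97..122))          # 0-9 A-Z a-z
$newPw = -join (Get-Random -InputObject $chars -Count 24)
Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString $newPw -AsPlainText -Force)
Set-ADUser -Identity $user -Description "Offboarded $(Get-Date -Format 'yyyy-MM-dd')"

# Step 3: record the groups that granted DMS/CRM/OEM-portal access, then remove them.
# The CSV is the reverse checklist: each line is an entitlement to confirm is gone.
$groups = Get-ADPrincipalGroupMembership -Identity $user |
          Where-Object { $_.Name -ne 'Domain Users' }       # primary group cannot be removed
$groups | Select-Object @{n='Account';e={$SamAccountName}}, @{n='Group';e={$_.Name}} |
          Export-Csv -Path $ChecklistCsv -NoTypeInformation
foreach ($g in $groups) {
    Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
}

# Remote-access software on the old PC: a disabled domain account is no help if the
# tool was tied to a local account or its own access code, so report what is installed.
$remoteTools = Invoke-Command -ComputerName $Workstation -ScriptBlock {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $installed = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
                 Where-Object { $_.DisplayName -match 'LogMeIn|GoToMyPC' } |
                 ForEach-Object { "installed: $($_.DisplayName) $($_.DisplayVersion)" }
    $running = Get-Service | Where-Object { $_.DisplayName -match 'LogMeIn|GoToMyPC' } |
               ForEach-Object { "service: $($_.DisplayName) ($($_.Status))" }
    @($installed) + @($running)
}
if ($remoteTools) {
    Write-Warning "$Workstation still has remote-access software:`n$($remoteTools -join "`n")"
} else {
    Write-Output "$Workstation: no LogMeIn/GoToMyPC found."
}
```

The DMS, CRM and OEM portals that do not authenticate through Active Directory still have to be handled by hand from the exported checklist; the script only covers what the domain controls.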
Following these steps will greatly reduce the likelihood that an ex-employee will steal your data. Unfortunately, you may not be able to protect against every kind of theft. I know of one dealer who discovered that a former sales manager was paying the receptionist to feed him leads out of the CRM. This type of “theft” is harder to prevent. But most ex-employees are more opportunists than outright thieves. Their attitude is, “Well, if they didn’t want me in the system, they would have locked me out, right?”
Right. So if you don’t want your ex-employees in your system, lock them out.
Erik Nachbahr is the founder of Helion Automotive Technologies and has expertise in transforming dealer networks into vehicles for mission-critical applications. Email him at firstname.lastname@example.org.