As data breach threats continue to grow, CCi Global Technologies shared data privacy and security tips for the collision repair industry Thursday during a Collision Industry Electronic Commerce Association (CIECA) webinar.
Ransomware attacks are a huge problem for the collision industry right now, according to CCi Business Development and Client Experience Vice President Brandon Laur. Many centers are being frozen out of their systems, and over the last year logistics companies in the parts supply chain have been hit as well, leading to delivery delays, he said.
“…there are so many different SaaS [software as a service] organizations and industry stakeholders sharing data right now that if one of us drops the ball, we all drop the ball. And that really comes from the evolution of body shops to collision centers as well. We try to be the trusted industry and sometimes we’re looked [at] as a dirty industry or one that’s not as sophisticated, but we’ve seen the industry grow and develop into this sophisticated collision ecosystem from all of us doing our part to repair vehicles properly. We need to carry that onwards in ensuring we’re doing that with data security and making sure we’re protecting data.”
CCi Chief Information Security Officer Steve Driz said ransomware has recently become more sophisticated: attackers now make a copy of the data they gain access to and threaten to publish and/or sell it, not just encrypt it. He and Laur noted that no single person in a business should be given full administrative control and access to all data, because if that person is compromised, everything is. Insider risk matters too: an employee who is unhappy with their job could harm the company by abusing the access they already have, and an employee working from home could have a household member accidentally release trade secrets.
Most importantly, they said the best practice is to only gather data that’s necessary and authorized for use rather than consuming all of it just because it’s easy. However, if a business decides to pull all of the data, they need to have a data destruction process to get rid of what they don’t need.
Policies and procedures need to be in place for how to prevent attacks and what to do when one occurs. “We know it will happen,” Driz said. “We don’t know when, but we know it will.”
The establishment of a cybersecurity framework is a must, according to CCi. They recommended downloading free frameworks on the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) website.
Because an attack is likely at some point, employers need to make sure their employees not only understand the policies and procedures but also why they matter, what they should and shouldn’t do, and that they apply security updates to their computers and systems, Driz said. Policies should be backed by preventive controls, such as endpoint protection software that combines anti-virus protection against malware with web threat protection; many such products cost $50 or less a year. An incident response plan should also be in place and practiced often.
“We can implement all the frameworks we want – policies and say we’re following these guidelines, but ultimately it starts with the people,” Laur said. “It’s not the technology that’s the risk. It’s always the people in following those processes. …We know how to prevent fires – we know not to leave matches lying around. We have to start taking that same approach with data security and our technology solutions.”
Driz recommended monitoring of everything employees do when they’re connected to the business’ network by using an Extended Detection and Response (XDR) platform. “We need to be very, very granular and implement in zero trust, meaning that we know even if I’m on the network and it seems like it’s me it could be malicious,” he said, adding that over 50% of all attacks today are email phishing attacks where malicious links are clicked on.
And it doesn’t matter what size your business is, Laur said. Everyone is at risk because the goal of these attacks, many of which are carried out by automated software bots, is to gain access to data. That can be anything from names to Vehicle Identification Numbers (VINs), which count as Personally Identifiable Information (PII), or machine-to-machine data. Machine-to-machine data is, for example, information shared between a spray booth and tools, between tools and systems, and between estimating systems and management systems, Laur said.
“We are custodians of the data,” he said. “We all owe it to ourselves to protect the best interest of the data and who it may or may not represent because we’re all connected through it. …Breaches are going to happen. Readiness is a choice. … What are we doing before and what are we doing afterward?”
Featured image credit: NicoElNino/iStock
(Left to right) CCi Global Technologies Chief Information Security Officer Steve Driz and Business Development and Client Experience Vice President Brandon Laur (Webinar screenshot)