Seven Mistakes Employees Make That Could Cost You Millions

Recently an auto dealership experienced an all-too-common security breach. An employee in the accounting department received an email from someone who he thought was the dealer asking him to initiate a $30,000 transfer from the dealership's bank account to another bank account. The accounting employee complied with the request and it was discovered later that the email was a scam. Unfortunately, there was no way to retrieve the funds.

This dealership has a state-of-the-art firewall and security software, but today's attackers increasingly get past even strong technical defenses by going after people rather than systems. The most common way into a dealership's network and data is to trick, or social-engineer, an employee into doing the attacker's work for them.

That's why it's so important to have a corporate security policy in place and to train your employees, so they don't make these mistakes:

1) Not verifying email addresses. Any time an employee receives a request to transfer money, check the sender's actual email address (not just the display name) and be sure that it matches the one on file, watching for lookalike domains that differ by a single character. Because a sender address can be forged, treat that check as a first filter, not as proof: for any request above $1,000, and for any request to change where money is sent, require verbal confirmation by calling the requester at a number already on file, never at a number taken from the email itself. These steps would have prevented the transfer just mentioned.

2) Opening email attachments from unknown sources. Attachments can contain malware. In one instance, a dealership employee opened an attachment that installed malicious code, giving a hacker access to online credit applications, social security numbers and credit card numbers for over 200 customers before it was discovered. This ultimately cost the dealership more than $150,000.

3) Clicking on website links within emails. This is phishing, often combined with typosquatting: the link leads to a bogus website on a lookalike domain that captures login ID and password information. In one instance, an accountant received an email notice that appeared to come from the dealership's bank. The accountant clicked on a link in the email and was taken to what he thought was the bank's website, where he logged in. Result: a $450,000 wire transfer was initiated from the dealership's account; this dealer was lucky because the bank caught the transfer before the money left. The safe habit is to never log in through a link in an email; type the bank's address into the browser or use a saved bookmark instead.

4) Bringing their own devices. Your dealership should have a policy that prevents employees from copying customer records onto USB drives and other personal devices. Your employees' intent may not be malicious; perhaps they want to work from home and need contact information. Nevertheless, once your customers' data sits on an unsecured home computer or a lost USB drive, it is outside every control you have, and its theft is still your breach.

5) Believing a phone representative is who they say they are. What if you got a phone call from a "Microsoft representative" who told you they're working with your IT company or employee (naming them correctly), and that you need to go through some troubleshooting steps? Would you believe them? Unfortunately, some employees fall for this scam and proceed to hand over passwords or remote access that lets the caller into the network. Knowing a name is not proof of anything; names are easy to find. If you receive such a call, take the rep's name and number, hang up, and check with your IT staff; if a call back is warranted, use a number you look up yourself, not the one the caller gave you.

6) Password violations. Employees should use long, unique passwords (a passphrase of several words is easier to remember and harder to guess than a short mix of letters, numbers and symbols), never reuse a work password anywhere else, and turn on multi-factor authentication wherever the bank or vendor offers it. Current guidance (NIST SP 800-63B) favors this over forcing a change every 90 days, which pushes people toward predictable variations; change a password immediately when there is any reason to think it has been exposed. Never share or give login ID or password information to anyone, including someone who says they are from IT.

7) Visiting personal websites while at work. Your corporate security policy should disallow employees from visiting social media, online shopping or gaming sites on dealership computers. This is not about productivity or privacy; it's about your network security, because those sites are a common route for malicious ads and downloads onto a machine that also holds customer data.
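Items 1 and 3 both come down to the same question: is the domain behind an email really the one on file, or a lookalike? As an added example (not code from the article or from DealerELITE), the following Python script shows what an automated first-pass check for an accounting mailbox can do before a human picks up the phone. The domain list, the homoglyph table and the sample headers are all constructed for this example; `KNOWN_DOMAINS`, `classify_sender` and `requires_callback` are names chosen here, not part of any product.

```python
import unicodedata

# Constructed for this example: the domains the dealership actually does
# business with (the dealer group itself and its bank). A real deployment
# would load these from the vendor/contact records kept by accounting.
KNOWN_DOMAINS = {"dealership.com", "firstnationalbank.com"}

# Character substitutions commonly used to build lookalike domains. The list
# is an assumption, not exhaustive. It is applied to BOTH sides of every
# comparison, so a collision (e.g. "rn" vs "m" inside a genuine name) can only
# cause an extra callback, never a missed one.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("8", "b")]

# Edit distance at or below which two domains are treated as lookalikes.
MAX_EDIT_DISTANCE = 2


def normalize(domain: str) -> str:
    """Lower-case, strip accents (e.g. 'é' -> 'e') and fold common homoglyphs."""
    d = unicodedata.normalize("NFKD", domain.strip().lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for lookalike, real in HOMOGLYPHS:
        d = d.replace(lookalike, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_from_header(value: str):
    """Split 'Display Name <addr>' into (name, addr); bare addresses have no name.
    Deliberately simple: this is what the employee sees in the mail client."""
    value = value.strip()
    if value.endswith(">") and "<" in value:
        name, _, rest = value.rpartition("<")
        return name.strip().strip('"'), rest[:-1].strip()
    return "", value


def classify_sender(from_header: str):
    """Return (verdict, reason) for a From: header value.

    "match"      - the real address is exactly on a domain on file
    "suspicious" - deceptive display name, homoglyph/typo domain, or a known
                   domain buried inside a longer one
    "unknown"    - not on file at all
    Anything other than "match" must be verified by phone before money moves.
    """
    display_name, address = split_from_header(from_header)
    if "@" not in address:
        return "unknown", "no usable sender address"
    domain = address.rsplit("@", 1)[1].lower()

    # "dealer@dealership.com <attacker@example.net>": the part the user reads
    # claims one domain while the real address uses another.
    if "@" in display_name:
        claimed = display_name.rsplit("@", 1)[1].lower()
        if claimed != domain:
            return "suspicious", f"display name claims {claimed} but address is {domain}"

    if domain in KNOWN_DOMAINS:
        return "match", domain

    norm = normalize(domain)
    for known in KNOWN_DOMAINS:
        known_norm = normalize(known)
        if norm == known_norm:
            return "suspicious", f"{domain} folds to {known} after homoglyph substitution"
        if levenshtein(norm, known_norm) <= MAX_EDIT_DISTANCE:
            return "suspicious", f"{domain} is within {MAX_EDIT_DISTANCE} edits of {known}"
        # firstnationalbank.com.secure-notice.net: the registrable domain is
        # the LAST labels, whatever is in front. Genuine subdomains such as
        # mail.dealership.com land here too, deliberately: they are not on
        # file, so they get a callback rather than a pass.
        if known in domain:
            return "suspicious", f"{known} appears inside {domain}"
    return "unknown", f"{domain} is not on file"


def requires_callback(from_header: str, amount: float, threshold: float = 1000.0) -> bool:
    """Article's rule (verbal confirmation above the threshold) plus the added
    rule that any sender not exactly on file always gets a callback."""
    verdict, _ = classify_sender(from_header)
    return verdict != "match" or amount > threshold


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for header in [
        "Dealer Principal <dealer@dealership.com>",
        "Dealer Principal <dealer@dea1ership.com>",
        "Dealer Principal <dealer@dealershlp.com>",
        "First National Alerts <alerts@firstnationalbank.com.secure-notice.net>",
        "dealer@dealership.com <random@gmail.com>",
        "Parts Vendor <billing@unrelated-vendor.com>",
    ]:
        verdict, reason = classify_sender(header)
        print(f"{verdict:10} callback={requires_callback(header, 30000)!s:5} {reason}")
```

The script only ever decides whether a human must make a phone call; it never approves a transfer on its own, because a forged header from the genuine domain will pass every string check and only the callback catches that case.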

The consequences of a security breach can be hugely expensive. Stealing money from a bank account is only one part of it. Once hackers gain access to your network they may be able to breach your database and steal your customer records, including social security, credit card and bank account numbers.

One of the biggest expenses dealers incur from such a breach is the cost to contact all customers and then manage and monitor their credit to ensure they are not adversely affected. Additional consequences may include investigations, audits, lawsuits and FTC action for non-compliance with the Gramm-Leach-Bliley (GLB) Act. Violations can add up to hundreds of thousands of dollars per incident.

According to the Ponemon Institute, the average cost per stolen record is approximately $200. If your dealership has 100,000 customer records, that means you could be on the hook for roughly $20 million; even a smaller store with 10,000 records is looking at about $2 million.

Firewalls and security software are one line of defense against hackers who want to steal your data. Your employees are the other, and increasingly the one attackers aim at first, so be sure they are trained to recognize the current phishing and social-engineering tactics described above!


Comment by steven chessin on February 15, 2016 at 1:06pm

The free WiFi set-up for customers was available for all to use; it was unrestricted and had excellent security programs, and no further problems were encountered except from email attacks.

Comment by Erik Nachbahr, CISSP on February 15, 2016 at 11:00am

Steven, yes, that would be fine, as long as they don't connect to the business Wi-Fi.

Comment by steven chessin on February 11, 2016 at 3:33pm

Isn't there a way that #7 can be accommodated safely, such as only from personal wireless devices not connected to the business network?
