

Employees are your biggest risk in data security. A well-trained employee is your best protection against internal hacking. An untrained employee is your worst nightmare.


What is Safeguards Training?


A great deal of consumer nonpublic personal information (NPI) flows through your dealership, and it’s up to you to protect it. To do this, your employees must be trained on the relevant aspects of the Safeguards Rule as it applies to their relationship with customer data in their role at the dealership.


The Federal Trade Commission considers failure to follow the Safeguards Rule to be a deceptive trade practice, with potentially devastating results for you and your dealership, so training employees to follow the Rule is paramount. Employees should take the time to read your dealership’s Information Security Program (ISP) or Safeguards Policy and should receive training that reflects your policies.


Mosaic has trained dealers and their employees on the Safeguards Rule for over 15 years. Our online, video-based, interactive training modules cover all the federal regulatory topics applicable to the retail automotive industry, but we have always put a particular emphasis on the FTC Safeguards Rule because of the ever-growing importance of protecting customer data and the fact that so many employees within the industry interact with sensitive customer data in the course of their job.

Mosaic’s Safeguards training covers the following topics and is broken down into several levels or “paths” depending on the role of the employee who will be taking the training.


All employees receive training on the following topics:

  • What is Non-Public Personal Information?

  • Recognizing NPI in the dealership

  • Employee responsibilities to protect customer data

  • Understanding your dealership’s computer network and how to safely use it

  • Internet safety, including password best practices and how to identify and avoid phishing email attacks


GMs, Ownership, and Compliance Officers receive the above training along with training on the following topics:

  • Conducting a security risk assessment

  • Assessing risks of internet and phone sales

  • Storing nonpublic personal information

  • Conducting a network vulnerability assessment on your computer network

  • Educating employees

  • Understanding physical, technical, and administrative Safeguards

  • Identifying and overseeing service providers

  • Ensuring service providers comply with the Safeguards Rule

  • Testing your Safeguards Program for effectiveness

  • Reviewing your Safeguards Program

  • Auditing your Safeguards Program

  • Obtaining a contractor to conduct a network vulnerability assessment

  • Reacting to data breaches

  • Handling employees after a data breach

  • Notifying affected customers after a data breach

  • Learning from a data breach


IT personnel and your Qualified Individual receive additional training and the Qualified Individual will receive ongoing monthly training updates in accordance with the ongoing training requirement of the Revised FTC Safeguards Rule.


Unlike the original Rule, the revised Rule requires certain dealership employees to receive ongoing training that covers new threats to customer data as they evolve. Mosaic accomplishes this through monthly video update episodes coupled with brief tests that confirm the relevant employees understood the content. All of this documentation rolls up into the mandatory annual written reports.


Mosaic is partnered with Automotive Compliance Education (ACE) to provide the ACE Safeguards Specialist Certification. This certification program is intended to address the Safeguards Rule’s requirement that dealers provide Qualified Individuals and IT personnel with “training sufficient to address relevant security risks.” It also supports awareness of the Rule’s requirements and compliance with its applicable terms.


What is a Qualified Individual?


The dealership must designate a single individual to fill this role and bear responsibility for the program. That person doesn’t need to be qualified to perform the necessary duties, just qualified to competently oversee that the necessary duties are performed and documented. The actual duties may be performed by a third party, such as a Managed Service Provider (“MSP”), but responsibility will remain with the designated dealership representative.


The FTC Safeguards Rule requires your dealership to conduct a risk assessment, design and implement a safeguards program, train your employees regularly on safeguards, oversee your service providers, and regularly test the effectiveness of your program’s key controls, systems, and procedures.


The Safeguards Rule does not require the Qualified Individual to perform these tasks personally – an outside consultant can do it. But the Qualified Individual is responsible for either doing it or seeing that it is done right. Therefore, this person should have a very good understanding of the Rule's requirements, your dealership's Safeguards Program, and emerging threats.


The revised Safeguards Rule requires enhanced training of all dealership employees, with particular emphasis on IT workers and the dealership’s Qualified Individual. To meet this need, Mosaic offers its award-winning training program that addresses the Rule’s requirements and the NADA approach to addressing those requirements.


Do I need to train all my employees?


Employees are your biggest risk in data security. Phishing attacks using emails with attachments or links to malware-infested websites or spoof calls or texts seeking an employee’s password are the primary means used by attackers to gain access to your system.


Employee education on best Internet practices (not clicking on links or attachments, not using Web-based email on dealership networks, monitoring for spikes in user access to NPI, etc.) is critical. A well-trained employee is your best protection against internal hacking. An untrained employee is your worst nightmare.


Training your employees can be time-consuming and a hassle without the right tools. If you need help getting started, Mosaic can help. If you would like to learn more contact us for a Safeguards Consultation today or get started now by filling out our Network Status Questionnaire.



What is continuous network monitoring?


Continuous network monitoring is the process of continuously monitoring your dealership's computer network in order to detect cyber threats and anomalous activity.


It also monitors for changes in performance to provide real-time data on the overall health of your IT infrastructure, including networks and cloud applications like your DMS and CRM.


Central to the Mosaic Safeguards Solution is a robust network monitoring system that both identifies anomalous activity and, if desired, stops it in its tracks.


This software application is managed through a user-friendly dashboard that provides meaningful real-time insight into current network security status, identified vulnerabilities and their associated patches, and documentation that supports the Rule’s reporting requirements.







How does continuous network monitoring work?


Mosaic’s continuous monitoring platform uses anomaly detection to analyze time-series data by creating accurate baselines of normal behavior and identifying anomalous patterns in your dataset.


The platform is proven to detect cyber threats faster and more accurately across your entire digital infrastructure and cloud. It provides 24/7 monitoring, threat detection, cloud-based SIEM, and response to identify a breach before it occurs.


Machine Learning


Machine learning features automate the analysis of time-series data by creating accurate baselines of normal behavior and identifying anomalous patterns in real-time data feeds from your entire tech stack. Using proprietary machine learning algorithms, the following circumstances are detected, scored, and linked with statistically significant influencers in the data:


  • Anomalies related to temporal deviations in values, counts, or frequencies

  • Statistical rarity

  • Unusual behaviors for a member of a population


After machine learning creates baselines of normal behavior for your data, you can use that information to extrapolate future behavior. Behavior Analytics extends detection by observing patterns and anomalies for other entities, such as network devices and servers, and not just individual users. Some threats can only be identified by looking at the behavior of an entity or a chain of events; those are considered anomalous when:


  • Their behavior changes over time, relative to their own previous behavior or

  • Their behavior is different from other entities in a specified population
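The two conditions above (deviation from an entity's own history, and deviation from its peer population) can be illustrated with a small baseline-and-z-score detector over per-account daily counts of customer-record lookups, which is the kind of "spike in user access to NPI" the training section mentions. The code below is an added example, not Mosaic's platform code; the sample counts are constructed, the account names are hypothetical, and a plain mean/standard-deviation baseline stands in for the platform's proprietary algorithms.

```python
"""Baseline anomaly detection over per-entity daily counts (added example).

Each record is (day, entity, count): the number of customer-record (NPI)
lookups an account made on that day. Two independent checks are run:

1. Temporal deviation: the entity's latest value is compared against the
   mean/std-dev of its own earlier days (its personal baseline).
2. Population deviation: the entity's latest value is compared against the
   other entities' latest values (leave-one-out, so a single large value
   does not inflate the baseline it is tested against).
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Record = Tuple[int, str, int]  # (day, entity, count)

# Constructed sample data (hypothetical account names, not real logs).
# "sales_03" normally does ~20 lookups/day and spikes to 140 on day 8.
# "svc_bot" is a high-volume but steady account: unusual versus its peers,
# but not versus its own history.
DAILY_COUNTS: Dict[str, List[int]] = {
    "sales_01": [22, 19, 24, 21, 20, 23, 22, 21],
    "sales_02": [18, 17, 20, 19, 18, 21, 19, 18],
    "sales_03": [20, 21, 19, 22, 20, 21, 20, 140],   # spike on day 8
    "sales_04": [25, 24, 26, 25, 27, 24, 25, 26],
    "svc_bot":  [300, 302, 298, 301, 299, 300, 302, 301],  # high but steady
}
SAMPLE: List[Record] = [
    (day, entity, count)
    for entity, counts in DAILY_COUNTS.items()
    for day, count in enumerate(counts, start=1)
]


def zscore(value: float, baseline: List[int], min_sigma: float = 1.0) -> float:
    """Standard score of value against a baseline. The std-dev is floored at
    min_sigma so a perfectly flat baseline does not turn a one-unit wobble
    into an alert."""
    mu = mean(baseline)
    sigma = max(pstdev(baseline), min_sigma)
    return (value - mu) / sigma


def temporal_anomalies(records: List[Record], threshold: float = 3.0) -> Dict[str, float]:
    """Entities whose latest-day count deviates from their own prior days."""
    series: Dict[str, List[int]] = defaultdict(list)
    for _day, entity, count in sorted(records):  # sorted by day, then entity
        series[entity].append(count)
    flagged: Dict[str, float] = {}
    for entity, counts in series.items():
        if len(counts) < 3:
            continue  # not enough history to form a baseline
        history, latest = counts[:-1], counts[-1]
        z = zscore(latest, history)
        if abs(z) >= threshold:
            flagged[entity] = round(z, 2)
    return flagged


def population_anomalies(records: List[Record], threshold: float = 3.0) -> Dict[str, float]:
    """Entities whose latest-day count is unusual relative to the other
    entities' latest-day counts."""
    last_day = max(day for day, _, _ in records)
    latest = {entity: count for day, entity, count in records if day == last_day}
    flagged: Dict[str, float] = {}
    for entity, value in latest.items():
        peers = [v for e, v in latest.items() if e != entity]
        if len(peers) < 3:
            continue  # population too small to compare against
        z = zscore(value, peers)
        if abs(z) >= threshold:
            flagged[entity] = round(z, 2)
    return flagged


if __name__ == "__main__":
    print("temporal (vs own history):", temporal_anomalies(SAMPLE))
    print("population (vs peers):    ", population_anomalies(SAMPLE))
```

On the constructed data the two checks flag different accounts: the spike by sales_03 is caught only by the temporal check, because the always-high svc_bot stretches the peer distribution enough to mask it, while svc_bot is caught only by the population check, because its own history is steady. That is the practical reason a monitoring platform needs both views rather than either one alone.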


Application Monitoring


The Mosaic CNM platform is built around you: all your data, all the time, against all your threats. We leave no vulnerability unchecked. With our application monitoring, we detect cyber events in your business-critical applications.

  • Monitor your existing Endpoint Security Platform

  • Up-to-date alerts for:

    • System security logs

    • External attackers or malicious insiders

    • Unauthorized access or account takeover

Cloud Monitoring


Our services don’t sleep, which means that you can. With cloud monitoring, we are able to monitor all data for AWS, Azure, and Google Cloud platforms.

  • Support for productivity suites Office 365, Google Workspace

  • Enables ultra-fast event gathering of log events

  • Support for hybrid and multi-cloud

On-Prem Monitoring


We custom fit the platform for your dealership so you not only get the best technology but the right technology. With our on-prem monitoring, we are able to monitor multiple sources for greater visibility and security.


Endpoint Detection and Response (EDR)


We provide fully managed endpoint protection backed by our 24/7 U.S.-based SOC. Our Endpoint Detection and Response (EDR) provides centralized detection with a fast and informed response.

  • AI and behavioral-based prevention and blocking

  • Avert threats such as Malware and Ransomware

  • Secure hybrid environments and protect while offline

  • Protect your Windows, macOS, and Linux endpoints

Why choose continuous monitoring over penetration testing?


Dealers may include in their ISP either continuous network monitoring or annual penetration testing and twice-annual vulnerability assessments. What’s the difference?


Continuous monitoring does just that - it monitors a computer network 24/7 and immediately detects breach attempts, allowing rapid response. Vulnerability assessments (“VAs”) just take a picture of network risks at a specific moment in time.


Put another way, continuous monitoring actually protects a network, while VAs periodically identify risks to the network. In fact, continuous monitoring functions as a continuous VA.


VAs may seem an attractive option because that approach is cheaper than continuous monitoring. But penetration testing, which is required if VAs are used, is quite expensive if done right.


A meaningful external penetration test requires both a VA and at least 40 man-hours of human attention at $150 - $300 per hour, so going that route may be a false economy.





Updated: Nov 13, 2024



Continuous Monitoring or Vulnerability Assessments


Regular testing and evaluation of your Information Security Program is a must. Of all the safeguards the Rule mandates, this one may do the most to actually protect customer data – if it’s done right. This requirement can be satisfied by employing either continuous monitoring (often called “EDR” – for endpoint detection and response) or twice-yearly vulnerability assessments and a penetration test once a year. While both approaches satisfy the Rule, continuous monitoring is the way to go if your intention is to actually protect customer data. That’s because continuous monitoring does just that – it monitors attempts to breach your network 24/7/365, allowing rapid response in real time if an attack is detected. Just running a vulnerability scan twice a year only gives you a semi-annual snapshot of what your vulnerabilities are. EDR gives you an ongoing movie of your security posture.


Defensible and Insurable


And this leads to an important concept: your ISP must be both defensible and insurable. Although satisfying the bare minimum requirements of the Rule may protect your dealership from a deceptive trade practices claim, it won’t protect you from a negligence claim if a preventable breach occurs that your semi-annual vulnerability scans did nothing to prevent. And as a practical matter, you probably won’t be able to get a cyber liability insurance policy unless you employ EDR at your store. Whatever solution you go with, be sure it is both defensible and insurable.



