Implement Policies and Procedures for Personnel to Implement your ISP

Employee Training

The greatest threat to customer data security is located between the monitor and the chair – in other words, your own employees. Therefore, you need policies and procedures, contained in your ISP, and training for all your employees on how your ISP affects their duties. This training should occur at initial hiring and be repeated at least annually thereafter. Everyone, for example, needs to know what to do if a completed credit application is found on the showroom floor.

Basic Safeguards Training

Basic Safeguards training should cover the substance of the Rule itself, why customer and dealership data needs to be protected, and the elements of your dealership’s ISP. Every employee should receive and acknowledge your ISP as part of this training; acknowledgment is most easily collected and recorded electronically.

Phishing Awareness

Phishing awareness training consists of periodically sending simulated phishing emails to employees who have dealership email addresses. If someone clicks through the bait, that fact is recorded and remedial training can be applied to that employee.

QI and IT Personnel

In addition to this standard employee training, your QI and IT personnel need ongoing training to remain current on evolving threats and security developments. Because you must be able to verify that this training occurred and was effective, periodic testing with archived results should be part of the process.

Remember, you’re only as secure as your least-trained employee, so train everyone – and keep them trained.
