Boards believe their IT departments have cyber security covered, but glaring gaps are often revealed, according to Optimising IT’s head of cyber, Todd Gifford.
Under the new GDPR legislation, companies risk huge fines if their data protection measures are deemed inadequate.
Gifford will highlight common flaws in a company’s cyber security strategy and identify ways to mitigate the risk of a potential cyber attack at AM’s GDPR conference, which takes place at the Hilton Doubletree in Milton Keynes on February 22.
The ‘food for thought’ session is aimed at giving senior leaders the questions they need to be asking of their in-house IT department and IT partners.
Delegates can also sign up to a free half-day workshop, to be held at a later date by Optimising IT, which boasts large automotive dealer groups among its clients. The workshop is designed to give decision-makers the tools they need to ensure their policies and procedures stand up to scrutiny under the regulations.
Gifford said: “It’s not a question of trying to catch out the in-house IT department, whose time is spread thinly and which may not have the specific skills required to implement and maintain a stringent information security policy.
“Dealers need to look at the risk. If they operate three sites and their data records number in the tens of thousands, their protection will not need to be as far-reaching as that of large groups with millions of records.
“There are all sorts of scenarios where data protection can be breached. For example, a rogue employee could download 30-odd customer records prior to moving jobs, or companies may allow employees access to information which isn’t necessary for the roles they undertake.
“It may be that all that’s needed are controls to prevent data downloads.
“Less obvious areas include the hand-held payment devices, which require a certificate to be signed saying all the necessary controls and protections are in place, but these are often not adequate and are easily hacked.
“Other common weaknesses we find include patch updates, whereby software is updated on devices but not on the network.
“The weakest link can be a company’s third-party suppliers, which hackers can infiltrate to find their way into a dealer group’s system.
“We also find employees using the free Dropbox version, yet the T&Cs include the right to read the data transferred.
“It’s the same with Gmail, so if someone emails themselves work to complete at home at their private Gmail account and the information contains private details of individuals, that’s a data breach.
“By giving directors the knowledge to ask the right questions, dealers can soon discover whether their protections are robust enough to satisfy the ICO should something go wrong or a complaint is made.”
Gifford will provide real-life examples from personal experience and some of the world’s leading brands where data oversights have led to security breaches and fines from the ICO.
Under GDPR, however, the ICO will not only benefit from enhanced powers but will be able to administer much larger fines, of up to 4% of group worldwide turnover or €20 million (whichever is greater).
AM's GDPR conference provides a ‘checklist’ so dealers can be confident their policies and procedures are compliant under the new regulations.
Expert speakers will tackle specific elements of GDPR, such as marketing (including consent and legitimate interest as a way to communicate with legacy data) and the role of the data protection officer.