Any small- to medium-sized car rental operator will say it’s crucial to protect rental customer information, especially with hacks of personal information seeming to make daily headlines.
“In addition to protecting customers’ data, cybersecurity is also important to protect a company’s reputation,” says Jason Harker, head of IT at Dollar Thrifty’s U.K. franchise. “There are also legal threats. Starting next year in Europe, companies can be fined up to 20 million euros for a data breach under the General Data Protection Regulation.”
Many, however, are ill-informed as to the types of threats and how to protect against them.
According to the Small Business Committee, the majority of cyberattacks happen at small businesses.
“In fact, 71% of cyberattacks occur at businesses with fewer than 100 employees,” said Steve Chabot (R-Ohio), chair of the House Small Business Committee, during a 2015 hearing titled “Small Business, Big Threat: Protecting Small Businesses from Cyber Attacks.”
“These attacks come from criminal syndicates, ‘hacktivists,’ and foreign nations,” Chabot said. “They are after intellectual property, bank accounts, Social Security numbers, and anything else that can be used for financial gain or a competitive edge.”
A company could face various types of cyberattack threats including phishing, spear phishing, brute force, and viruses (malware and ransomware).
“Regardless of the method used, most cyberattacks have a similar goal: to infiltrate and exploit,” says Robin Tatam, director of security technologies at HelpSystems, a provider of IT management software solutions.
“Company data has an intrinsic value to someone somewhere. Sensitive data such as employee information can be used for identity theft. Credit card data can be sold on the dark Web.”
Cybersecurity needs to be a priority for companies of all sizes, according to the National Cybersecurity Institute. The institute emphasizes the importance of developing a formal plan for cybersecurity. The plan would outline the steps the company would take to mitigate cyber threats, as well as how it would respond if a security breach occurs.
Rental companies collect several pieces of personal information from their customers.
Personally identifiable information (PII) includes a customer’s contact information, driver’s license information, Social Security information, passport information, insurance information, and credit card information.
A customer’s personal information can be found on a rental company’s servers, desktops, the cloud, mobile devices, and email. Additionally, the information can be found in physical form if companies still make photocopies and print out rental contracts.
“If you photocopy a rental contract, you run the risk of that customer leaving its contract in the rental car and the next customer having access to that information,” says Shawn Concannon, executive vice president at TSD, a provider of fleet management software. “Once those transactions are complete, put those physical copies in a locked file drawer or shred them.”
Phil Jones, vice president of Bluebird Auto Rental Systems, advises companies not to make any photocopies of a customer’s personal information. Doing so is against the Payment Card Industry Data Security Standard.
“If there is a breach and people’s credit card data gets stolen, you can get fined and/or lose your right to process credit cards,” he says.
Rental software companies like TSD and Bluebird can host a rental company’s customer data. Bluebird’s customer databases feature layers of security to prevent intruders from hacking into the system, according to Jones. Security procedures include intrusion prevention software and encrypting sensitive data at rest, such as credit card information.
Protect Computers From Outside Threats
When storing personal information digitally, a company’s computer networks and applications need to be protected.
To start, a company must apply all the latest updates from its computer manufacturer as soon as they come out, according to Jones. Then it should turn on anti-virus or anti-malware software and update it regularly. A firewall should also be set up to prevent intruders from accessing the network.
“Anti-virus software gives you some protection from existing threats,” says Brian Powers, network administrator at Bluebird. “You also want to make sure that your network’s firewall doesn’t have any open ports that don’t need to be open.”
Powers also recommends not having an open share on a computer drive. An open share means everyone at the company has read/write access to the drive. If a company experiences a virus outbreak, an open share would give the virus a direct pathway to write to the drive and encrypt any data on it.
To ensure that computer security stays up to date, Jones suggests assigning a specific person to handle the ongoing maintenance and updating of software. If possible, it could be helpful to assign this responsibility to an employee with some level of IT experience.
“Our IT department, including myself, monitors the company’s cybersecurity through weekly vulnerability scans on all of our public-facing servers,” says Harker. “We also install intrusion-prevention software on our networks.”
Security threats don’t just happen externally; they also happen internally. Attacks can be caused by employees, suppliers, or service providers. ZDNet, a business technology news website, reported that 75% of large corporations have experienced a security breach that was attributed to their workers.
“I think the greatest threat is people not looking internally — employee theft and data loss,” says Concannon. “If employees are all on company laptops, someone could put a thumb drive in the laptop and walk away with all of the company data.”
How can a company prevent sensitive data from being taken by its employees? To minimize employee exposure to company data, State Van Rental sets security access levels by position, according to Nima Mobasser, vice president of Los Angeles-based State Van Rental.
Rental companies should reassess their software and who has permission to see certain information. What are your software security permissions and levels? Does your counter agent have full access to the software? Do you have a data security log to know when someone accesses information?
Software programs can limit employees’ access to data. Through Bluebird’s software, rental companies can secure different menu items; a log-in and password would only be issued to certain employees, says Jones.
Concannon recommends removing the temptation of employee theft. For example, don’t leave thousands of dollars in your cash box. Restrict an employee’s use of the rental software over the internet so that he or she can only use the software from a certain IP address. Lock down laptops so employees can’t use a thumb drive or email information from them.
Consider running a weekly audit report to ensure the right people are doing the right things in the system. TSD’s software will provide a daily report of which employees are accessing what information, according to Concannon.
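The kind of audit report described above can be sketched over a data security log. This is an added example, not code from TSD, Bluebird, or any rental software; the log columns, role names, permissions, and office network range are assumptions made for illustration, and the log lines are constructed sample data.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed policy: record types each position may open, and the office
# network the rental software may be used from (documentation range).
ROLE_PERMISSIONS = {
    "counter_agent": {"reservation", "rental_contract"},
    "manager": {"reservation", "rental_contract", "payment_card", "drivers_license"},
}
OFFICE_NETWORKS = [ip_network("203.0.113.0/24")]

# Constructed sample of a data security log (not real data).
SAMPLE_LOG = """timestamp,user,role,source_ip,record_type
2024-03-04T09:12:00,avery,counter_agent,203.0.113.10,rental_contract
2024-03-04T09:40:00,avery,counter_agent,203.0.113.10,payment_card
2024-03-05T22:05:00,blake,manager,198.51.100.7,drivers_license
2024-03-06T11:30:00,blake,manager,203.0.113.22,payment_card
2024-03-06T11:31:00,casey,intern,203.0.113.30,reservation
"""

def audit(log_text):
    """Return {user: [finding, ...]} for every log entry that breaks policy."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        allowed = ROLE_PERMISSIONS.get(row["role"])
        if allowed is None:
            # Unknown role: report it rather than silently skipping the entry.
            findings[row["user"]].append(f'{row["timestamp"]} unknown role {row["role"]}')
        elif row["record_type"] not in allowed:
            findings[row["user"]].append(
                f'{row["timestamp"]} {row["role"]} opened {row["record_type"]}')
        try:
            inside = any(ip_address(row["source_ip"]) in net for net in OFFICE_NETWORKS)
        except ValueError:
            inside = False  # a malformed address is treated as off-network
        if not inside:
            findings[row["user"]].append(
                f'{row["timestamp"]} access from {row["source_ip"]} outside office network')
    return dict(findings)

if __name__ == "__main__":
    for user, items in sorted(audit(SAMPLE_LOG).items()):
        print(user)
        for item in items:
            print("  ", item)
```

Each finding is a prompt for a manager to ask why the access happened, not proof of wrongdoing.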
Vendors’ access to data should also be limited. Concannon suggests setting up a data protection agreement that discusses whether vendors can exchange information or what data restrictions should be in place. It’s also important to know if a vendor has security policies or some type of cyber liability coverage in case of a breach or cyberattack.
“Vendors are also responsible for housing a company’s data,” says Concannon. “Vendors shouldn’t be sharing a rental company’s data without its permission.”
Create a Security Policy
If a company has never developed a cybersecurity policy, Concannon suggests getting an outside security audit. A vendor such as HelpSystems will first do a security assessment by scanning a company’s servers. Then it develops a security policy for the business.
“HelpSystems has designed a solution portfolio that leverages services and software to identify vulnerabilities and manage risk,” says Tatam. “Offered services include remediation planning, implementation, and even managed security services. We offer tools for intrusion detection and prevention, user privilege elevation and tracking, and provisioning.”
As part of a security policy, employees should be educated about online threats and how to protect data, according to the U.S. Small Business Administration. Consequences for violating the policies should be outlined in the policy.
Jones emphasizes the importance of training employees about cyberattacks such as ransomware. These viruses are transmitted through links and attachments in emails. Once an employee clicks on the link, the virus infects a company’s computer system and encrypts the company’s data. According to Jones, a company should have a security policy against opening any unknown links or attachments received through email.
If a rental company is using its own rental software system, a security policy should also include procedures on backing up sensitive data.
“If something goes wrong, you preferably want to have a backup of your whole system,” says Powers. “The system should be verified and restored monthly. At Bluebird, we look at backup logs every morning and do test restores on a regular basis.”
A security plan should be updated on a continual basis. “Keep your cybersecurity current,” says Concannon. “Just because I put a security policy in place five years ago doesn’t mean it’s still effective today.”