Problem
A large automotive dealership that has been operating since the mid-1970s needed a cyber risk assessment to meet the FTC Safeguards Rule requirements and to evaluate its security posture. The dealer had multiple locations, with several dealerships across a few key cities. It also employed a full-time IT staff of 15-20 employees. None of these employees were dedicated to cyber security; their roles were mostly IT support, network administration, and software development.
Their IT team was challenged by several new locations and acquisitions. They spent much of their time connecting to existing systems and setting up the new locations, leaving little time to focus on cyber security and exposing them to risk through integration with the acquired companies.
In addition to the risk assessment, the dealership wanted a road map to guide its cybersecurity risk program for the next 3-5 years. Their goal was to build out a yearly project plan for the next 3 years and then have a list of additional projects they would look at further into the future. It was important that the list be prioritized to eliminate as much risk as quickly as possible, since they knew they would be juggling IT staffing issues and competing priorities.
Solution
We worked with the dealership to conduct a cyber risk assessment using the Center for Internet Security Top 18 (CIS 18) controls. We interviewed multiple people from each department across the dealership and dove into their policies and procedures. Through the interview process we were able to identify areas of high, medium, and low risk that needed to be addressed, and we compiled a list of recommendations based on these findings.
Once the risk assessment was completed and we had a picture of all the tasks that needed to be done, we were able to build out a road map. The road map was based on the risk we determined during the assessment. Critical or high-risk activities were scheduled for year one, with lower-risk items pushed out. Some low-risk items that could be handled easily were scheduled earlier to reduce additional risk sooner.
Cost: $14,000 to $20,000
Results
At the conclusion of the project, the client had a cyber risk assessment report that identified risks and gaps in their current cybersecurity program. They also had a road map of tasks, built out by year, that allowed them to plan and budget for future cybersecurity spending. They decided to explore outside help in completing the road map and brought in contract IT resources to speed up its execution. We recommended to the CIO that they follow up with another risk assessment in 2-3 years to make sure everything was progressing as planned.