How Do You Secure a Dealership Management System (DMS)?

A practical guide to securing your dealership management system with access controls, network segmentation, monitoring, and FTC Safeguards Rule compliance.

By COMNEXIA
Tags: DMS security, dealership management system, auto dealer IT, CDK security, FTC Safeguards Rule, network segmentation, ransomware protection

You secure a dealership management system by combining strict access controls, network segmentation, continuous monitoring, encrypted backups, and a written incident response plan. A DMS such as CDK, Reynolds and Reynolds, Dealertrack, or Tekion holds Social Security numbers, credit applications, driver’s license images, and financial records for thousands of customers — making it one of the highest-value targets in any dealership’s technology stack. Treating DMS security as a layered discipline, not a single product, is what separates dealerships that survive an attack from those that lose weeks of operations.

At COMNEXIA, we’ve spent 35 years supporting automotive dealerships across the Atlanta metro and beyond, and DMS protection is now the single most important conversation we have with dealer principals. This guide explains the controls that actually reduce risk.

Why Is the DMS Such a High-Value Target?

The DMS is a high-value target because it concentrates regulated personal and financial data in one always-on system that connects to dozens of third parties. A modern dealership DMS integrates with lenders, OEM portals, CRM tools, payment processors, F&I menu software, and service schedulers. Every one of those integrations is a potential entry point, and every record inside is exactly what identity thieves and ransomware operators want.

The June 2024 CDK Global cyberattack made the stakes undeniable. The incident took DMS access offline for roughly 15,000 dealerships across North America for nearly three weeks, forcing many to write deals on paper and halting service operations. It demonstrated that a single platform compromise can paralyze sales, service, parts, and finance simultaneously — and that dealerships have little control once the breach is at the vendor level. That reality is why your internal controls matter so much: they’re the part you can actually govern.

What Access Controls Should a Dealership Use?

Dealerships should enforce least-privilege access, require multi-factor authentication (MFA), and disable credentials the day an employee leaves. Access control is the cheapest, highest-impact DMS security measure because stolen, reused, or over-privileged logins are the most common way intruders get their first foothold.

Practical access controls include:

  • Role-based permissions. A service advisor does not need access to F&I credit data, and a salesperson does not need administrative settings. Map DMS roles to actual job functions, keep the number of DMS administrators to a handful, and review the role assignments quarterly.
  • Multi-factor authentication everywhere. Require MFA on the DMS, on email, and on every remote-access path (VPN, RDP, remote-support tools). Prefer phishing-resistant methods such as FIDO2 security keys or passkeys where the platform supports them; push-notification MFA still stops credential stuffing, but it can be beaten by push fatigue and adversary-in-the-middle phishing kits.
  • Unique accounts per user. Shared “front desk” logins make it impossible to trace who did what, and they cannot be disabled when one of the people who knows the password leaves. Every user gets their own credentials.
  • Immediate offboarding. Dealerships have high turnover. A documented process to disable DMS, email, remote-access, and network accounts on an employee’s last day, and to rotate any shared or service passwords that person knew, closes one of the most common gaps we find during assessments.
  • Vendor and integration review. Audit which third parties have API access to your DMS, disable connections you no longer use, and revoke or rotate the credentials those integrations were issued rather than leaving them dormant.

How Does Network Segmentation Protect a DMS?

Network segmentation protects a DMS by isolating it from guest Wi-Fi, service-bay devices, and general office traffic so that a compromise in one area cannot spread to your most sensitive systems. A flat network — where the customer waiting-room Wi-Fi shares the same space as the finance department’s computers — lets an attacker move laterally from a low-value device straight to the DMS.

Effective segmentation for a dealership typically includes:

  • A dedicated VLAN for DMS and finance workstations, firewalled off from everything else.
  • A separate guest network for customers that has no route to internal systems.
  • Isolation for IoT and service equipment — diagnostic tools, cameras, and smart devices are frequently unpatched and should never share a segment with regulated data.
  • Tight, default-deny firewall rules between segments, so traffic is allowed only to the specific hosts and ports a business process actually needs, and denied traffic is logged so lateral-movement attempts show up in monitoring.

For dealer groups running multiple rooftops, segmentation also limits blast radius across locations, so a breach at one store doesn’t automatically reach the others. This is a core part of how we design multi-location dealership networks.
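The value of segmentation is easiest to see by computing the blast radius of a compromise under a flat policy versus a segmented one. The following is an added example written for this article, not code from the page, from any firewall vendor, or from a DMS provider. The segment names, the port numbers, and the allowed flows are assumptions standing in for your own VLANs and whatever ports your DMS vendor actually requires; it models the inter-VLAN allow-list and then walks it to find every segment an attacker could pivot to from a given starting point.

```python
"""Model of inter-VLAN firewall policy for a dealership network.

Added example, not part of the original article or any vendor product.
Segment names, ports and the sample flows are assumptions chosen to
illustrate the policy described above; map them to your own VLANs and
to the ports your DMS vendor documents.
"""
from collections import deque

# Segments (VLANs) a typical single-rooftop dealership might run (assumption).
SEGMENTS = {"guest", "iot", "office", "finance", "dms", "backup"}

# Allow-list of flows between segments: (src, dst) -> set of TCP ports.
# Anything not listed is denied (default deny). Port numbers are
# assumptions standing in for whatever your DMS actually uses.
SEGMENTED_POLICY = {
    ("finance", "dms"): {443},      # F&I workstations to the DMS application tier
    ("office", "dms"): {443},       # sales/service desks to the DMS
    ("dms", "backup"): {443},       # DMS host pushes to the backup target only
    ("office", "finance"): set(),   # explicitly empty: no office -> finance traffic
}

# A flat network: every segment can reach every other on every port.
FLAT_POLICY = {(s, d): {"*"} for s in SEGMENTS for d in SEGMENTS if s != d}


def is_allowed(policy, src, dst, port):
    """Default-deny check: a flow is allowed only if explicitly listed."""
    ports = policy.get((src, dst), set())
    return "*" in ports or port in ports


def reachable_from(policy, start):
    """Segments an attacker can pivot to from `start` on at least one port.

    Breadth-first search over the allow-list, following transitive paths;
    the result is the blast radius of a compromise that begins in `start`.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for (s, d), ports in policy.items():
            if s == cur and ports and d not in seen:
                seen.add(d)
                queue.append(d)
    seen.discard(start)
    return seen


def audit(policy):
    """For every non-DMS segment, report whether it can reach the DMS at all."""
    return {seg: "dms" in reachable_from(policy, seg)
            for seg in sorted(SEGMENTS) if seg != "dms"}


if __name__ == "__main__":
    print("flat network :", audit(FLAT_POLICY))
    print("segmented    :", audit(SEGMENTED_POLICY))
    print("office blast radius:", reachable_from(SEGMENTED_POLICY, "office"))
```

Under the flat policy every segment, including guest Wi-Fi and the service-bay IoT devices, can reach the DMS; under the segmented policy only finance and office can. Note that the walk is transitive: because the DMS host is allowed to push to the backup target, a compromised office workstation that reaches the DMS is two hops from the backup segment. That is exactly why the backup path should be one-way and the backup copies immutable.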

How Do You Detect a DMS Breach Quickly?

You detect a DMS breach quickly through continuous monitoring, endpoint detection and response (EDR), and centralized logging that alerts on abnormal behavior. The longer an intruder stays undetected, the more data they exfiltrate and the more systems they encrypt — so visibility is everything.

A strong monitoring stack includes:

  • 24/7 monitoring and alerting through a managed detection and response (MDR) service or a security operations center that watches for unusual logins, off-hours activity, and large data transfers.
  • Endpoint detection and response (EDR) on every workstation and server, which can isolate a compromised machine automatically before ransomware spreads.
  • Centralized log collection so DMS access, firewall events, and authentication attempts are recorded and retained — both for detection and for the audit trail regulators expect.
  • Regular vulnerability scanning to find unpatched systems and weak configurations before attackers do.

Most dealerships don’t have the in-house staff to watch alerts around the clock, which is exactly why managed IT services with built-in security monitoring have become standard for dealers serious about protection.
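The detections listed above (unusual logins, off-hours activity, large data transfers) and the offboarding gap from the access-control section are concrete enough to show as rules over audit-log lines. What follows is an added example written for this article; it is not code from the page and is not tied to any real DMS vendor's log format. The key=value line format, the user names, the HR offboarding roster, and the thresholds are all constructed assumptions. In practice you would point the parser at the audit export your DMS actually produces and forward the alerts to your SIEM or MDR provider.

```python
"""Toy detection rules over constructed DMS audit-log lines.

Added example, not part of the original article and not tied to any real
DMS vendor's log format. The line format, user names, thresholds and the
offboarding roster are assumptions; adapt the parser to the export your
DMS actually produces.
"""
from collections import defaultdict
from datetime import datetime, date

# Constructed sample log: one event per line, '<ISO timestamp> key=value ...'.
SAMPLE_LOG = """\
2024-06-18T08:02:11 user=jsmith event=login result=success src=10.20.5.14
2024-06-18T08:05:40 user=jsmith event=export bytes=120000 src=10.20.5.14
2024-06-18T23:41:03 user=mlee event=login result=success src=198.51.100.7
2024-06-18T23:44:19 user=mlee event=export bytes=950000000 src=198.51.100.7
2024-06-18T09:10:00 user=tgarcia event=login result=success src=10.20.5.22
2024-06-19T03:00:01 user=admin event=login result=failure src=203.0.113.9
2024-06-19T03:00:02 user=admin event=login result=failure src=203.0.113.9
2024-06-19T03:00:03 user=admin event=login result=failure src=203.0.113.9
2024-06-19T03:00:04 user=admin event=login result=failure src=203.0.113.9
2024-06-19T03:00:05 user=admin event=login result=failure src=203.0.113.9
2024-06-19T03:00:06 user=admin event=login result=failure src=203.0.113.9
"""

# Assumed HR roster: accounts that should have been disabled on these dates.
OFFBOARDED = {"tgarcia": date(2024, 6, 14)}

BUSINESS_HOURS = (7, 21)          # 07:00 to 21:00 local time (assumption)
EXPORT_ALERT_BYTES = 100_000_000  # a single export of 100 MB or more (assumption)
FAILED_LOGIN_BURST = 5            # failures per user+source inside the window
BURST_WINDOW_SECONDS = 300


def parse_line(line):
    """Parse '<timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect(log_text):
    """Return a list of (rule, user, timestamp) alerts for the log text."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failures

    for e in events:
        user, ts = e["user"], e["ts"]
        if e["event"] == "login" and e.get("result") == "success":
            # Successful login outside business hours.
            if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
                alerts.append(("off_hours_login", user, ts))
            # Successful login by an account HR says was offboarded.
            if user in OFFBOARDED and ts.date() > OFFBOARDED[user]:
                alerts.append(("offboarded_account_login", user, ts))
        elif e["event"] == "login" and e.get("result") == "failure":
            # Sliding window of failures per user+source: credential stuffing.
            key = (user, e["src"])
            failures[key].append(ts)
            recent = [t for t in failures[key]
                      if (ts - t).total_seconds() <= BURST_WINDOW_SECONDS]
            failures[key] = recent
            if len(recent) == FAILED_LOGIN_BURST:   # fire once per burst
                alerts.append(("failed_login_burst", user, ts))
        elif e["event"] == "export" and int(e.get("bytes", 0)) >= EXPORT_ALERT_BYTES:
            # Bulk export of customer records.
            alerts.append(("large_export", user, ts))
    return alerts


if __name__ == "__main__":
    for rule, user, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {rule:<26} user={user}")
```

Run against the constructed log, this fires four alerts: an off-hours login and a large export by the same account within minutes (the pattern that should page someone), a login by an account that should have been disabled days earlier, and a burst of failed administrator logins from one external address. The thresholds are deliberately simple; the point is that each of these conditions is visible in the DMS audit trail only if those logs are being collected and watched.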

What Does the FTC Safeguards Rule Require From Dealerships?

The FTC Safeguards Rule (16 CFR Part 314) requires auto dealerships to maintain a written information security program, designate a Qualified Individual to oversee it, encrypt customer information, implement access controls and MFA, monitor or test their systems, and conduct regular risk assessments. Because dealerships extend credit and arrange financing, they are “financial institutions” under the Gramm-Leach-Bliley Act, so the rule applies directly.

Key requirements include:

  • A designated Qualified Individual responsible for the security program.
  • Encryption of customer information in transit over external networks and at rest.
  • Multi-factor authentication for anyone accessing customer information.
  • Written risk assessments and a written incident response plan.
  • Continuous monitoring, or else annual penetration testing plus vulnerability assessments at least every six months.
  • Security awareness training for staff, and a written retention policy that disposes of customer information no later than two years after it was last needed for a product or service, unless a legal or business reason requires keeping it.
  • Service provider oversight, including security expectations written into vendor contracts and periodic assessment of those providers.
  • Reporting at least annually to the dealership’s board or ownership on the program’s status.
  • Since May 2024, notifying the FTC within 30 days of discovering a breach of unencrypted customer information that involves 500 or more consumers.

Non-compliance carries real financial penalties and amplifies liability after a breach. The good news: nearly every Safeguards requirement overlaps with the security controls described above, so doing DMS security well and meeting the rule largely happen together.

How Should a Dealership Back Up and Recover Its Data?

A dealership should maintain encrypted, tested backups following the 3-2-1 rule — three copies of data, on two types of media, with one stored offsite or in immutable cloud storage. Backups are the last line of defense against ransomware, but only if they’re isolated from the production network and verified regularly.

The critical details dealerships miss:

  • Immutable or offline backups. If your backup can be reached and encrypted by the same attack, it isn’t a backup. Immutable (object-lock or WORM) storage prevents tampering even if an attacker obtains administrative credentials, provided the retention period cannot be shortened with those same credentials; use a compliance-style lock and keep backup-administration accounts separate from the DMS and domain admins.
  • Tested restores. A backup you’ve never restored is a guess. Periodic test restores confirm recovery times and data integrity.
  • Defined RTO and RPO. Know how long you can be down (recovery time objective) and how much data you can afford to lose (recovery point objective), then build backup frequency to match.

When the DMS vendor itself is the point of failure — as in the CDK incident — having your own exported records, deal jackets, and local backups can be the difference between writing deals on paper for a day versus stalling completely.
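The backup points above reduce to a few checks you can run on a schedule: does the set of copies satisfy 3-2-1, is at least one copy immutable with separated retention control, is the newest copy within your RPO, has a restore actually been exercised recently, and does a restored copy match what was backed up byte for byte. The following is an added example written for this article, not code from the page or from any backup product. The backup catalog, the objectives, the check names, and the sample deal-jacket files are constructed assumptions; the hashing and the catalog checks are the real content.

```python
"""Backup-policy and restore-verification checks for a dealership's DMS exports.

Added example, not part of the original article or of any backup product.
The catalog entries, objectives and file contents are constructed; the check
names are assumptions illustrating the 3-2-1, immutability, RPO and
tested-restore points made above.
"""
import hashlib
from datetime import datetime, timedelta

NOW = datetime(2024, 6, 20, 8, 0)          # fixed "now" so the example is deterministic
RPO = timedelta(hours=24)                  # maximum acceptable data loss (assumption)
RESTORE_TEST_MAX_AGE = timedelta(days=90)  # a restore must have been exercised this recently

# Constructed backup catalog: where each copy lives and what protects it.
CATALOG = [
    {"name": "local-nas", "media": "disk", "offsite": False, "immutable": False,
     "retention_admin_separate": False,
     "last_backup": NOW - timedelta(hours=6), "last_restore_test": NOW - timedelta(days=30)},
    {"name": "cloud-locked", "media": "object", "offsite": True, "immutable": True,
     "retention_admin_separate": True,
     "last_backup": NOW - timedelta(hours=6), "last_restore_test": NOW - timedelta(days=30)},
    {"name": "tape-vault", "media": "tape", "offsite": True, "immutable": True,
     "retention_admin_separate": True,
     "last_backup": NOW - timedelta(days=7), "last_restore_test": NOW - timedelta(days=200)},
]


def check_321(catalog):
    """3-2-1 plus one immutable copy whose retention the ordinary backup
    admin cannot shorten. Returns a list of findings (empty means pass)."""
    findings = []
    if len(catalog) < 3:
        findings.append("fewer than 3 copies")
    if len({c["media"] for c in catalog}) < 2:
        findings.append("fewer than 2 media types")
    if not any(c["offsite"] for c in catalog):
        findings.append("no offsite copy")
    if not any(c["immutable"] and c["retention_admin_separate"] for c in catalog):
        findings.append("no immutable copy with separated retention admin")
    return findings


def check_recovery_objectives(catalog, now=NOW):
    """Per copy: is the newest backup inside the RPO, and has a restore been
    exercised recently enough that the RTO estimate can be trusted?"""
    findings = []
    for c in catalog:
        if now - c["last_backup"] > RPO:
            findings.append(f"{c['name']}: last backup older than RPO")
        if now - c["last_restore_test"] > RESTORE_TEST_MAX_AGE:
            findings.append(f"{c['name']}: restore not tested in {RESTORE_TEST_MAX_AGE.days} days")
    return findings


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(files):
    """Hash every file at backup time; the manifest is stored with the backup."""
    return {path: sha256(content) for path, content in files.items()}


def verify_restore(manifest, restored):
    """A test restore passes only if every file is present and hashes match."""
    missing = [p for p in manifest if p not in restored]
    corrupt = [p for p in manifest if p in restored and sha256(restored[p]) != manifest[p]]
    return {"ok": not missing and not corrupt, "missing": missing, "corrupt": corrupt}


if __name__ == "__main__":
    # Constructed "production" data: a deal export and a customer list.
    prod = {"deals/2024-06-19.csv": b"stock,buyer,amount\nA123,J. Doe,24999\n",
            "customers.csv": b"id,name\n1,J. Doe\n"}
    manifest = make_manifest(prod)
    restored = dict(prod)
    restored["customers.csv"] = b"id,name\n1,J. Dow\n"   # simulate silent corruption
    print("3-2-1 findings:", check_321(CATALOG))
    print("objective findings:", check_recovery_objectives(CATALOG))
    print("restore verification:", verify_restore(manifest, restored))
```

With the constructed catalog the 3-2-1 check passes, but the tape copy fails both recovery-objective checks (a week-old backup against a 24-hour RPO, and a restore last tested 200 days ago), and the simulated restore is flagged because one file no longer matches its recorded hash. Those are the findings that turn “we have backups” into a statement you can defend after an incident.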

Frequently Asked Questions

Q: Is DMS security my responsibility or the vendor’s? A: Both. Your DMS vendor secures their platform, but you are responsible for access controls, network security, employee training, backups, and FTC Safeguards compliance on your side. The CDK outage showed that you cannot rely on the vendor alone — your internal controls are what you can govern directly.

Q: How much does dealership IT security cost? A: Cost depends on dealership size, number of rooftops, and existing infrastructure, but most dealers find managed security far cheaper than a single breach. A documented incident response, MFA, EDR, and monitoring typically fit within a predictable monthly managed-services budget rather than a large capital expense.

Q: Does the FTC Safeguards Rule really apply to car dealers? A: Yes. Because dealerships arrange financing and extend credit, the FTC treats them as financial institutions under the Gramm-Leach-Bliley Act, making the Safeguards Rule directly applicable, including its MFA, encryption, and written-program requirements.

Q: What’s the single most important DMS security control? A: Multi-factor authentication combined with least-privilege access. The majority of intrusions begin with stolen credentials, and MFA blocks most of those attacks outright while limiting what any single compromised account can reach.

Q: How do I know if my dealership is already compliant and secure? A: Start with a security risk assessment that reviews access controls, network segmentation, backups, monitoring, and Safeguards documentation. COMNEXIA performs these assessments for Atlanta-area dealerships and provides a clear remediation roadmap.

Securing Your DMS With an Experienced Partner

DMS security is not a one-time project — it’s an ongoing program of access control, segmentation, monitoring, backups, and compliance that adapts as threats evolve. For 35 years, COMNEXIA has helped Atlanta-area dealerships build exactly that, combining deep automotive DMS expertise with the FTC Safeguards knowledge dealers need today.

If you want to know where your dealership stands, explore our automotive dealership IT services or learn how our managed IT services deliver the monitoring and protection a modern DMS demands. Based in Roswell, GA, we understand both the technology and the realities of running a dealership.
