Cybersecurity – Questions to Ask Your Telematics Provider

SECURITY IS A COMPLEX TOPIC THAT DEALS WITH EVERY PART OF A TELEMATICS SYSTEM.

Simply asking “is our data secure?” isn’t enough. With valuable data on the line, your questions should aim deeper. Look for specific implementations and strategies that form the very basis of modern security standards. The following questions are intended to serve as a primer to help you engage telematics providers about the security of your telematics data.

1. WHO MANUFACTURERS THE TELEMATICS HARDWARE? WILL THE DEVICE BE THE SAME ACROSS MY ENTIRE FLEET?

Why It Is Important To Ask: If your telematics provider does not manufacture their own hardware, they may not have good insight into the security of the hardware. Similarly, if your provider does not have direct control over their hardware and software security, they may take longer to respond to threats or vulnerabilities because they will need to coordinate with third parties. Moreover, electronics are updated frequently. Different hardware models can introduce different sets of vulnerabilities for each model, meaning that more work will need to be done to patch these security holes across the entire product line. With more hardware variants, there is a higher demand for the engineers to maintain and fix security flaws — in this way resources may not be evenly spread and attention might waver because of product complexity, which can lead to omissions and unfound vulnerabilities.

Manufacturers must be the ones responsible for security for the life of the product.

2. DO YOU ENCRYPT THE DATA AS IT IS SENT OVER THE CELLULAR NETWORK?

Why It Is Important To Ask: Cellular carriers should not be exclusively relied upon to secure the delivery of your telematics data over the air. It is important that your telematics providers take additional steps to encrypt your data so that even if the cellular communication channel is compromised, your data will not be.

3. IS THE FIRMWARE SIGNED TO PREVENT OUTSIDE PARTIES FROM CHANGING THE CODE ON THE DEVICE?

Why It Is Important To Ask: The firmware is the brain behind the device — it decides where the data is sent, what data is captured, and how it is stored. If a malicious firmware were installed on your device, it would no longer be possible to know where your data is being sent or what is happening to it. Your telematics provider should sign every firmware update with a digital signature that indicates the update came from a trusted source.

4. DO YOU HAVE SECURITY DOCUMENTATION THAT COVERS YOUR HARDWARE, YOUR SERVERS, THE TRANSMISSION OF DATA, AS WELL AS POLICIES FOR EMPLOYEES?

Why It Is Important To Ask: Security documentation shows a baseline commitment to a culture of security. A telematics provider should be able to provide details on their security measures, as well as their mitigation and disaster recovery strategies in case something unexpected occurs. A security process outline document — like Geotab’s Technical and Organizational Data Security Measures Statement — goes a long way towards helping you understand what happens to your data.

5. IN THE EVENT THAT YOUR SERVERS ARE COMPROMISED, WHAT SORT OF MITIGATION STRATEGY DO YOU USE TO PROTECT THE ACCOUNT INFORMATION OF YOUR USERS?

Why It Is Important To Ask: If a security breach does occur, the system should contain as little personal information as possible. Passwords should never be stored directly in the system of your telematics provider; rather, passwords should be transformed into hashes and further strengthened through salting.