How a 6-Location Auto Dealership Group Rebuilt Its Infrastructure, Stood Up a Redundant Hub-and-Spoke WAN, and Hit FTC Safeguards Compliance

The Challenge

Our client, a 6-rooftop auto dealership group, was running a patchwork of site-by-site infrastructure that no longer matched how the business actually worked. • DMS data needed to move cleanly between rooftops, but the network was a mix of consumer-grade circuits, flat LANs, and inconsistent firewalls • Any single circuit outage at a store stalled deals, F&I, and service writeups • Microsoft 365 was deployed with default settings — no conditional access, no MFA, drifted policies, no DLP on customer financial data • Endpoints relied on legacy AV with no managed detection or response • The FTC Safeguards Rule applied to every rooftop, and they had no documented program, no risk assessment, and no qualified individual designated They needed one partner to redesign the network, secure the Microsoft stack, and stand up a real FTC Safeguards program — without slowing down sales, service, or the F&I office.

Our Approach

TRNSFRM ran the engagement using our IT Resilience Framework: Assess, Build, Transform. Assess • FTC Safeguards Rule gap assessment across all 6 rooftops, mapped to the dealership's actual data flows (DMS, F&I, credit apps, customer PII) • Inventoried every circuit, firewall, switch, AP, and endpoint at each store • Documented DMS dependencies and cross-site traffic patterns • Designated a Qualified Individual and built the written information security program Build — Redundant Hub-and-Spoke WAN • Designed a hub-and-spoke WAN with the corporate hub as the aggregation point and each rooftop as a spoke • Dual-circuit (primary + LTE/secondary) at every site with automatic failover routing so DMS and core apps stay online during a circuit outage • Standardized next-gen firewalls, switches, and Wi-Fi across all locations with consistent VLAN segmentation (corporate, F&I, service, guest, IoT) • Centralized monitoring and configuration management so policy is identical at every rooftop Microsoft 365 Hardening + Policy Drift Remediation • Re-baselined Microsoft 365 with custom conditional access, MFA, and security policies aligned to FTC Safeguards • Deployed continuous policy drift monitoring and automated remediation so settings stay where we set them • Rolled out DLP and data labeling to protect customer financial information in email, SharePoint, OneDrive, and Teams Endpoint and Identity Security • Replaced legacy AV with managed detection and response (MDR) and 24x7 monitoring • Deployed Duo MFA across VPN, RDP, DMS access, and admin workflows • Hardened privileged access and centralized logging tied to documented incident response procedures • Delivered Safeguards-aligned security awareness training for every employee at every rooftop

The Outcome

In one coordinated program, the dealership group went from a fragile, store-by-store IT footprint to a unified, redundant, FTC Safeguards-aligned environment. • 6 rooftops connected on a redundant hub-and-spoke WAN with automatic failover routing • Dual-circuit resilience at every store — DMS access stays up through circuit outages • Microsoft 365 hardened with conditional access, MFA, DLP, and continuous policy drift remediation • MDR and 24x7 monitoring deployed across all endpoints; legacy AV retired • Duo MFA enforced on VPN, remote access, and privileged workflows • FTC Safeguards Rule program documented end-to-end: risk assessment, written program, Qualified Individual, training, and incident response • Sales, service, and F&I keep moving even when an ISP doesn't

Services Delivered

• Cybersecurity Operations
• Governance & Compliance
• Managed IT
• vCIO

Related resources

Book Your Strategy Call Today

No pressure. No sales pitch. Just a conversation with an expert to map out your risks, gaps, and next steps toward compliance and security.

Walk away with a written risk snapshot. No NDA, no sales pitch — or we'll send you a $50 Amazon gift card.

Not ready to book? Get Your Cyber Score — free, 2 minutes.