5 Principles of CRM Security

CRM systems are fertile ground for security breaches. By their nature, most CRM deployments involve mobile devices: notebook computers that employees carry into the field and, increasingly, tablet applications that rely on wireless connections. A mobile device is exposed to threats an office desktop is not, ranging from attacks on its communication links to simple theft of the device itself.

The following five practices will substantially improve the security of your CRM system:

Encrypt your remote data. Do you encrypt data on laptops and other mobile devices? As a first line of defense, all confidential data on mobile devices should be encrypted. For notebooks, use a software encryption solution that protects the whole disk if you can, or at minimum encrypt any business-critical files; the data on a stolen but unencrypted drive can be read by anyone who removes it from the machine.

  • Do you have password protection on all mobile devices?
  • Do you require strong passwords and frequent changes? Many organizations require combinations of numbers and letters at least six characters long and have users change them every 30 to 60 days. Bear in mind that length matters far more than forced rotation: a longer passphrase that is checked against lists of known-breached passwords protects better than a short one replaced every month.
  • Alternatively, do you use other, more secure, authentication methods in place of passwords? This can involve separate physical keys, such as USB tokens, which must be plugged into the computer before files become accessible. Keep the key separate from the computer, not in the computer case, or a thief gets both at once.
  • Do you have an independent firewall on your mobile products? Although Windows XP and Vista both ship with a firewall, many experts recommend adding a more capable third-party product, especially if you’re using a wireless connection.

Watch your wireless connections. Data is at its most vulnerable when it is in transit. This is especially true if you use wireless connections at your home office or in a public place, for example your local coffee shop.

  • Do you use the appropriate level of Wi-Fi encryption? Wi-Fi modems and routers should use WPA2 (Wi-Fi Protected Access 2), or at least WPA, to prevent unauthorized access. The older WEP (Wired Equivalent Privacy) standard is broken: its keys can be recovered from captured traffic in minutes, so it offers little more protection than an open network.
  • Do you broadcast your SSID (Service Set Identifier)? The SSID is the network name of your wireless network and is required for devices to connect to it. Most routers or wireless access points will allow you to disable the broadcasting of the SSID. Treat this as a minor hurdle only: the SSID is still sent in the clear whenever a client associates, so hiding it is no substitute for WPA2.
  • Do you use file and printer sharing? This networking feature is particularly useful on home networks but can be a security concern on public networks. Consider disabling this feature for public connections.

Consider role-based security. Role-based security means defining a set of finely grained roles, each carrying a specific bundle of access and other privileges, and assigning employees to those roles. An employee holds only the privileges associated with his or her roles; anything not explicitly granted is denied. When designing roles, consider what employees actually do, not their position in the organization chart. Each role should give employees the privileges they need to do their job and no more, and where a job only touches the records the employee owns (a sales representative's own opportunities, for example), the role should say so.
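The following Python sketch is an added example, not code from the original article or from any CRM product. The roles (sales_rep, sales_manager, support_agent), the resources, and the records are assumptions chosen to illustrate the design: roles are named for job functions, every permission not explicitly granted is denied, and a permission can be limited to records the user owns.

```python
"""Role-based access control for a CRM, reduced to its core.

Added illustration; role names, permissions and records are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    resource: str           # kind of CRM object: "contact", "opportunity", "case", "report"
    action: str             # "read", "create", "update", "delete", "export"
    own_only: bool = False  # True: the holder may only touch records they own


@dataclass(frozen=True)
class Record:
    resource: str
    owner: str              # username of the record's owner
    record_id: int


@dataclass(frozen=True)
class User:
    username: str
    roles: tuple[str, ...]


def perms(*specs: str, own_only: bool = False) -> set[Permission]:
    """Expand 'resource:action' strings into Permission objects."""
    return {Permission(*s.split(":"), own_only) for s in specs}


# Roles are named after what people do, not their org-chart title (assumed set).
# Note what is missing: nobody can delete, and only managers can export.
ROLES: dict[str, frozenset[Permission]] = {
    "sales_rep": frozenset(
        perms("contact:read", "contact:create")
        | perms("opportunity:read", "opportunity:create", "opportunity:update",
                own_only=True)
    ),
    "sales_manager": frozenset(
        perms("contact:read", "contact:update",
              "opportunity:read", "opportunity:update",
              "report:read", "report:export")
    ),
    "support_agent": frozenset(
        perms("contact:read")
        | perms("case:read", "case:create", "case:update", own_only=True)
    ),
}


def effective_permissions(user: User) -> set[Permission]:
    """Union of the user's roles; an unknown role name grants nothing."""
    result: set[Permission] = set()
    for role in user.roles:
        result |= ROLES.get(role, frozenset())
    return result


def authorize(user: User, action: str, record: Record) -> bool:
    """Deny by default.

    Allow only if some held permission matches the record's resource and the
    requested action, and, for own_only permissions, the user owns the record.
    """
    for p in effective_permissions(user):
        if p.resource != record.resource or p.action != action:
            continue
        if not p.own_only or record.owner == user.username:
            return True
    return False


if __name__ == "__main__":
    alice = User("alice", ("sales_rep",))
    bobs_deal = Record("opportunity", owner="bob", record_id=42)
    own_deal = Record("opportunity", owner="alice", record_id=43)
    print("alice updates bob's deal:", authorize(alice, "update", bobs_deal))
    print("alice updates her own deal:", authorize(alice, "update", own_deal))
```

The check is a whitelist: adding a new action or resource to the system grants nothing until some role is edited to include it, which is the property you want when the CRM holds the whole customer list.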

Educate your staff. Do you keep employees up to date on security best practices? All the hardware in the world won’t help if your staff doesn’t understand enough to take basic precautions to prevent systems from being compromised.


  • Do you have an ongoing security education program? Are your people made aware of the dangers of sharing, writing down passwords, etc.?
  • Are your people trained not to open attachments from unknown sources?
  • Are they taught not to add unauthorized file sharing applications to their systems?

Beware of phishing. Phishing and its variants are a major source of security breaches. Most people know that phishing means sending forged email messages that try to get the recipient to submit confidential information such as credit card numbers or account details. Fewer people know the specific danger signs: a message that asks you to submit confidential information by email (a government agency or a bank will never do this), a link whose visible text points to one site while its destination is another, a reply address on a different domain from the sender's, and pressure to act within hours or face account suspension. Although the idea of phishing is common knowledge, it still succeeds because organizations don’t make a point of alerting their employees to these signs. You should have a policy for dealing with suspicious emails, make sure your employees know what makes an email “suspicious”, and tell them where to report one.
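As an added example, not part of the original article, the Python below turns those danger signs into checks that run over a raw email message. The two messages it inspects are constructed for the illustration, the domains in them are made up, and the keyword lists are assumptions; a real mail gateway would use far richer rules, but the structure of the checks is the same.

```python
"""Screen an email for common phishing signals.

Added illustration; sample messages, domains and keyword lists are constructed.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed keyword lists: phrases that ask for secrets, and phrases that apply pressure.
CREDENTIAL_WORDS = ("password", "account number", "credit card",
                    "social security", "verify your account", "confirm your identity")
URGENCY_WORDS = ("within 24 hours", "suspend", "immediately", "urgent")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str | None) -> str:
    """Crude last-two-labels domain ('www.bank.example' -> 'bank.example')."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def domain_in_text(text: str) -> str:
    """Return the registered domain of a host name or URL appearing in link text, else ''."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
    return registered_domain(m.group(1)) if m else ""


def body_text(msg) -> str:
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def phishing_signals(raw_message: str) -> list[str]:
    """Return a human-readable list of danger signs found; empty means none."""
    msg = message_from_string(raw_message)
    signals: list[str] = []

    sender_domain = registered_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_domain = registered_domain(parseaddr(reply_to)[1].rpartition("@")[2])
        if reply_domain != sender_domain:
            signals.append(f"Reply-To domain {reply_domain} differs from sender {sender_domain}")

    body = body_text(msg)
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        shown, actual = domain_in_text(text), registered_domain(urlparse(href).hostname)
        if shown and actual and shown != actual:
            signals.append(f"link text shows {shown} but points to {actual}")

    haystack = (msg.get("Subject", "") + "\n" + body).lower()
    if any(w in haystack for w in CREDENTIAL_WORDS):
        signals.append("asks for credentials or account details")
    if any(w in haystack for w in URGENCY_WORDS):
        signals.append("uses urgency or threat of suspension")
    return signals


# Constructed sample messages (not real mail; every domain is invented).
PHISH = """\
From: First National Bank Security <alerts@firstnational-bank.example>
Reply-To: verify@mail-secure-login.example
To: jane@crm-customer.example
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body><p>Your account will be suspended within 24 hours. Please verify your
password and account number at
<a href="http://secure-login.mail-secure-login.example/verify">https://www.firstnational-bank.example/login</a>.</p></body></html>
"""

NEWSLETTER = """\
From: Newsletter <news@firstnational-bank.example>
To: jane@crm-customer.example
Subject: March newsletter
Content-Type: text/html; charset=utf-8

<html><body><p>Read this month's stories at <a href="https://www.firstnational-bank.example/news">our news page</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("newsletter", NEWSLETTER)):
        print(name, "->", phishing_signals(raw) or ["no signals"])
```

None of these checks is proof on its own, which is why the function returns the list of signs rather than a verdict: a policy can route any message with two or more signals to the help desk while leaving the final call to a person.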

With some simple adjustments and employee education, the security of your CRM system will be strengthened, keeping these powerful sales and customer service tools secure.

This entry was posted in Customer Relations Management (CRM), March 2012, Newsletter.
