CRM systems: protection or threat?

    March 31 is international backup day, and the week before it is always full of security-related stories. On Monday we already learned about the compromised Asus and the “three unnamed manufacturers.” Especially superstitious companies spend the whole week on pins and needles, making backups. All of this happens because we are all a bit careless about security: someone doesn't fasten the seat belt in the back seat, someone ignores the expiration date of products, someone keeps a username and password under the keyboard or, better still, writes all passwords in a notebook. Some people manage to disable antivirus software “so as not to slow down the computer” and do not use separation of access rights in corporate systems (what secrets could there be in a company of 50 people!). Humanity has probably just not yet developed a cyber self-preservation instinct, which may well become a new basic instinct.

    Business has not developed such instincts either. A simple question: is a CRM system a threat to information security or a security tool? Hardly anyone can answer with certainty right away. Here we have to start the way we were taught in English lessons: it depends... It depends on the settings, the form of CRM delivery, the habits and beliefs of the vendor, how careless the employees are, and the sophistication of the attackers. In the end, anything can be hacked. So how do you live with that?

    CRM system as protection

    Protecting data on commercial and operational activities and reliably storing the customer base is one of the main tasks of a CRM system, and in this respect it stands head and shoulders above the rest of the application software in the company.

    You probably started reading this article and smirked to yourself: who needs your information anyway? If so, you have probably never dealt with sales and do not know how much demand there is for “live”, high-quality customer bases and for information on the methods of working with them. The contents of a CRM system are of interest not only to the company's management, but also to:

    • Attackers (less often) - they have a goal tied specifically to your company and will use every resource to get the data: bribing employees, hacking, buying your data from managers, interviewing managers and so on.
    • Employees (more often), who can act as insiders for your competitors. They are simply ready to take the customer base with them or sell it for their own gain.
    • Amateur hackers (very rarely) - the cloud where your data is located or your network may be hacked, or someone may want to “pull out” your data just for fun (for example, data on pharmacy or alcohol wholesalers - it is simply interesting to look at).

    [Image: this is how information security happens in small and medium-sized businesses. From LJ]

    If someone gets into your CRM, they gain access to your operational activities, that is, to the body of data with which you make most of your profit. From the moment malicious access to the CRM system is gained, the profit starts smiling on whoever holds the customer base. Or on their partners and customers (read: new employers).

    A good, reliable CRM system can close these risks and bring a number of pleasant security bonuses.

    So what does a CRM system do in terms of security?

    (we use RegionSoft CRM as the example, because we cannot vouch for others)

    • Two-factor authentication using a USB key and password. RegionSoft CRM supports two-factor authentication of users at login. In this mode, in addition to entering the password, the user must insert a USB key that has been initialized in advance into a USB port of the computer. Two-factor mode protects against theft or disclosure of a password.

    • Starting only from trusted IP and MAC addresses. For enhanced security, you can restrict users to logging in exclusively from registered IP addresses and MAC addresses. The registered IP addresses can be internal addresses on the local network or external addresses if the user connects remotely (via the Internet).
    • Domain authorization (Windows authorization). System startup can be configured so that no user password has to be entered at login. In this case Windows authorization takes place, which identifies the user via WinAPI. The system starts as the user under whose profile the computer is running at the time of startup.
    • Another mechanism is private clients. Private clients are clients whom only their curator can see. These clients are not displayed in the lists of other users, even if those users have a full set of permissions, including administrator rights. This makes it possible to protect, for example, a pool of especially important customers, or a group selected on some other basis, which is entrusted to a reliable manager.
    • Separation of access rights is the standard, primary protection measure in CRM. To simplify the administration of user rights, RegionSoft CRM assigns rights not to specific users but to templates. Each user is then assigned a template that carries a certain set of rights. This lets you give every employee, from a novice or trainee to the director, the authority and access rights that will or will not allow them to reach confidential data and important business information.
    • Automatic data backup system, configured using the RegionSoft Application Server script server.
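The template-based rights and the private-client rule from the list above can be modelled in a few lines. This is an added illustration, not RegionSoft CRM code: the class names, right names and sample users are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Template:
    name: str
    rights: frozenset   # rights live on the template, never on the user

@dataclass(frozen=True)
class User:
    login: str
    template: Template

@dataclass(frozen=True)
class Client:
    name: str
    curator: str        # login of the responsible manager
    private: bool = False

# Constructed templates; the right names are hypothetical.
TRAINEE = Template("trainee", frozenset({"clients.view_own"}))
MANAGER = Template("manager", frozenset({"clients.view_own", "clients.view_all"}))
ADMIN = Template("admin", frozenset({"clients.view_own", "clients.view_all",
                                     "reports.export", "users.manage"}))

def can(user, right):
    return right in user.template.rights

def visible_clients(user, clients):
    """Names of the clients this user may see in lists."""
    names = []
    for c in clients:
        own = c.curator == user.login and can(user, "clients.view_own")
        # "view_all" is honoured only for non-private clients, so even a
        # template holding every right cannot list another curator's
        # private client.
        if own or (not c.private and can(user, "clients.view_all")):
            names.append(c.name)
    return names

def exportable_clients(user, clients):
    """Export needs its own right and never widens what the user can see."""
    return visible_clients(user, clients) if can(user, "reports.export") else []

# Constructed sample data.
CLIENTS = [Client("Acme Pharma", "olga", private=True),
           Client("Baltic Wholesale", "olga"),
           Client("Corner Shop", "ivan")]
olga, ivan, root = User("olga", MANAGER), User("ivan", TRAINEE), User("root", ADMIN)

if __name__ == "__main__":
    for u in (olga, ivan, root):
        print(u.login, visible_clients(u, CLIENTS), exportable_clients(u, CLIENTS))
```

Changing what a whole group of employees may do means editing one template, and the administrator still cannot see the private client because the private check does not consult the template at all.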

    This is how security is implemented in one particular system; each vendor has its own policies. Still, a CRM system really does protect your information: you can see who took a particular report and how many times, who looked at what data, who did the upload, and much more. Even if you learn about a vulnerability after the fact, the act will not go unpunished, and you will easily identify the employee who abused the company's trust and loyalty.

    Relaxed? Too early! With carelessness and disregard for data protection problems, this same protection can work against you.

    CRM system as a threat

    If your company has at least one PC, it is already a source of cyberthreats. Accordingly, the degree of threat grows with the number of workstations (and employees) and with the variety of installed and used software. With CRM systems the situation is not simple: after all, this is a program designed to store and process your most important and expensive asset, the customer base and commercial information, and here we are telling horror stories about its security. In fact, things are not so gloomy up close, and with proper handling you will get nothing from a CRM system other than benefit and security.

    What are the signs of a dangerous CRM system?

    Let's start with a short tour of the basics. CRM systems come in cloud and desktop forms. Cloud systems are those whose DBMS (database) is located not in your company but in a private or public cloud in some data center (for example, you sit in Chelyabinsk while your database runs in a super cool data center in Moscow, because the CRM vendor decided so and has an agreement with that provider). Desktop systems (also called on-premise or server systems, which is not quite accurate) keep their DBMS on your own servers (no, do not picture a huge server room with expensive racks; in small and medium business it is most often a lone server or even an ordinary PC of modern configuration), that is, physically in your office.

    Unauthorized access is possible with both types of CRM, but the speed and ease of access differ, especially when it comes to SMBs, which do not pay much attention to information security.

    Sign of danger No. 1

    The reason data problems are more likely in a cloud system is that the relationship consists of several links: you (the CRM tenant) - vendor - provider (there is a longer version: you - vendor - vendor's IT outsourcer - provider). A relationship of 3-4 links carries more risk than one of 1-2: a problem can arise on the side of the vendor (a contract change, non-payment for the provider's services), on the side of the provider (force majeure, hacking, technical problems), on the side of the outsourcer (a change of manager or engineer), etc. Of course, large vendors try to have backup data centers, manage risks and keep their own DevOps department, but this does not rule out problems.

    Desktop CRM is generally not rented but purchased by the company, so the relationship looks simpler and more transparent: during implementation the vendor sets up the necessary security levels (from separation of access rights and a physical USB key to placing the server in a concrete wall, etc.) and hands control over to the company that owns the CRM, which can then strengthen security, hire a system administrator, or contact its software provider as necessary. The problems come down to working with employees, network security, and physical information security. With desktop CRM, even a complete loss of Internet access will not stop work, since the database is located in the company's "native" office.

    One of our employees, who worked at a company developing a cloud suite of integrated office systems, including CRM, tells about cloud technology. “At one of my places of work, the company created something very similar to a basic CRM, and all of this was connected with online documents, etc. Once, in GA, we saw abnormal activity from one of the subscribing clients. Imagine the surprise of us analysts when we, not being developers but having a high level of access, were simply able to open the interface that the client used by clicking on it and see what kind of sign it was popular with. By the way, it seems that the client would not have wanted anyone to see this commercial data. Yes, it was a bug, and it was not fixed for several years - in my opinion, things are still there. Since then I have been an adherent of the desktop and don't really trust the clouds, although, of course, we use them at work and in our personal lives, where funny screw-ups have also happened.”

    [Image: from our survey on Habr; the respondents are employees of advanced companies]

    Data in a cloud CRM system can be lost because of server failure, server unavailability, force majeure, the vendor ceasing operations, etc. The cloud means constant, uninterrupted Internet access, so protection must be unprecedented: at the level of code, access rights, and additional cybersecurity measures (for example, two-factor authentication).

    Sign of danger No. 2

    Here we are talking not about a single sign but about a group of signs associated with the vendor and its policies. We list some important examples that we and our employees have encountered.

    • The vendor may choose an insufficiently reliable data center in which its clients' DBMSs will “spin”. It will cut costs, fail to monitor the SLA, fail to calculate the load, and the result will be fatal for you.
    • The vendor may refuse to transfer the service to the data center of your choice. This is a fairly common restriction for SaaS.
    • The vendor may have a legal or economic conflict with the cloud provider, and then, during the “showdown”, backup operations or, for example, speed may be limited.
    • Backup may be provided as a separately priced service. This is a common practice that a client of a CRM system may discover only at the moment a backup is needed, that is, at the most critical and vulnerable moment.
    • Vendor employees can have unhindered access to customer data.
    • Data breaches of any nature can occur (human factor, fraud, hackers, etc.).

    Typically these problems are associated with small or young vendors; however, large ones have repeatedly ended up in unpleasant stories too (google it). Therefore you should always have ways to protect information on your side, and you should discuss security issues with your chosen CRM provider in advance. The very fact of your interest in the problem will push the supplier to treat the implementation as responsibly as possible (this is especially important if you are dealing not with the vendor's own office but with its partner, who cares about closing the contract and getting a commission, not about all this two-factor stuff... well, you get the idea).

    Sign of danger No. 3

    How security work is organized in your company. A year ago we, as is our tradition, wrote about security on Habr and conducted a survey. The sample was not very large, but the answers are indicative:

    At the end of the article we give links to our publications that analyze the “company - employee - security” relationship in detail; here we give a list of questions whose answers you should find inside your company (even if you do not need a CRM).

    • Where do employees store passwords?
    • How is access to storage on company servers organized?
    • How secure is the software that holds commercial and operational information?
    • Do all employees have active antiviruses?
    • How many employees have access to customer data, and at what level of access?
    • How many new recruits do you have, and how many employees are in the process of being laid off?
    • How long has it been since you talked with key employees and listened to their requests and complaints?
    • Are printers controlled?
    • What is the policy on connecting personal gadgets to PCs and on using the work Wi-Fi?

    These are, in fact, basic questions - commenters will probably add more hardcore ones - but they are the foundation that even an individual entrepreneur with two employees should know.

    So how to protect yourself?

    • Backups are the most important thing, and they are often either forgotten or neglected. If you have a desktop system, set up data backup at a given frequency (for RegionSoft CRM, for example, this can be implemented using RegionSoft Application Server) and organize proper storage of the copies. If you have a cloud-based CRM, be sure to find out how backups are handled before signing a contract: you need information about depth and frequency, about the storage location, and about the cost of backup (often only the “last data for a period” backups are free, while full, secure backup is provided as a paid service). In short, this is definitely no place for cost-cutting or neglect. And yes, do not forget to check what actually gets restored from backups.
    • Separation of access rights at the level of functions and data.
    • Security at the network level - allow the use of CRM only within the office subnet, restrict access from mobile devices, and prohibit working with the CRM system from home or, even worse, from public networks (coworking spaces, cafes, client offices, etc.). Be especially careful with the mobile version - let it be only a heavily cut-down option for work.
    • Real-time antivirus scanning is needed in any case, and especially where the security of corporate data is concerned. At the policy level, prohibit users from disabling it themselves.
    • Training employees in cyber hygiene is not a waste of time but an urgent need. All colleagues need to understand that it is important not only to raise the alarm but also to respond correctly to a threat. Banning the use of the Internet or personal mail in the office is a last-century approach and a cause of sharp resentment, so you have to work on prevention.

    Of course, a sufficient level of security can be achieved with a cloud system too: use dedicated servers, configure routers and split traffic at the application level and the database level, use private subnets, introduce strict security rules for administrators, ensure uninterrupted operation through backups of the maximum necessary frequency and completeness, monitor the network around the clock... If you think about it, this is not so much difficult as expensive. But, as practice shows, only some companies, mainly large ones, take such measures. So we are not shy about saying it again: neither the cloud nor the desktop should be left to live on its own; protect your data.

    A few small but important tips for all CRM system deployments

    • Check the vendor for vulnerabilities - search for the word combinations “Vendor Name vulnerability”, “hacked Vendor Name”, “Vendor Name data leak”. This should not be the only criterion when looking for a new CRM system, but making a mental note is simply necessary, and it is especially important to understand the causes of the incidents.
    • Ask the vendor about its data centers: availability, how many there are, how failover is organized.
    • Configure security tokens in CRM, and track activity within the system and unusual spikes.
    • Disable report export and API access for non-core employees - that is, those who do not need these functions for their regular work.
    • Ensure that process logging and user activity logging are configured on your CRM system.
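Once user activity is logged, tracking "unusual spikes" in exports can start as a comparison of each user's daily export volume with that user's own history. The sketch below is an added example rather than part of any CRM product; the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from statistics import median

# Hypothetical audit-log format: "<ISO timestamp> user=<login> action=<name> rows=<n>"
LINE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) "
                  r"action=(?P<action>\S+) rows=(?P<rows>\d+)$")

def daily_exports(lines):
    """Sum exported rows per user per day; other actions and bad lines are skipped."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE.match(line.strip())
        if m and m["action"] == "export":
            totals[m["user"]][m["day"]] += int(m["rows"])
    return totals

def export_spikes(lines, factor=5, floor=500):
    """Flag days where a user exported more than `factor` times the median of
    their own earlier days. `floor` is the minimum volume worth an alert and
    also covers users with no export history at all."""
    alerts = []
    for user, days in sorted(daily_exports(lines).items()):
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]
            baseline = median(history) if history else 0
            if days[day] > max(floor, factor * baseline):
                alerts.append((day, user, days[day], baseline))
    return alerts

# Constructed sample log.
SAMPLE_LOG = """\
2019-03-25T10:02:11 user=olga action=export rows=120
2019-03-25T11:15:40 user=ivan action=view rows=1
2019-03-26T09:48:03 user=olga action=export rows=90
2019-03-27T10:20:19 user=olga action=export rows=150
2019-03-28T12:00:00 user=ivan action=export rows=2500
2019-03-28T18:55:02 user=olga action=export rows=4000
2019-03-28T19:01:44 user=olga action=export rows=3800
this line is malformed and is ignored
""".splitlines()

if __name__ == "__main__":
    for alert in export_spikes(SAMPLE_LOG):
        print("ALERT day=%s user=%s rows=%d baseline=%s" % alert)
```

The first-ever export by a user who normally only views records is flagged by the floor alone, which is the case a per-user baseline would otherwise miss.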

    These are trifles, but they complement the big picture perfectly. And, in fact, there are no trifles in security.

    By implementing a CRM system, you ensure the security of your data - but only if the implementation is done correctly and information security issues are not pushed into the background. You will agree that it is foolish to buy a car and not check the brakes, ABS, airbags, seat belts, EDS. After all, the point is not just to drive but to drive safely and arrive safe and sound. It is the same with business.

    And remember: if labor safety rules are written in blood, business cybersecurity rules are written in money.

    On the topic of cybersecurity and the place of the CRM system in it, you can read our detailed articles:
