CRM is a fertile ground for security breaches. By their nature, most CRM applications involve mobile devices, such as notebook computers that employees bring into the field, and many applications use wireless connections to talk to the server. As a general rule, any mobile device is more vulnerable to security breaches, ranging from attacks against communication links to simply having the device stolen.
The following five tips will greatly enhance the security of your CRM system:
- Encrypt your remote data.
  - Do you encrypt data on laptops and other mobile devices? As a first line of defense, all confidential data on mobile devices should be encrypted. Consider full-disk encryption software that encrypts everything on your notebooks. At the very least, business-critical information should be protected by encryption.
  - Do you have password protection on all mobile devices? Do you require strong passwords and frequent changes? Many organizations use combinations of numbers and letters at least six characters long and have users change them every 30 to 60 days.
  - Alternatively, do you use other, more secure authentication methods in place of passwords? More secure authentication methods can involve separate physical keys, such as USB drives, which need to be plugged into a computer to make files accessible. This is more secure if you keep the key separate from the computer, as on a key chain in your pocket or purse, not in the computer case.
  - Do you have an independent firewall on your mobile devices? Although Windows XP and Vista both come with firewalls, many experts recommend adding a more secure third-party product, especially if you’re using a wireless connection.
- Watch your wireless connections.

  Data is at its most vulnerable when it is in transit. This is especially true if you use wifi or other wireless connections to transmit your data to the home office.
  - Do you use the appropriate level of wifi encryption? Wifi communications can be encrypted with WPA (Wifi Protected Access) or the 802.11i standard to make interception much more difficult. The older WEP (Wired Equivalent Privacy) standard is much less secure.
  - Do you turn off the wifi client when you’re not using it? If your wifi client is left on, an intruder can try to use it to break into your computer. Turning off wifi when you don’t need it is an easy way to prevent unauthorized access.
  - Do you verify SSIDs (Service Set Identifiers) before using them? Setting up a fake SSID is one way to access a wifi session. Essentially, this involves setting up an access point on top of another wifi hot spot in such a way that there is at least an equal chance that anyone logging in through the hot spot will connect through the phony access point, which will then read and record the entire session.
  - Do you keep file and printer sharing disabled on your laptop? File and printer sharing are useful, but they also open dangerous vulnerabilities. If you aren’t using them, disable them.

  You may want to consider a policy of never using “open” (non-password-protected) wifi hot spots in airports, coffee shops and other public places to transact business.
- Consider role-based security.

  Role-based security refers to establishing a series of fine-grained classifications of your employees, each with a specific bundle of access and other privileges. Employees assigned to a classification have only the privileges associated with that role. When designing roles, carefully consider what employees actually do, not their position in the organization. Each role should give employees the privileges they need to do their job and no more.
- Educate your staff.
  - Do you keep employees up to date on security best practices? All the hardware in the world won’t help if your staff doesn’t understand enough to take basic precautions to prevent systems from being compromised.
  - Do you have an ongoing security education program? Are your people made aware of the dangers of sharing or writing down passwords, etc.?
  - Are your people trained not to open attachments from unknown sources?
  - Are they taught not to add “grayware,” such as unauthorized file sharing applications, to their systems?
- Beware of phishing.

  Phishing and its variants are a major source of security breaches. Most people know that phishing involves sending phony email messages with the aim of getting the victim to submit confidential information such as credit card numbers or account details. However, many people aren’t aware of the specific danger signs of phishing emails. For example, government agencies or banks will never ask you to submit confidential information in an email.

  While the idea of phishing is common knowledge, it still succeeds because organizations don’t make a point of alerting their employees to the dangers. You should have a policy for dealing with suspicious emails and make sure your employees are aware of what constitutes a “suspicious” email.
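The role-based security tip above, worked as a small access model. This is an added example written for this edit, not code from the original article: roles are named after what employees actually do in the CRM, a user holds only the union of their roles' privileges, the check fails closed for unknown users or roles, and a review helper goes slightly beyond the text by flagging privileges a role grants that none of its holders exercised, which is how the "and no more" rule gets enforced over time. Role names, privilege strings, users and the sample access log are all constructed.

```python
# Constructed CRM roles: keyed by duty, not by job title.
ROLE_PRIVILEGES = {
    "field_sales":   {"contact:read", "contact:write", "opportunity:write"},
    "sales_manager": {"contact:read", "opportunity:read", "report:run"},
    "support_agent": {"contact:read", "case:write"},
    "data_steward":  {"contact:read", "contact:export", "contact:delete"},
}

# Constructed user-to-role assignments; a user may hold several roles.
USER_ROLES = {
    "alice": {"field_sales"},
    "bob":   {"support_agent"},
    "carol": {"sales_manager", "data_steward"},
}


def privileges_for(user):
    """Union of the privileges of every role the user holds.
    Unknown users or unknown roles contribute nothing, so the
    check fails closed instead of granting access by accident."""
    privs = set()
    for role in USER_ROLES.get(user, ()):
        privs |= ROLE_PRIVILEGES.get(role, set())
    return privs


def is_allowed(user, privilege):
    """The single authorization check the CRM calls before an action."""
    return privilege in privileges_for(user)


def unused_privileges(role, exercised):
    """Least-privilege review for one role.

    `exercised` is a set of (user, privilege) pairs taken from an access
    log. Returns the privileges the role grants that no holder of the role
    used; these are the candidates for removal. Simplification: a privilege
    used by a holder counts as used even if another of their roles granted it.
    """
    holders = {u for u, roles in USER_ROLES.items() if role in roles}
    used = {p for u, p in exercised if u in holders}
    return ROLE_PRIVILEGES[role] - used


if __name__ == "__main__":
    # Constructed access log: alice only ever read contacts and edited deals.
    log = {("alice", "contact:read"), ("alice", "opportunity:write")}
    print(is_allowed("alice", "contact:write"))         # True
    print(is_allowed("bob", "contact:export"))          # False
    print(sorted(unused_privileges("field_sales", log)))  # ['contact:write']
```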