CRM systems in terms of cybersecurity: protection or threat?

March 31 is International Backup Day, and the week before it is always full of security stories. This Monday we already learned about the compromise of Asus and "three unnamed manufacturers". Particularly superstitious companies spend the whole week on pins and needles making backups. All of this stems from the fact that we are all a little careless about security: someone forgets to fasten the seat belt in the back seat, someone ignores the expiry date on groceries, someone keeps their username and password under the keyboard, or better still, writes all their passwords down in a notebook. Individuals manage to switch off their antivirus "so that the computer does not slow down" and skip the separation of access rights in corporate systems (what secrets could there be in a company of 50 people!). Mankind probably has simply not yet developed an instinct of cyber-self-preservation, which could in principle become a new basic instinct.

Business has not developed such an instinct either. A simple question: is CRM a threat to information security or a security tool? Hardly anyone can give a precise answer. Here we have to start the way we were taught in English lessons: it depends... It depends on the settings, the CRM delivery model, the habits and beliefs of the vendor, the carelessness of employees, and the ingenuity of attackers. After all, everything can be hacked. So how do you live with that?

(Image caption: this is information security in small and medium-sized businesses. From LJ.)

CRM system as protection

Protecting data on commercial and operational activity and securely storing the client base is one of the main tasks of a CRM system, and here it is head and shoulders above all other application software in the company.

You may have started reading this article with a quiet grin: who needs your information anyway? If so, you probably have not worked in sales and do not know how much demand there is for "live", high-quality customer bases and for information on how that base is worked. The contents of a CRM system are of interest not only to the company's management, but also to:

  • Attackers (less often) who have a goal tied specifically to your company and will use every resource to get the data: bribing employees, hacking, buying your data from managers, interviewing managers, and so on.
  • Employees (more often) who can act as insiders for your competitors. They are simply ready to take away or sell the client base for their own profit.
  • Amateur hackers (very rarely): the cloud where your data is located may be hacked, or your network may be, or someone may simply want to "pull out" your data for fun (for example, data on pharmacy or alcohol wholesalers, just out of curiosity).

If someone gets into your CRM, they gain access to your operations, that is, to the data on which you make most of your profit. And from the moment of malicious access to the CRM system, the profit starts to smile on whoever holds the customer base. Or on their partners and customers (read: new employers).

A good, reliable CRM system is able to close these risks and give a bunch of nice bonuses in the field of security.

So, what can a CRM system do in terms of security?

(Let's use RegionSoft CRM as the example, since we cannot speak for other systems.)

  • Two-factor authentication using a USB key and a password. RegionSoft CRM supports a two-factor authentication mode for users logging into the system. In this mode, in addition to entering a password, the user must insert a previously initialized USB key into the computer's USB port. Two-factor mode helps insure against theft or disclosure of the password.


  • Launch only from trusted IP and MAC addresses. For enhanced security, you can restrict users to logging in only from registered IP addresses and MAC addresses. Both internal addresses on the local network and external addresses (when the user connects remotely over the Internet) can be registered.
  • Domain authorization (Windows authentication). The system can be configured so that the user does not have to enter a password at login. In this case Windows authentication takes place, identifying the user via WinAPI, and the system starts under the Windows user profile under which the computer is running at that moment.
  • Another mechanism is private clients: clients that only their assigned handler can see. Such clients are not displayed in the lists of other users, even if those users have full permissions, including administrator rights. In this way you can protect, for example, a pool of especially important clients, or a group selected on some other basis, by entrusting it to a reliable manager.
  • The permission separation mechanism is the standard, first-priority protective measure in a CRM. To simplify administration of user rights, in RegionSoft CRM rights are assigned not to specific users but to templates, and each user is then assigned a template carrying a certain set of rights. This lets you give every employee, from newcomer and trainee to director, exactly the permissions and access rights that allow or deny access to confidential data and important business information.
  • Automatic data backup (backups), configurable with the Script Server in RegionSoft Application Server.
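
As an added illustration (not RegionSoft's code), here is a minimal model of the two access-control rules described above: rights granted through templates rather than to individual users, and private clients that stay hidden even from an administrator. The template names, rights, users and clients are all constructed for the example.

```python
# Added example (not RegionSoft's code): a minimal model of permission templates
# and private clients. Template names, rights, users and clients are constructed
# for illustration only.
from dataclasses import dataclass

# A template is a named set of rights; users are assigned templates, not rights.
TEMPLATES = {
    "trainee": {"client.view"},
    "manager": {"client.view", "client.edit", "deal.create"},
    "director": {"client.view", "client.edit", "deal.create", "report.export", "admin"},
}

@dataclass(frozen=True)
class User:
    login: str
    template: str

@dataclass(frozen=True)
class Client:
    name: str
    handler: str            # login of the manager responsible for this client
    private: bool = False   # private clients are visible only to their handler

def has_right(user: User, right: str) -> bool:
    """Rights come from the user's template; an unknown template grants nothing."""
    return right in TEMPLATES.get(user.template, set())

def visible_clients(user: User, clients: list[Client]) -> list[Client]:
    """Apply the private-clients rule: a private client is shown only to its
    handler, even when the requesting user holds the 'admin' right."""
    if not has_right(user, "client.view"):
        return []
    return [c for c in clients if not c.private or c.handler == user.login]

def can_export(user: User) -> bool:
    """Report export is a separate right, so it can be withheld from non-core staff."""
    return has_right(user, "report.export")

# Constructed sample data.
USERS = {
    "ivan": User("ivan", "manager"),
    "olga": User("olga", "director"),
    "new": User("new", "trainee"),
}
CLIENTS = [
    Client("Pharma Wholesale LLC", handler="ivan", private=True),
    Client("Corner Cafe", handler="ivan"),
    Client("City Alcohol Depot", handler="olga", private=True),
]

if __name__ == "__main__":
    for login, user in USERS.items():
        names = [c.name for c in visible_clients(user, CLIENTS)]
        print(f"{login:5} ({user.template}): sees {names}, export={can_export(user)}")
```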

This is how security is implemented in one particular system; each vendor has its own policies. Either way, a CRM system really does protect your information: you can see who generated a particular report and when, who viewed which data, who uploaded it, and much more. Even if you learn about an incident after the fact, the act will not go unpunished, and you can easily identify the employee who abused the company's trust and loyalty.

Relaxed? Too early! This same protection, if data protection issues are neglected and ignored, can work against you.

CRM system as a threat

If your company has at least one PC, that is already a source of cyber threat. Accordingly, the degree of threat multiplies as the number of workstations (and employees) grows and as the variety of installed and used software grows. And with CRM systems things are not simple: after all, this is a program designed to store and process the most important and expensive asset, the customer base and commercial information, and here we are telling horror stories about its security. In fact, things are not so gloomy up close, and with the right handling you will get nothing from a CRM system but usefulness and security.

What are the signs of a dangerous CRM system?

Let's start with a short tour of the basics. CRMs are either cloud or desktop. Cloud CRMs are those whose DBMS (database) is located not in your company but in a private or public cloud in some data center (for example, you are in Chelyabinsk, and your database is running in a super cool data center in Moscow because the CRM vendor decided so and has an agreement with that provider). Desktop CRMs (also called on-premise or server, though that term is no longer quite accurate) keep their DBMS on your own servers (no, no, don't imagine a huge server room with expensive racks; in small and medium-sized businesses this is most often a single server or even an ordinary PC of modern configuration), that is, physically in your office.

Unauthorized access is possible to both types of CRM, but the speed and ease of access differ, especially when we are talking about SMBs, which do not care much about information security.

Danger Sign #1


The reason for the higher probability of data problems in a cloud system is a chain of relationships with several links: you (the CRM tenant) - vendor - provider (or the longer version: you - vendor - the vendor's IT outsourcer - provider). Three or four links carry more risk than one or two: a problem can occur on the vendor's side (change of contract, non-payment for provider services), on the provider's side (force majeure, hacking, technical problems), on the outsourcer's side (change of manager or engineer), and so on. Of course, large vendors try to have backup data centers, manage risks and keep a DevOps department, but this does not exclude problems.

Desktop CRM is generally not rented but purchased by the company, so the relationship is simpler and more transparent: the vendor sets up the necessary levels of security during the CRM implementation (from access rights and a physical USB key to placing the server behind a concrete wall, etc.) and hands control over to the company that owns the CRM, which can strengthen protection, hire a system administrator, or contact the vendor as needed. The problems come down to working with employees, protecting the network and the physical protection of information. With a desktop CRM, even a complete loss of Internet connectivity will not stop work, since the database sits in your own office.

One of our employees, who worked at a company that developed cloud-based integrated office systems, including CRM, tells about cloud technologies: "At one of my jobs, a company was building something very similar to a basic CRM, and it was all about online documents and the like. Once, in GA, we saw anomalous activity from one of our subscriber clients. Imagine the surprise of us analysts when we, not being developers but having a high level of access, were simply able to open the interface the client was using by clicking on the link, to see what sort of table it was that was so popular. By the way, it seems the client would not have wanted anyone to see this commercial data. Yes, it was a bug, and it was not fixed for several years; in my opinion, things are still the same there. Since then I have been a desktop adept and do not really trust the clouds, although, of course, we use them at work and in our personal lives, where funny fuck-ups have also happened."

(Survey chart: from our survey on Habr, and these are employees of advanced companies.)

Data loss in a cloud CRM system may be caused by server failure, server unavailability, force majeure, the vendor going out of business, etc. The cloud means constant, uninterrupted access over the Internet, and its protection should be unprecedented: at the level of code, access rights and additional cybersecurity measures (for example, two-factor authentication).

Danger Sign #2


We are talking not about a single sign but about a group of signs associated with the vendor and its policies. Let's list some important examples that we and our employees have encountered.

  • The vendor may choose an insufficiently reliable data center where the clients' DBMS will run. It saves money, does not monitor the SLA, does not calculate the load, and the result is fatal for you.
  • The vendor may refuse you the right to move the service to a data center of your choice. This is a fairly common limitation for SaaS.
  • The vendor may have a legal or economic conflict with the cloud provider, and during the "showdown" backups or, for example, bandwidth may be limited.
  • Backup may be provided as a separately priced service. This is a common practice that a CRM client may learn about only when a backup is needed, that is, at the most critical and vulnerable moment.
  • Vendor employees may have unrestricted access to customer data.
  • Data leaks of any nature can occur (human factor, fraud, hackers, etc.).

Usually these problems are associated with small or young vendors; however, large ones have repeatedly found themselves in unpleasant stories (google it). Therefore, you should always have your own means of protecting information and discuss security issues with your chosen CRM provider in advance. The very fact that you are interested in the problem will force the supplier to take the implementation as seriously as possible (this is especially important if you are dealing not with the vendor's own office but with a partner, who cares about closing the deal and receiving a commission and not about your two-factor... well, you get it).

Danger Sign #3


How security work is organized in your company. A year ago we wrote our traditional piece about security on Habr and ran a survey. The sample was not very large, but the answers are indicative:

(Survey results chart.)

At the end of the article we will give links to our publications where we analyzed in detail the relationships in the "company - employee - security" system; here we provide a list of questions that should be answered within your company (even if you do not need a CRM).

  • Where do employees store passwords?
  • How is access to storage on the company's servers organized?
  • How is software that contains commercial and operational information protected?
  • Do all employees have an active antivirus?
  • How many employees have access to customer data, and at what level?
  • How many newcomers do you have, and how many employees are in the process of leaving?
  • Have you talked to key employees lately and listened to their requests and complaints?
  • Are printers monitored?
  • How is the policy on connecting personal gadgets to PCs and using the office Wi-Fi organized?

In fact, these are basic questions; people will probably add hardcore ones in the comments, but this is the base, the basics that even a sole proprietor with two employees should know.

So how do you protect yourself?

  • Backups are the most important thing, and the one most often forgotten or neglected. If you have a desktop system, set up a backup system with a given frequency (for RegionSoft CRM, for example, this can be done with RegionSoft Application Server) and organize proper storage of the copies. If you have a cloud CRM, be sure to find out before signing the contract how backups are organized: you need to know the retention depth and frequency, the storage location, and the cost (often only "latest data for a period" backups are free, while full, secure backups are provided as a paid service). In short, this is no place for savings or negligence. And yes, do not forget to test what is actually restored from the backups.
  • Separation of access rights at the level of functions and data.
  • Network-level security: allow the use of the CRM only within the office subnet, restrict access for mobile devices, and prohibit working with the CRM from home or, worse, from public networks (co-working spaces, cafes, client offices, etc.). Be especially careful with the mobile version; let it be only a heavily cut-down version for field work.
  • An antivirus with real-time scanning is needed in any case, and especially where corporate data security is at stake. Prevent users from disabling it themselves at the policy level.
  • Training employees in cyber hygiene is not a waste of time but an urgent need. It is necessary to convey to all colleagues that it is important not only to report a threat but also to respond to it correctly. Prohibiting the use of the Internet or personal mail in the office is last century and a source of acute negativity, so you have to work on prevention.

Of course, with a cloud system you can also achieve a sufficient level of security: use dedicated servers, configure routers and split traffic at the application and database levels, use private subnets, introduce strict security rules for administrators, ensure continuity with backups as frequent and complete as necessary, carry out round-the-clock network monitoring... If you think about it, it is not so much difficult as expensive. But, as practice shows, only some companies, mostly large ones, take such measures. Therefore we will not hesitate to say it again: neither the cloud nor the desktop should be left to itself; protect your data.

A few small but important tips for all cases of implementing a CRM system

  • Check the vendor for vulnerabilities: search for combinations such as "Vendor Name vulnerability", "Vendor Name hacked", "Vendor Name data leak". This should not be the only criterion when choosing a new CRM, but it is a box that absolutely must be ticked, and it is especially important to understand the causes of any incidents that have occurred.
  • Ask the vendor about the data center: availability, how many there are, how failover is organized.
  • Set up security tokens in the CRM, and track activity within the system and unusual bursts.
  • Disable report export and API access for non-core employees, that is, those who do not need these functions for their day-to-day work.
  • Make sure your CRM system is set up to log processes and user actions.
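
As an added example of what the last three tips enable (not RegionSoft's code), the following script scans constructed CRM audit-log lines for two signals: logins from outside the registered office subnet, and a burst of client-base exports by a single user, the kind of activity an insider copying the customer base would generate. The log format, the office subnet and the burst threshold are assumptions for this example.

```python
# Added example (not RegionSoft's code): scanning constructed CRM audit-log lines, in the
# assumed format "timestamp user action source_ip [detail]", for logins from outside the
# registered office subnet and bursts of client exports by one user. Thresholds are assumed.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

AUDIT_LOG = """\
2019-03-25T09:01:10 ivan login 10.0.1.15
2019-03-25T12:30:02 olga login 10.0.1.22
2019-03-25T18:40:05 ivan login 203.0.113.45
2019-03-25T18:41:10 ivan client.export 203.0.113.45 rows=400
2019-03-25T18:41:35 ivan client.export 203.0.113.45 rows=400
2019-03-25T18:42:00 ivan client.export 203.0.113.45 rows=400
2019-03-25T18:42:20 ivan client.export 203.0.113.45 rows=400
2019-03-26T10:15:00 olga client.export 10.0.1.22 rows=50
"""

TRUSTED_NETS = [ip_network("10.0.1.0/24")]  # assumed office subnet
EXPORT_BURST = 3                             # exports within WINDOW that count as a burst
WINDOW = timedelta(minutes=5)

def parse(log: str):
    """Yield (time, user, action, ip); malformed lines are skipped."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], ip_address(parts[3])
        except ValueError:
            continue

def untrusted_logins(log: str) -> list[tuple[str, str]]:
    """Logins whose source address lies outside every trusted network."""
    return [(user, str(ip)) for _, user, action, ip in parse(log)
            if action == "login" and not any(ip in net for net in TRUSTED_NETS)]

def export_bursts(log: str) -> list[tuple[str, str]]:
    """Users with EXPORT_BURST or more client exports inside a sliding WINDOW;
    returns (user, time of the export that completed the burst)."""
    recent = defaultdict(list)  # user -> export timestamps still inside the window
    hits = []
    for ts, user, action, _ in parse(log):
        if action != "client.export":
            continue
        recent[user] = [t for t in recent[user] if ts - t <= WINDOW] + [ts]
        if len(recent[user]) >= EXPORT_BURST:
            hits.append((user, ts.isoformat()))
            recent[user] = []  # report each burst once
    return hits

if __name__ == "__main__":
    print(untrusted_logins(AUDIT_LOG), export_bursts(AUDIT_LOG))
```

On the constructed log, olga's single export from the office subnet is not reported, while ivan's evening session from an outside address is flagged both for the login and for the export burst.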

These are small things, but they add up to the big picture. And in fact there are no trifles in security.

By implementing a CRM system you ensure the security of your data, but only if the implementation is done correctly and information security issues are not relegated to the background. Agree, it is stupid to buy a car and not check the brakes, ABS, airbags, seat belts, EDS. After all, the main thing is not just to go, but to go safely and arrive safe and sound. It is the same with business.

And remember: if labor safety rules are written in blood, business cybersecurity rules are written in money.

On the topic of cybersecurity and the place of the CRM system in it, you can read our detailed articles:

If you are looking for a CRM system, RegionSoft CRM is available with a 15% discount until March 31. If you need a CRM or ERP, study our products carefully and compare their capabilities with your goals and objectives. If you have questions or difficulties, write or call, and we will organize an individual online presentation for you, without ratings or bragging contests.

Our channel in Telegram, where, without advertising, we write not entirely formal things about CRM and business.

Source: habr.com
