CRM Security for non-technical managers

John Eccles, 10 February 2021

The news over the holiday period was full of the SolarWinds hack. US government departments and major US companies have been affected, and no doubt we will hear more in the months to come. This news came at the end of a year in which many high-profile organisations were hacked and, in many cases, ransomed. System security is surely a bigger issue than ever.


How secure is your CRM?

Your CRM system most likely holds a great deal of personal information – it’s a hacker’s goldmine. Are you doing all you can to protect it?

Disclaimer:

I am NOT a cyber-security expert. This blog is intended for a non-technical audience. I have shared common-sense measures which we have implemented at Magnetism to minimise our exposure.

You may need a cyber-security consultant. At Magnetism, we’re CRM experts but not cyber-security experts, so on top of the measures outlined here, we have an expert who advises us and checks out our system to ensure our clients’ data is not compromised.

Built-in CRM security

Businesses naturally assume that their information in CRM is safe. After all, the major CRM providers, like Microsoft, are multi-billion-dollar enterprises with massive resources available to ensure their CRM security. They utilise state-of-the-art data encryption and security measures to protect your data as it’s transferred to and stored in the cloud datacentres. But is that sufficient to ensure the safety of your critical information in your CRM?

It is important to understand what security your CRM provides:

A CRM protects your valuable information by means of Identity and Access Management (IAM), such as Azure Active Directory for Microsoft Dynamics 365.

These security tools use a username and password to ensure only the right people can access the CRM information. The right people are your employees who need access to your critical CRM information in order to do their jobs. Identity and access management does not protect against misuse by legitimate system users.

According to Verizon’s data breach investigation report for 2020, about 30% of data breaches that occurred during the year were caused by insiders, whether intentionally or unintentionally. This is not an area of your CRM security that should be overlooked!

Furthermore, the hardware you use to access the CRM system is not covered by the CRM’s security. A compromised computer can be an entry point for a hacker.

Your security responsibility

It’s up to you to implement security internally. Here are six key steps:

1. Secure your IT infrastructure

IT Infrastructure includes desktop computers, laptops, phones, routers, servers, and other IoT hardware. Make your IT infrastructure resistant to attacks as follows:

· Ensure that all devices in your company use a secure operating system (OS) with regular updates and security patches.

· Install a robust security software solution from a leading supplier. At a minimum you will need a firewall, antivirus, and email scanner.

· Ensure anti-phishing tools are enabled and configured in all browsers. For extra protection against phishing, use an identity monitoring tool to check if your credentials appear in a data leak.

· Encrypt all your disks (we use BitLocker) and install a VPN to create a tunnel that encrypts your communication and browsing.

2. Use strong passwords

Weak passwords make it easy for hackers to get into your systems. I’ve heard that a good hacker can break a weak password in less than a minute! Each device should have its own robust and unique password. Do not allow “qwerty,” birthdays, pets’ names, or family members’ details. Also insist that passwords are never re-used from personal systems.

Utilise automated password validation to ensure poor passwords don’t get used.

Password managers and some browsers suggest strong passwords that are usually a combination of upper and lower case letters, numbers, and special characters.

You may need to do an audit of all existing passwords on all devices that are part of your network. This may be arduous and time consuming, but not nearly as time-consuming as dealing with a hack.

Since remembering such passwords can be difficult, teach your team how to store their passwords and retrieve them when required.
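The automated password validation mentioned above, as an added example in Python (not code from the original post or from Magnetism): it rejects the kinds of password the post warns against (short, “qwerty”-style keyboard walks, birth years, pets’ or family names supplied as personal terms, too few character classes) and also checks the password against a breach corpus by SHA-1 prefix, the k-anonymity style of lookup used by services such as Have I Been Pwned. The denylist, the keyboard walks and the breach corpus are constructed stand-ins; a real deployment would use a large list or an external service.

```python
import hashlib
import re

# Constructed denylist of commonly chosen passwords and keyboard walks (illustrative).
COMMON_PASSWORDS = {"qwerty", "password", "123456", "letmein", "welcome", "iloveyou"}
KEYBOARD_WALKS = ("qwert", "asdf", "zxcv", "12345", "09876")

# Constructed stand-in for a breached-password corpus. Real deployments query a
# service by the first 5 hex characters of the SHA-1 hash (k-anonymity), so the
# full hash never leaves the organisation; here the index is built locally.
_SAMPLE_BREACHED = ["Summer2019!", "Welcome123", "Company2020", "P@ssw0rd"]


def _sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def _build_breach_index(passwords):
    """Map 5-char hash prefix -> set of hash suffixes, mimicking a range query."""
    index = {}
    for pw in passwords:
        digest = _sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


BREACH_INDEX = _build_breach_index(_SAMPLE_BREACHED)


def is_breached(password: str) -> bool:
    digest = _sha1_hex(password)
    return digest[5:] in BREACH_INDEX.get(digest[:5], set())


# Four-digit years 1900-2099: birthdays and "Company2020"-style passwords.
YEAR_PATTERN = re.compile(r"(19|20)\d{2}")


def validate_password(password: str, personal_terms=(), min_length: int = 12):
    """Return (accepted, reasons); reasons lists every policy rule that failed.

    personal_terms: names, pets, birthdays etc. known for this user (constructed input).
    """
    reasons = []
    lowered = password.lower()
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if lowered in COMMON_PASSWORDS:
        reasons.append("on the common-password denylist")
    if any(walk in lowered for walk in KEYBOARD_WALKS):
        reasons.append("contains a keyboard sequence")
    if YEAR_PATTERN.search(password):
        reasons.append("contains a year (birthdays are guessable)")
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            reasons.append(f"contains personal detail '{term}'")
    classes = sum(
        bool(re.search(p, password))
        for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        reasons.append("uses fewer than three character classes")
    if is_breached(password):
        reasons.append("appears in a known breach")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("qwerty", "MyDogRex2019!!", "Correct-Horse-Battery-9"):
        ok, why = validate_password(candidate, personal_terms=["Rex"])
        print(f"{candidate!r}: {'accepted' if ok else 'rejected: ' + '; '.join(why)}")
```

Returning every failed rule rather than the first one lets the sign-up form tell the user exactly what to change; the breach check runs on the hash prefix so the candidate password itself is never logged or transmitted.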

3. Use multi-factor authentication

Multi-factor authentication (MFA) is used to ensure that you are who you say you are by requiring multiple forms of verification to prove your identity when signing into an application.

For me it means a password and my mobile phone. When attempting to log in with my username and password, I am prompted to enter a one-time password that was sent to my mobile phone. No one can break into my account unless they know both passwords.

It is sometimes inconvenient – especially when I am in a hurry. But according to Microsoft, multi-factor authentication makes you 99% less likely to be compromised!

4. Provide regular cybersecurity training for your staff

Security training for your staff can go a long way to protecting your CRM data. You do not want an employee to accidentally give a hacker login details or the network password.

You need to educate your team on the following:

· The basics of online safety and secure web browsing to avoid security threats. For example, they should never click on links in an email without verifying the source first. Instruct them not to install browser add-ons that may steal or harvest data, and not to download files from unknown sources. There are a plethora of dangerous and infected sites out there, especially illegal movie streaming sites.

· How to spot phishing emails, fake websites, and spoof accounts from their contacts. They should know what to do when they encounter malware or a phishing attempt.

· Your internal security procedures.

· Protocols in the event of a data breach.

5. Ensure CRM administrators follow best security practices

CRM system administration is an important security factor. System administrators must be both trustworthy and competent. User access needs to be restricted so that users have access only to the information they need. Staff members want to feel they can be trusted, but you have to manage access and access levels to your CRM.

Ensure employees are using their own individual accounts to log in rather than sharing logins. When an employee leaves the company, make sure their login is disabled or restricted.

A commonly overlooked CRM security risk is the ability to download information. While many employees need access to reporting to do their jobs, broad access can pose risks to the precious data that resides in your CRM. Limit the number of individuals who can download data, and make sure everyone knows your organisation’s policy on how to properly handle the information.
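The three checks in this section (no shared logins, departed staff disabled, export rights limited to a named few) can be run as a periodic access review over an export of the CRM’s user list. The Python below is an added example, not code from the original post or from any CRM vendor: the account records, role names, approval lists and review date are all constructed, and a real review would read the same fields from the CRM’s user and role export.

```python
from datetime import date, timedelta

REVIEW_DATE = date(2021, 2, 10)            # constructed: the day the review is run
DORMANT_AFTER = timedelta(days=90)         # constructed threshold for unused accounts
ADMIN_ROLE = "System Administrator"        # constructed role name
EXPORT_ROLES = {"Report Exporter"}         # constructed: roles that allow data download
APPROVED_ADMINS = {"ana.lopez"}            # constructed: people allowed the admin role
APPROVED_EXPORTERS = {"ana.lopez", "mike.ng"}  # constructed: people allowed to export

# Constructed user export. "owner" is the named person behind the login; None marks a
# shared account. "left" is the leaving date from HR, or None for current staff.
SAMPLE_ACCOUNTS = [
    {"login": "ana.lopez",    "owner": "Ana Lopez",  "enabled": True,
     "last_login": date(2021, 2, 9),   "left": None,              "roles": {ADMIN_ROLE}},
    {"login": "sales.shared", "owner": None,         "enabled": True,
     "last_login": date(2021, 2, 8),   "left": None,              "roles": {"Salesperson"}},
    {"login": "bob.smith",    "owner": "Bob Smith",  "enabled": True,
     "last_login": date(2020, 12, 20), "left": date(2021, 1, 15), "roles": {"Salesperson", "Report Exporter"}},
    {"login": "carla.ruiz",   "owner": "Carla Ruiz", "enabled": True,
     "last_login": date(2020, 10, 1),  "left": None,              "roles": {"Salesperson"}},
    {"login": "dave.chen",    "owner": "Dave Chen",  "enabled": True,
     "last_login": date(2021, 2, 1),   "left": None,              "roles": {ADMIN_ROLE}},
    {"login": "mike.ng",      "owner": "Mike Ng",    "enabled": True,
     "last_login": date(2021, 2, 5),   "left": None,              "roles": {"Salesperson", "Report Exporter"}},
]


def review_accounts(accounts, today=REVIEW_DATE):
    """Return a list of (login, issue) findings for the reviewer to action."""
    findings = []
    for acc in accounts:
        login, roles = acc["login"], acc["roles"]
        # 1. Every login must belong to one named person.
        if acc["owner"] is None:
            findings.append((login, "shared account: no named owner"))
        # 2. Leavers must be disabled; otherwise, flag accounts nobody has used for a while.
        if acc["left"] is not None and acc["enabled"]:
            findings.append((login, f"left the company on {acc['left'].isoformat()} "
                                    "but account is still enabled"))
        elif acc["enabled"] and today - acc["last_login"] > DORMANT_AFTER:
            days = (today - acc["last_login"]).days
            findings.append((login, f"dormant: no login for {days} days"))
        # 3. Privileged and export rights only where approved (least privilege).
        if ADMIN_ROLE in roles and login not in APPROVED_ADMINS:
            findings.append((login, f"holds {ADMIN_ROLE} but is not an approved administrator"))
        if roles & EXPORT_ROLES and login not in APPROVED_EXPORTERS:
            findings.append((login, "can export data but is not on the approved exporter list"))
    return findings


if __name__ == "__main__":
    for login, issue in review_accounts(SAMPLE_ACCOUNTS):
        print(f"{login:14} {issue}")
```

Keeping the approval lists in the script (or a file beside it) and re-running the review after every staff change turns the policy in this section into something that is checked rather than merely stated.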

6. Monitor CRM activity

You don’t need to track your employees’ every action when they use your CRM system; however, you can set up security alerts that will warn you of unauthorised disclosure of data or a possible breach.

A compromised CRM will usually show increased activity in its logs, especially at times when no one in the office is using it. Set up alerts that will automatically notify you about unauthorised access or possible data breaches. Setting up a dashboard that shows you real-time statistics on your CRM security and network can go a long way in tracking and preventing a breach.
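The alerting described in this section, as an added example in Python over constructed audit-log lines (this is not code from the original post, and the log format is illustrative rather than any real CRM’s export format). It raises one alert per user and day for activity outside office hours, one when a user’s exported record count for a day passes a threshold, and one per user and address for access from outside the known office network; the office hours, threshold and office address range are assumptions, and office hours are taken in the same time zone as the log timestamps for simplicity.

```python
import re
from collections import defaultdict
from datetime import datetime, time as dtime

# Constructed audit-log lines. The post's point is the pattern (large exports at
# 02:00 from an address nobody in the office uses), not the exact field layout.
SAMPLE_LOG = """\
2021-02-08T09:12:01Z user=ana.lopez action=Read entity=contact records=1 ip=198.51.100.7
2021-02-08T09:40:13Z user=mike.ng action=Export entity=contact records=250 ip=198.51.100.9
2021-02-08T14:05:44Z user=ana.lopez action=Update entity=account records=1 ip=198.51.100.7
2021-02-09T02:14:05Z user=bob.smith action=Export entity=contact records=5000 ip=203.0.113.10
2021-02-09T02:15:30Z user=bob.smith action=Export entity=lead records=4200 ip=203.0.113.10
2021-02-09T02:16:02Z user=bob.smith action=Read entity=contact records=1 ip=203.0.113.10
2021-02-09T10:22:18Z user=mike.ng action=Export entity=contact records=300 ip=198.51.100.9
"""

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"entity=(?P<entity>\S+) records=(?P<records>\d+) ip=(?P<ip>\S+)$"
)

OFFICE_START, OFFICE_END = dtime(8, 0), dtime(18, 0)   # assumed office hours, weekdays
EXPORT_LIMIT_PER_DAY = 1000                             # assumed records/user/day threshold
OFFICE_NETWORKS = ("198.51.100.",)                      # assumed office address prefix


def parse(log_text: str):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["records"] = int(ev["records"])
        events.append(ev)
    return events


def detect(events):
    """Return a list of (alert_type, user, detail) tuples, deduplicated per key."""
    alerts = []
    seen = set()
    exported = defaultdict(int)  # (user, day) -> records exported so far that day

    def raise_alert(kind, user, detail):
        key = (kind, user, detail)
        if key not in seen:
            seen.add(key)
            alerts.append(key)

    for ev in events:
        ts, user, day = ev["ts"], ev["user"], ev["ts"].date().isoformat()
        # Activity when nobody should be in the office (weekend or outside hours).
        if ts.weekday() >= 5 or not (OFFICE_START <= ts.time() < OFFICE_END):
            raise_alert("after-hours", user, day)
        # Access from an address outside the office network.
        if not ev["ip"].startswith(OFFICE_NETWORKS):
            raise_alert("unknown-network", user, ev["ip"])
        # Bulk download: running total of exported records per user per day.
        if ev["action"] == "Export":
            exported[(user, day)] += ev["records"]
            if exported[(user, day)] > EXPORT_LIMIT_PER_DAY:
                raise_alert("export-volume", user, day)
    return alerts


if __name__ == "__main__":
    for kind, user, detail in detect(parse(SAMPLE_LOG)):
        print(f"ALERT {kind:15} {user:12} {detail}")
```

Deduplicating on (type, user, day or address) keeps a single incident from flooding the inbox, which matters because an alert nobody reads is no better than no alert. The same three counters are what a simple security dashboard would chart.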

Conclusion

I cannot promise that if you follow the guidelines outlined here you will never be hacked – but you will certainly make hacking your system much more difficult and, as a result, be much more secure.