Keeping CRM customer data secure isn't a one-size-fits-all task. Indeed, tackling security issues around CRM data demands close examination of vendors as well as internal and external threats -- and it's a vital part of customer relationship management.
The alternative is devastating. Ponemon Institute research indicates that data breaches have serious financial consequences for an organization. According to the most recent Ponemon Institute Annual Cost of a Data Breach study, the average cost of a data breach has risen to $202 per customer record. The average cost of a data breach over four years is $6.65 million.
Companies should consider the issue of CRM and customer data security critically important, and this is true for companies of all sizes, according to Sanjeet Mall, a CRM architect at SAP. A company's most valuable data, he added, should be protected whether or not regulations mandate it.
"Considering the regulations around customer information plus the value of keeping it secure, companies really need to think about security as part of a holistic IT governance strategy," Mall said. "CRM is just one application, but customer data lives in many parts of an organization, typically connecting to ERP or financial systems, supplier management systems, or even living outside the company if in a CRM on-demand solution, and so on."
Pick the Right CRM Vendor
As Mall sees it, the most important tip for keeping CRM data secure is to choose the right CRM vendor. He suggested considering a vendor that supplies CRM solutions and can also advise on how to ensure the security of the entire IT landscape.
"This vendor needs to show that it works with and certifies solutions from security software partners, such as encryption software. It should also be able to show that it can integrate its CRM software with other vendors' solutions where customer data might live, such as ERP and financial systems, supplier relationship management systems, etc.," Mall said. "Buying from a vendor that offers a suite of these applications can significantly simplify this as well, as the integration work is done before it even arrives at the company."
But the CRM vendor's security and integration capabilities are not where the selection process should end. Mall said that beyond experience and track record, enterprises should also consider the CRM vendor's partners.
"As we move into an age of mobility, where sales reps and other customer-facing employees are using mobile devices to access and update customer data remotely, make sure the vendors you choose are working with best-of-breed mobile-platform providers," Mall said. "This will ensure that regardless of where the customer data is traveling, whether inside the company or outside, it is still secure and protected."
Beware Disgruntled Employees
Another aspect of CRM security is who has access to the customer data. This is where solutions such as governance, risk and compliance software can help a company control access and do so in an auditable and trackable way. Mike Logan, president of Axis Technology, an IT and data-security provider, said tremendous amounts of private data are at risk in CRM databases because so many people access them.
"I can't begin to tell you how many times companies come to us because they've had disgruntled employees steal very sensitive customer data. The number-one comment is, 'We thought we could trust them,'" Logan said. "With the economy the way it is, no company can afford to have their data assets compromised. And with the data-privacy compliance, state laws and federal standards craze occurring now, the pressure is really on for companies to proactively prevent theft."
Andrew Storms, director of security operations for nCircle, agrees. He said it's time to get serious about CRM data -- and to treat it like the rest of the enterprise's intellectual property. As he sees it, that means encrypting it.
"Customer data is one of the highest-value targets for disgruntled employees who may believe they can use it to help them get or succeed in a new position," Storms said. "For this reason, as well as many others, be sure you monitor who has access to your CRM data and pay close attention to where the data goes, even for those with legitimate access."
10 Security-Specific CRM Tips
The Online Trust Alliance recently developed a set of global guidelines for preserving and enhancing consumer trust and confidence. With those guidelines in mind, Craig Spiezle, executive director of the alliance, offers a quick checklist for securing CRM data:
1. Encrypt all sensitive data and contacts shared with third parties or transported out of company-owned facilities.
2. Create a Data Loss Plan (DLP) to be prepared for loss and breaches.
3. Regularly scan systems, including servers and desktops, for known vulnerabilities in operating systems and applications.
4. Implement protection against phishing, spam, viruses, data loss, and malware.
5. Encrypt all wireless data access points.
6. Require employees and vendors to upgrade to the most current browser.
7. Audit all third-party code and links used or referenced on internal sites.
8. Limit access to data on a need-to-know basis.
9. Archive or destroy inactive customer data.
10. Collect data for only real or expected business purposes.
"Too many companies don't take CRM data seriously," Storms said. "What would happen if your top 10 deals for next quarter were leaked to your closest competitor? How would your customers feel if confidential data about their businesses were stolen from your systems? Imagine the long-term damage this could inflict on your business and then take action accordingly."