How to get smarter about CRM security

If Value Engineering is the identification of different implementation strategies to achieve the business goal, the ultimate in value engineering is to identify requirements that don't need to be done in the first place. Although security and access control would seem to be a poor candidate for this kind of requirements elimination, in many situations the technical solutions are so clumsy and expensive that there's almost no ROI.

This can be politically touchy, as nobody wants to be the one to say "no" to risk reduction and compliance. This can be a particularly pointed issue with CRM systems, which tend to be the most politically charged of any Enterprise application. So... don't say no -- instead say "that wont be effective."

Keeping the users to their own knitting

Let's start with an example: sales' ability to see and change opportunity records in the CRM. The starting point is typically "a sales person should see only the deals that they own and the deals of those that report to them." This is easy to understand, and clean to implement in CRM systems. Sometimes there will be a plot complication -- "the reps should be able to see that another rep's deal exists, but not be able to see any of the details." CRM systems can handle that kind of exception without too much trouble.

But in large, multi-channel organizations, there are territory overlays and named accounts. Consequently, it gets harder to automatically determine what a sales rep is supposed to "own." Their territories may have "holes" in them, and even if they don't, multi-national customers present a challenge to the "rep ownership" rules. For example, if GM Canada is making a purchase but the decision is being made in conjunction with GM USA, which rep owns it? This becomes much more complicated when selling to government contractors, where different projects within the same customer business unit may be "owned" by different sales reps.

Enforcing what started as a simple rule now would now take a complex series of lookups and exceptions. And of course, no CRM system has this processing built in: you must custom code it. But the bigger challenge is maintaining the lookup table(s) that have to be changed every time there's a new rep, new partner, or customer merger or divesture. Sure, you could create a nice UI to maintain and test all the moving parts, but in large organizations the code and lookup tables wont be maintainable. Consequently, the security infrastructure will eventually give somebody the wrong level of access, and it's likely to irritate a fair percentage of your users.

Perfectionism in this kind of issue doesn't pay. What are the alternatives? Instead of trying to preventing access, you can monitor access and create reports that alert management to abusers within each organization. You can have HR put more specific data security guidelines into the personnel handbook, and make it clear that violations will be punished.

Preventing Data Leaks

As I wrote a while ago, information leak detection and data loss prevention are hot topics. Of course you want to keep your servers secured in every way, and the leading cloud vendors do a great job of protecting your data. The real data leak problem is at the end points: laptops, iPads, and smart phones that store tremendous amounts of information.

While there are solutions available to really lock down windows laptops, they almost inevitably involve special device drivers or kernel patches that can mean trouble over time. To really do the job, you'd also want to add encryption for all files to keep data from prying eyes. At least one of these solutions that explicitly works with CRM applications, but I know of nothing that works with Macs or Linux laptops.

Unfortunately, for most organizations there just isn't a solution here, other than limiting the amount of data stored on the endpoint. Security zealots will say that clumsy ILP/DLP solutions are "better than doing nothing," but the reality may be more like "the cure is worse than the disease."

Reports that Walk

Although the law may be fuzzy about whether a salesperson's address book is his property or the company's, the law couldn't be clearer about the company's leads, contacts, deal history, and account list. Yet reps walk out the door with these all the time.

In most CRM systems, report access is basically "all or nothing." Unfortunately, management often wants the reps to be able to run ad-hoc reports to do their job while simultaneously wanting to prevent wholesale data theft.

Instead of trying to enforce a complex web of policies, it's easier to do the following:

• Make sure that the reps do not have API or Web service access to the system. The smart ones will be able to pull stuff out through Excel.

• Turn off report export privileges, if your CRM system supports this.

• Turn off their access to reporting, at least for ad-hoc stuff. If your system allows you to give reps access to canned reports only, terrific.

• Give them access to reports only through an internet "jump" page that limits which reports they see and monitors who's using what. Provide alerts to managers about employees who suddenly become excessive report users: this is often a "tell" for an employee about to leave.

• Give them access to reports only as PDFs or JPEG images -- don't let them get data in exportable or screen-scrapable form.

David Taber is the author of the new Prentice Hall book, " Secrets of Success" and is the CEO of SalesLogistix, a certified consultancy focused on business process improvement through use of CRM systems. SalesLogistix clients are in North America, Europe, Israel, and India, and David has over 25 years experience in high tech, including 10 years at the VP level or above.

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationsCustomer Relationship Managementsecuritysoftware

More about

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Taber

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts