9 tips to protect your CRM data from malicious hackers

CRM data offers all sorts of goodies for hackers. Now's the time to step up your protections.

It turns out that Home Depot was shockingly lax with the security around its customer data, according to a news report in the New York Times this weekend. How bad? Security workers at the retailer took to warning friends to only use cash when shopping at the store.

There didn't seem to be any one particular reason why Home Depot was so slow to make the changes it should have, but rather several factors combined with (as I imagine) a sense of being overwhelmed by the task ahead. No matter: Assuming the report is accurate, Home Depot's position is inexcusable. Retailers have been in the crosshairs of hackers for years now and it should have known.

Right now the headlines are focused on the cyber vulnerabilities of national retailers but another threat is looming -- one aimed specifically at CRM systems.

A few weeks ago, Salesforce notified its customers that the Dyre malware, which typically targets customers of large financial institutions, has been tweaked to target some Salesforce users as well.

This malware is not targeting a vulnerability within Salesforce's platform; rather, it resides on infected computer systems and steals user log-in credentials. Presumably, it can piggyback its way into a corporate system using any CRM application. And once it gains entrance, all sorts of low-hanging fruit await: Payment information, customer data, and possibly sensitive intellectual property of customers. There is also a wealth of knowledge about company relationships and who controls the purchasing power.

"Often CRM systems will keep the contact information of C-level personnel from other organizations that a company is doing business with," David Pack, director of LogRhythm Labs, says. Using this information, "a realistic-looking spear phishing e-mail can be crafted, turning this into a potential supply chain attack on other organizations that might not even be Salesforce users."

Scared now? Good. Here's what you can do about it.

CITEworld spoke with several security experts to see what steps a company could take to protect its CRM data specifically. We began with a few base assumptions, namely that the fundamentals were in place -- assume your security software isn't outdated, and the security team has access to all networks including customer data (both reported to be Home Depot's failings). We also assumed more advanced -- but still commonly cited -- protections are in place, such as two-factor authentication.

In other words, we asked what else companies can do to protect their CRM data. This is what we learned.

Understand the scope of your task

Or as Tom Cruise said in the first Mission Impossible movie, "relax, it's much worse than you are thinking."

Understand that you are most vulnerable to a "man in the middle" attack vector, said Kyle Kennedy, CTO of STEALTHbits Technologies.

"The sad part is that when this happens everyone will blame the service provider even though it's typically the fault of a careless employee at an organization consuming the service who either decided to use his infected home machine to interact with the company's data, or the individual that foolishly clicked a hyperlink that results in malware being installed on his business machine."

Don't stop reminding employees and partners of the risks

The best way to counter the risk of these attacks is an extensive and ongoing social engineering education campaign with employees and partners. "Make sure everyone knows that an authorized tech will never ask for things such as passwords," according to Andy Pace, Chief Operating Officer of SingleHop. "Also employees should know not to access your CRM through emails from unidentified senders."

Know that protecting the data is more efficient than protecting the boundary/container

Given the propagation of data in business workflows, protecting the data itself over its lifecycle protects it from advanced threats, says Trish Reilly, who handles cloud product marketing for Voltage Security.

"Containers only protect data at rest -- which only shields the data from a very narrow set of threats. In today's cloud, advanced threats attack data in use, in motion, and at rest -- which points to using a continuous data-centric approach to mitigate them."

Encrypting the data at the container has value if used as a means to protect it in the event of media removal, theft, or recycling, she continued. "If the concern is protecting data and its movement (or unknown movement) then encrypting higher up -- at the application layer through a data-centric approach -- is safer," she said.

Choose encryption wisely

With the rush to protect data in the cloud, many solutions have emerged that make serious trade-offs with security, such as enabling searching and sorting by weakly encrypted data, Reilly also noted.

Enterprises need to choose vendors that have validated, secure methods with independent validation, she said.

Have clear auditing and visibility in place

Administrators need to have a clear understanding of who performed which action, when, from where, using what device, says Boris Gorin, head of Security Engineering for FireLayers.

"This is critical to detect any abnormal behavior, like, say, an 'administrator' logging in from China in the middle of the night, as well as conduct forensic investigation in case any potential or actual breach is suspected."
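The kind of check Gorin describes can be run over a CRM audit trail as soon as the who/when/where/device fields are being recorded. The following is an added example written for this article, not code from any vendor quoted here: it parses a constructed audit log and flags the pattern in the quote (a privileged account logging in at an odd hour, from an unexpected country, on a device nobody registered). The log format, business-hours window, expected-country set and device list are all assumptions.

```python
"""Added example: flag anomalous CRM logins in an audit trail.

Constructed for this article, not vendor code. The log format, business-hours
window, expected countries and the registered-device list are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time
import csv
import io

# Constructed audit records: who, role, what, when (UTC), from where, on what device.
SAMPLE_AUDIT_LOG = """\
user,role,action,timestamp,src_ip,country,device_id
alice,admin,login,2014-09-22T09:12:05,10.20.1.15,US,LAPTOP-0041
bob,sales,login,2014-09-22T13:40:11,10.20.1.77,US,LAPTOP-0102
alice,admin,login,2014-09-23T02:55:43,203.0.113.9,CN,UNKNOWN-7f3a
carol,sales,export_report,2014-09-23T11:02:19,10.20.2.8,US,LAPTOP-0088
bob,sales,login,2014-09-23T22:17:30,198.51.100.24,BR,LAPTOP-0102
dave,admin,login,2014-09-24T10:01:00,10.20.1.16,US,LAPTOP-0050
"""

EXPECTED_COUNTRIES = {"US"}                   # assumption: where staff normally work
BUSINESS_HOURS = (time(7, 0), time(20, 0))    # assumption: normal working window (UTC)
REGISTERED_DEVICES = {"LAPTOP-0041", "LAPTOP-0102", "LAPTOP-0088", "LAPTOP-0050"}


@dataclass
class Finding:
    user: str
    timestamp: str
    reasons: tuple


def outside_business_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() <= end)


def analyze(log_text: str) -> list:
    """Return one Finding per record that crosses the role's anomaly threshold."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        reasons = []
        if row["country"] not in EXPECTED_COUNTRIES:
            reasons.append("unexpected country " + row["country"])
        if row["device_id"] not in REGISTERED_DEVICES:
            reasons.append("unregistered device " + row["device_id"])
        if outside_business_hours(ts):
            reasons.append("outside business hours")
        # Privileged accounts get a lower bar: any single oddity is reported.
        # Ordinary users are reported only when two signals coincide.
        threshold = 1 if row["role"] == "admin" else 2
        if len(reasons) >= threshold:
            findings.append(Finding(row["user"], row["timestamp"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT_LOG):
        print(f.user, f.timestamp, "; ".join(f.reasons))
```

The role-dependent threshold is the point worth keeping: a salesperson travelling will trip one signal on a normal day, but an administrator should never trip any without somebody looking, and every finding keeps its raw fields so the forensic question ("from where, on what device") is answered from the same record.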

Think "need to access"

Make sure each user only has access to the information they need. This will limit exposure of customer information.

Also never have group accounts; accounts need to be separate and established for each user, says SingleHop's Pace. "This allows you to ensure accountability and makes it easy to isolate breached accounts."

And add VPN and IP range restrictions where applicable, he adds. "Many users only access CRMs from the work place and each of these users should have their access limited to VPN."
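The three points in this section (field-level need-to-access, one account per named person, and a VPN/IP range restriction) fit naturally into one authorization check in front of the CRM. The following is an added example written for this article, not SingleHop's or any vendor's code; the roles, field names, network ranges and user records are constructed assumptions.

```python
"""Added example: a small "need to access" policy check for a CRM front end.

Constructed for this article; the roles, fields, VPN ranges and user records
are assumptions, not any vendor's model.
"""
import ipaddress

# Assumption: which CRM fields each role legitimately needs.
ROLE_FIELDS = {
    "sales":   {"name", "email", "phone", "deal_stage"},
    "finance": {"name", "payment_token", "invoice_total"},
    "admin":   {"name", "email", "phone", "deal_stage", "payment_token", "invoice_total"},
}

# Assumption: corporate VPN egress and office ranges. Anything else is denied.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
                    ipaddress.ip_network("192.0.2.0/24")]

# Assumption: usernames that signal a shared account rather than a person.
GENERIC_NAMES = {"sales", "support", "shared", "team", "admin"}

# Constructed user directory. Every account is tied to one named owner.
USERS = {
    "alice": {"role": "sales", "owner": "Alice Example"},
    "bob":   {"role": "finance", "owner": "Bob Example"},
}


def register_account(username: str, role: str, owner: str) -> None:
    """Refuse group accounts so every action is attributable to one person."""
    if not owner or username.lower() in GENERIC_NAMES:
        raise ValueError("group or unowned accounts are not permitted: " + username)
    if role not in ROLE_FIELDS:
        raise ValueError("unknown role " + role)
    USERS[username] = {"role": role, "owner": owner}


def source_allowed(src_ip: str) -> bool:
    """True only when the request comes from the VPN or an office range."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def authorize(username: str, src_ip: str, requested_fields: set) -> dict:
    """Return the subset of fields the user may see, or refuse outright."""
    user = USERS.get(username)
    if user is None:
        return {"allowed": False, "reason": "unknown account", "fields": set()}
    if not source_allowed(src_ip):
        return {"allowed": False, "reason": "source not on VPN/office ranges", "fields": set()}
    permitted = ROLE_FIELDS[user["role"]]
    granted = requested_fields & permitted
    denied = requested_fields - permitted
    reason = "ok" if not denied else "denied fields: " + ",".join(sorted(denied))
    return {"allowed": bool(granted), "reason": reason, "fields": granted}


if __name__ == "__main__":
    print(authorize("alice", "10.20.1.15", {"name", "email", "payment_token"}))
    print(authorize("alice", "203.0.113.9", {"name"}))
```

Note that a request is trimmed to the permitted fields rather than rejected wholesale; the denied field names are returned so the refusal can be logged against the individual account, which is exactly what makes a breached account easy to isolate later.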

Get proactive with DLP

IT can prevent malware incidents by using Data Loss Prevention (DLP) at the endpoint level, says Roman Foeckl, CEO of CoSoSys.

"DLP technologies should be combined, meaning they should be used to protect data in motion, DLP for data at rest and DLP for data in use," he says. "Scanning data at rest is useful to proactively determine what endpoints are particularly vulnerable based on large amounts of CRM data residing on them."
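Foeckl's point about scanning data at rest is that the endpoints carrying the most CRM data are the ones where a malware infection costs the most. The following is an added example written for this article, not CoSoSys code: it scans constructed file contents from a few endpoints for two kinds of CRM-like data (e-mail addresses and card numbers that pass a Luhn check, so order numbers and other 16-digit strings are not counted) and ranks the endpoints by exposure. The endpoint names, file contents and scoring weights are assumptions.

```python
"""Added example: rank endpoints by how much CRM data sits on them at rest.

Constructed for this article, not a DLP product's engine. The file contents,
endpoint names, patterns and scoring weights are assumptions.
"""
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13 to 16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check so random 16-digit numbers (order ids etc.) do not count."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Count distinct e-mail addresses and Luhn-valid card numbers in text."""
    emails = set(EMAIL_RE.findall(text))
    cards = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            cards.add(digits)
    return {"emails": len(emails), "cards": len(cards)}


def rank_endpoints(files_by_endpoint: dict) -> list:
    """Score each endpoint; card numbers weigh more than e-mail addresses."""
    ranked = []
    for endpoint, files in files_by_endpoint.items():
        totals = {"emails": 0, "cards": 0}
        for content in files.values():
            hits = scan_text(content)
            totals["emails"] += hits["emails"]
            totals["cards"] += hits["cards"]
        score = totals["cards"] * 10 + totals["emails"]   # assumption: weights
        ranked.append((endpoint, score, totals))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


# Constructed endpoint snapshots: path -> file contents.
SAMPLE_ENDPOINTS = {
    "LAPTOP-0102": {
        "Downloads/contacts_export.csv":
            "name,email\nAnn,ann@example.com\nBen,ben@example.org\n",
        "Desktop/notes.txt":
            "call 4111 1111 1111 1111 re invoice; order 1234567890123456\n",
    },
    "LAPTOP-0041": {
        "Documents/agenda.txt": "Q3 planning, no customer data here\n",
    },
}


if __name__ == "__main__":
    for endpoint, score, totals in rank_endpoints(SAMPLE_ENDPOINTS):
        print(endpoint, score, totals)
```

In practice the scan would walk real directories and the output would feed the data-in-use and data-in-motion controls Foeckl mentions (for instance, tightening what a top-ranked endpoint may copy to removable media or upload), which is what "combining" the three DLP modes means operationally.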

Ditto mobile endpoints

Mobile endpoints -- smartphones and tablets -- also need to have an MDM solution in place since lots of CRM data and access credentials are saved on them, Foeckl added.

Ensure proper data backup and recovery solutions are in place

Jeff Erramouspe, CEO of Spanning, says that most of the Salesforce administrators the company has met are either doing nothing specific to protect their data, or at most use the Salesforce Weekly Export feature. "Automatic daily backups are needed to ensure IT-level business continuity in case the worst does happen," he says.

Stories by Erika Morphy