An organisation’s customer relationship management (CRM) system is at the centre of its business activities and serves as its main data set, for this reason it is an extremely attractive proposition for hackers.

Businesses of any size are at risk from cyber criminals, so we can quickly dispel the common misconception that ‘we are too small to be hacked’. Firstly, a small organisation with limited security offers hackers a training opportunity, and secondly whilst there may be no obvious use for a small niche data set, if sold on the dark web it could be combined with other sources to show its true value.

So what quick steps can an organisation take to protect its data?

User Access

Setting up a robust access policy is essential, BUT it must be workable. Whilst setting up two factor authentication would always be advised, if staff do not have access to the second piece of information then the process will fail.

Also, enforcing a 14-character password with uppercase, numbers, and symbols becomes counterproductive if the password can’t be remembered and ends up being written on a Post-it note and pinned to the user’s desk. Setting a password expiration date range is suggested, along with an organisation password management tool, then a user only has to remember one password. The CRM password can therefore be as complex as the organisation wants.

Ensuring that the system has an IP range configured so that only employees can access from a work network should also be considered, along with limiting accounts to an organisation’s domain.

The organisation’s starters and leavers list should also be shared with relevant system holders to ensure access is revoked when an employee exits the organisation.

Integrations

We tackled staff users, but what about other systems or web applications that connect to your CRM?

The main system administrator should keep a log of the software accounts and regularly check that they still need access and they have a contact for the integration owner. If the main system owner isn’t the technical contact, then ensure that CRM system update emails are sent to a technical colleague who can then act where appropriate.

SSL technologies often change so web applications sometimes need tweaking if they integrate with a system.  Make this review an annual check.

Data analysis can also take place outside of CRM using a data visualisation tool. It would be best practice to integrate systems rather than store Excel downloads of large data sets locally or on a shared drive. If you must do this, ensure you have made that store secure and discuss with the IT team.

Education

Staff education is key. The biggest threat is phishing emails, where an imitation email is received pretending to be from a supplier. If a link is clicked, it could collect login information or install ransomware which could lock an organisation out of its own systems and data.

If an organisation’s domain is spoofed in phishing emails, then emails may be received which appear to be from other staff. A recent batch of these emails received by organisations were requesting internal money transfers.

In both instances staff should be educated on not clicking links from emails that look suspicious and if a money request comes from a colleague then check with them by picking up the phone and not replying to the email.

Finally, encourage staff not to leave their computers unlocked when they leave their desks. You could configure your CRM to lock out after 3 minutes of inactivity to avoid the possibility of tampering.