A simple question: is a CRM system a threat to information security or a security tool? Hardly anyone will give a definite answer. As we were taught in English lessons, you have to start with "it depends". It depends on the options, the CRM delivery model, the habits and beliefs of the vendor, how much ill will employees bear, and how sophisticated the attackers are. After all, anything can be hacked. So how do we live with that?
The CRM system as protection.
Protecting data on commercial and operational activities and storing the customer base reliably is one of the main tasks of a CRM system, and in this respect it is more important than the rest of the company's application software.
You probably started reading this article and smirked deep down: who needs your information? If so, you have probably never dealt with sales and do not know how much demand there is for a "live", high-quality customer base and for information about the methods of working with it.
The contents of the CRM system are of interest not only to the company's management but also to:
- Attackers (less often). They have a goal related to your company and will use every resource to get the data: bribing employees, hacking, buying your data from managers, interviewing managers, etc.
- Employees (more often), who can act as insiders for your competitors. They are simply willing to take the customer base with them or sell it for their own gain.
- Amateur hackers (very rare). The cloud where your data is stored or your network may be hacked, or someone may want to "pull out" your data just for fun (for example, data on pharmacy or alcohol wholesalers, simply because it is interesting to look at).
If someone gets into your CRM, they gain access to your operating activities, that is, the body of data you use to make most of your profit. From the moment of malicious access to the CRM system, the profit starts to smile on whoever holds the customer base. Or on their partners and customers (read: new employers).
A good, reliable CRM system can close off these risks and provide a number of pleasant bonuses in the area of security.
So, what can a CRM system do in terms of security?
(We use RegionSoft CRM as the example, since we cannot answer for other systems.)
- Two-factor authentication using a USB key and password. RegionSoft CRM supports two-factor authentication of users at login. In this case, when logging in to the system, the user must enter the password and also insert a previously initialized USB key into a USB port of the computer. The two-factor authentication model helps protect against theft or disclosure of the password.
- Login from trusted IP addresses and MAC addresses. For increased security, you can restrict user login to registered IP addresses and MAC addresses only. The IP addresses can be internal addresses on the local network or, if the user connects remotely (via the Internet), external addresses.
- Domain authorization (Windows authorization). You can configure system startup so that the user's password does not have to be entered at login. In this case Windows authorization is used, which identifies the user by means of WinAPI. The system runs as the user under whose profile the computer is running at the time of startup.
- Another mechanism is private clients. Private clients are clients that can be seen only by their supervisor. These clients are not displayed in the lists of other users, even if those users have a full set of permissions, including administrator rights. In this way you can protect, for example, a pool of VIP clients, or a group selected by another criterion, that is assigned to a reliable manager.
- The mechanism for separating access rights is the standard and primary protection measure in CRM. To simplify the administration of user rights, RegionSoft CRM assigns rights not to individual users but to templates. A template carrying a certain set of rights is then assigned to each user. This lets you give every employee, from beginner and trainee to director, the powers and access rights that will or will not allow them to reach confidential data and important commercial information.
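The trusted-address, private-client and rights-template mechanisms described above can be modelled in a few lines. This is an added example, not RegionSoft CRM code: the template names, right names, users, clients and networks are all constructed for illustration, and MAC address checks are not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed rights templates: rights belong to a template, never to a user.
TEMPLATES = {
    "trainee": {"client.view"},
    "manager": {"client.view", "client.edit"},
    "admin": {"client.view", "client.edit", "client.export", "user.manage"},
}

@dataclass(frozen=True)
class User:
    name: str
    template: str
    trusted_nets: tuple = ()  # registered networks; empty means unrestricted

@dataclass(frozen=True)
class Client:
    name: str
    supervisor: str
    private: bool = False

def login_allowed(user, source_ip):
    """Allow login only from a registered network when any are registered."""
    if not user.trusted_nets:
        return True
    addr = ip_address(source_ip)
    return any(addr in ip_network(net) for net in user.trusted_nets)

def has_right(user, right):
    """Unknown or missing templates grant nothing (fail closed)."""
    return right in TEMPLATES.get(user.template, set())

def can_view(user, client):
    # The private flag is checked before template rights, so even the
    # admin template cannot see another supervisor's private client.
    if client.private and client.supervisor != user.name:
        return False
    return has_right(user, "client.view")

def visible_clients(user, clients):
    return [c.name for c in clients if can_view(user, c)]

if __name__ == "__main__":
    # Constructed sample data.
    clients = [Client("Acme", "olga"), Client("VIP Corp", "olga", private=True)]
    ivan = User("ivan", "admin")
    olga = User("olga", "manager", trusted_nets=("10.0.0.0/24",))
    print(visible_clients(ivan, clients))
    print(visible_clients(olga, clients))
    print(login_allowed(olga, "203.0.113.5"))
```

The ordering in `can_view` is the point to check in any real deployment: if template rights are evaluated first, an administrator template silently overrides the private flag.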
To be continued in the next part