CRM system as a threat
If your company has at least one PC, it is already a source of cyber threats. The degree of threat grows with the number of workstations (and employees) and with the variety of software installed and used. CRM systems are a particularly delicate case: a CRM is the program meant to store and process your most important and expensive asset, the client base and commercial information, and here we are telling scary stories about its safety. In fact, things are not so gloomy: handled correctly, a CRM system brings you nothing but benefit and safety.
What are the signs of a dangerous CRM system?
Let's begin with a short excursion into the basics. A CRM can be cloud-based or desktop. Cloud systems are those whose DBMS (database) is hosted not in your company but in a private or public cloud in some data center (for example, you sit in Chelyabinsk while your database runs in a top-notch data center in Moscow, because that is what the CRM vendor decided and it has a contract with that provider). Desktop systems (also called on-premise or server-based, although the latter is no longer quite accurate) keep their DBMS on your own servers (no, don't picture a huge server room with expensive racks; in small and medium businesses it is most often a single server or even an ordinary PC with a modern configuration), that is, physically in your office.
Unauthorized access is possible to both types of CRM, but the speed and ease of access differ, especially for SMBs that do not care about information security.
Danger sign №1
The higher probability of data problems in a cloud system comes from a relationship chain with several links: you (the CRM tenant) - vendor - provider (sometimes a longer version: you - vendor - vendor's IT outsourcer - provider). A chain of 3-4 links carries more risk than one of 1-2 links: the problem can occur on the vendor side (a contract change, failure to pay the provider), on the provider side (force majeure, hacking, technical problems), on the outsourcer side (a change of manager or engineer), and so on. Of course, large vendors try to have backup data centers, manage risks and keep their own DevOps department, but this does not rule out problems.
A desktop CRM is usually not rented but purchased by the company, so the relationship looks simpler and more transparent: during implementation the CRM vendor sets up the necessary security levels (from separation of access rights and a physical USB key to installing the server inside a concrete wall, etc.) and hands over control to the company that owns the CRM, which can strengthen protection, hire a system administrator, or contact its software supplier as needed.
Here the problems come down to working with employees, network protection and physical protection of information. With a desktop CRM, even a complete loss of Internet connectivity will not stop work, because the database is located in your own office.
Data in a cloud CRM system can be lost because of server failure, server unavailability, force majeure, the vendor going out of business, etc. The cloud means permanent, continuous access to the Internet, so protection must be unprecedented: at the level of code, access rights, and additional cybersecurity measures (for example, two-factor authentication).
Danger sign №2
This is not about a single sign but about a group of signs associated with the vendor and its policies. Let us list some important examples that we and our employees have encountered.
The vendor may choose a data center that is not reliable enough to host its clients' DBMSs. It will save money, will not monitor the SLA, will not calculate the load, and the result will be fatal for you.
The vendor may refuse to transfer the service to the data center of your choice. This is a fairly common restriction for SaaS.
The vendor may have a legal or economic conflict with the cloud provider, and then, while the dispute is being sorted out, backup operations or, for example, speed may be limited.
Backup may be offered as a separately priced service. This is a common practice that a CRM client may learn about only when the backup is needed, i.e. at the most critical and vulnerable moment.
The vendor's employees may have unimpeded access to client data.
There can be data leaks of any nature (human factor, fraud, hackers, etc.).
These problems usually concern small or young vendors, but even large ones have repeatedly ended up in unpleasant stories (google it). Therefore, you should always have ways to protect the information on your side, and you should discuss security issues with your chosen CRM supplier in advance. The very fact of your interest in the problem will make the supplier treat the implementation as responsibly as possible.
To be continued in the next part.