Funny programmer

CRM systems: protection or threat? Part 3

Sign of danger number three.


How security work is organized in your company.
Here is a list of questions you should find answers to inside your company (even if you don't need a CRM).

Where do employees keep their passwords?


1. How is access to the storage on the company's servers organized?
2. How is software that holds commercial and operational information protected?
3. Do all employees have active antiviruses?
4. How many employees have access to client data, and what level of access do they have?
5. How many newcomers do you have and how many employees are in the process of being fired?
6. How long has it been since you talked with key employees and listened to their requests and complaints?
7. Are printers controlled?
8. What is the policy on connecting personal gadgets to work PCs and on using Wi-Fi?

In fact, these are basic questions - commenters will surely add more hardcore ones, but this is a baseline that even an individual entrepreneur with two employees should know.

So how to protect yourself?

Backups are the most important thing, and the one most often forgotten or neglected. If you have a desktop system, set up data backups at a fixed frequency (for RegionSoft CRM, for example, this can be done with RegionSoft Application Server) and organize proper storage of the copies. If you have a cloud CRM, be sure to find out how backups work before you sign the contract: you need to know the depth and frequency, the storage location, and the cost of backups (often only backups of the "latest data for a period" are free, while a full-fledged, secure backup is a paid service). In general, this is no place for savings or negligence. And yes, don't forget to check what actually gets restored from the backups.
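A restore check of the kind the last sentence asks for, as an added example (not code from the original article or from any CRM vendor): it records a SHA-256 manifest at backup time, restores the archive into a scratch directory and reports what is missing or changed. The directory layout, file names and tar.gz format are assumptions made for illustration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def manifest(root: Path) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(data_dir: Path, archive: Path, skip: tuple = ()) -> dict:
    """Write the archive and return the manifest of what should be recoverable.
    `skip` simulates a partial backup that silently leaves files out."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(data_dir.rglob("*")):
            rel = p.relative_to(data_dir).as_posix()
            if p.is_file() and rel not in skip:
                tar.add(p, arcname=rel)
    return manifest(data_dir)

def verify_restore(archive: Path, expected: dict) -> dict:
    """Restore into a scratch directory and diff the result against the manifest."""
    # Use the "data" extraction filter (blocks unsafe member paths) where available.
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **opts)
        restored = manifest(Path(scratch))
    return {"missing": sorted(set(expected) - set(restored)),
            "changed": sorted(f for f in set(expected) & set(restored)
                              if expected[f] != restored[f])}

def demo() -> tuple:
    """Constructed sample data: a full backup versus a 'latest data only' one."""
    old = "history/deals_2019.csv"
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp, "crm_data")
        (data / "history").mkdir(parents=True)
        (data / "clients.csv").write_text("id,name\n1,Acme\n")
        (data / old).write_text("id,sum\n7,1200\n")
        full_arc, part_arc = Path(tmp, "full.tgz"), Path(tmp, "partial.tgz")
        full = verify_restore(full_arc, make_backup(data, full_arc))
        partial = verify_restore(part_arc, make_backup(data, part_arc, skip=(old,)))
    return full, partial

if __name__ == "__main__":
    print(demo())
```

The partial archive restores without any error, which is why the comparison against a manifest taken at backup time is the part that matters.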


Separation of access rights at the function and data level.
Network-level security - allow the CRM to be used only within the office subnet, restrict access from mobile devices, and prohibit working with the CRM system from home or, worse, from public networks (co-working spaces, cafes, client offices, etc.). Be especially careful with the mobile version - let it be only a heavily cut-down version for work.


Antivirus with real-time scanning is needed in any case, but especially where corporate data security is concerned. At the policy level, forbid users from disabling it on their own.
Training employees in cyber hygiene is not a waste of time but an urgent need. You have to get across to your colleagues that it is important not only to warn about a threat but also to respond to it. Forbidding the use of the Internet or mail in the office is last-century thinking and a source of sharp resentment, so you have to work through prevention instead.


Of course, a cloud system can also reach a sufficient level of security: use dedicated servers, configure routers and separate traffic at the application level and the database level, use private subnets, impose strict security rules on administrators, ensure continuity through backups made as often and as completely as necessary, monitor the network around the clock... If you think about it, this is not so much difficult as expensive. But, as practice shows, only some companies take such measures, mostly large ones. So we won't hesitate to say it again: neither cloud nor desktop should be left to live on its own; protect your data.

A few small but important tips for any CRM-system implementation

Check the vendor for vulnerabilities - search for combinations of words such as "Vendor Name vulnerability", "Vendor Name hacked", "Vendor Name data leakage". This should not be the only criterion when choosing a new CRM system, but it is worth keeping at the back of your mind, and it is especially important to understand the causes of the incidents.
Ask the vendor about the data center: availability, how many there are, and how the failover is organized.


Configure security tokens in the CRM, and keep track of activity within the system and of unusual spikes.
Disable report export and API access for non-core employees - those who do not need these features for their regular work.
Ensure that your CRM system is configured with process logging and user activity logging.
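An added example (not from the original article or any CRM product) of what reviewing such activity logs can look like: one pass over a constructed log that flags access from outside the office subnet, export or API use by roles that do not need it, and per-user export spikes. The log format, subnet, role names, action names and spike threshold are all assumptions.

```python
import ipaddress
from collections import Counter, defaultdict
from statistics import median

OFFICE_NET = ipaddress.ip_network("10.20.0.0/24")  # assumed office subnet
EXPORT_ROLES = {"analyst", "head_of_sales"}        # assumed roles that need export/API
SENSITIVE = {"report_export", "api_call"}          # assumed action names
SPIKE_FACTOR = 3                                   # assumed: 3x the user's median day

# Constructed sample log, one event per line: date user role source_ip action
SAMPLE_LOG = "\n".join(
    ["2024-03-04 anna analyst 10.20.0.15 report_export",
     "2024-03-05 anna analyst 10.20.0.15 report_export",
     "2024-03-05 boris manager 10.20.0.31 view_card",
     "2024-03-06 boris manager 203.0.113.7 view_card",
     "2024-03-06 vera manager 10.20.0.40 report_export"]
    + ["2024-03-06 anna analyst 10.20.0.15 report_export"] * 5)

def audit(log: str) -> list:
    """Return (date, user, finding) tuples for the three checks."""
    findings = []
    per_day = defaultdict(Counter)  # user -> {date: sensitive actions that day}
    for line in log.strip().splitlines():
        day, user, role, ip, action = line.split()
        if ipaddress.ip_address(ip) not in OFFICE_NET:
            findings.append((day, user, "outside_office_subnet"))
        if action in SENSITIVE:
            per_day[user][day] += 1
            if role not in EXPORT_ROLES:
                findings.append((day, user, "export_by_non_core_role"))
    for user, days in per_day.items():
        ordered = sorted(days)  # ISO dates sort chronologically
        for i in range(1, len(ordered)):
            # Baseline: median of this user's earlier active days
            baseline = median(days[d] for d in ordered[:i])
            if days[ordered[i]] >= SPIKE_FACTOR * baseline:
                findings.append((ordered[i], user, "export_spike"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Days on which a user exported nothing do not enter the baseline, so a user's first active day is never flagged as a spike.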

These are trifles, but they complement the overall picture perfectly. And in security there really are no trifles.

By implementing a CRM system, you ensure the security of your data - but only if the implementation is done correctly and information security issues are not pushed into the background. You'll agree it is silly to buy a car without checking the brakes, ABS, airbags, seat belts and EDS.

In fact, the main thing is not just to drive, but to drive safely and get there safely. The same is true of business.
And remember: if the safety rules are written in blood, the rules of business cybersecurity are written in money.