4 Steps to Secure Your CRM or Customer Experience Platforms
Your sales team has access to a customer relationship management solution or platform as a service. Sounds obvious, right? Most enterprises are aware of the risk they run by allowing sales personnel access to such platforms, and it makes sense for these companies to place a few restrictions on these and other key users.
However, CRMs are not used only by sales personnel. For most organizations, these have become mission-critical platforms used across the organization. They also fall outside of many enterprises’ governance initiatives, which has pros for line-of-business success and cons for governance.
Let’s focus on the basics of role-based access control to keep it simple: Do you have two-factor authentication set up for your environment? That’s a great place to start to ensure bad actors can’t sneak into the building’s perimeter. Now, if a bad actor (internal or otherwise) does gain access, do you have controls in place to make sure they can’t get access to the vault, or is access wide open once they slip past the front door?
Consider the administrator who gives an hourly rep temporary administrative privileges with the intention to later adjust profiles, or the user who needs to share data and “quickly” sets up sharing rules to enable access. These are commonsense moves, but they can be difficult to evaluate with confidence if you’ve had multiple administrators, system integrators, citizen developers, architects, etc., all handling the same environment.
Avoiding Complications Later On
You likely have customer data that is pretty important. Think about what other sensitive data lurks within your platforms that you wouldn’t want splashed across the front page of the newspaper after a breach. Do you know what’s there?
Best-in-class organizations use security and governance as a key principle for these systems, generating tremendous business value while minimizing risk. Follow these four steps to get started:
1. Define what matters.
Security and governance mean many things depending on organization-specific needs. For example, do you store customer data? Maybe you merely transmit it from one place to another. Do you conduct business in Europe, mandating adherence to the General Data Protection Regulation? Before you can start to take measures to secure your enterprise and achieve compliance, you need to know what security looks like for your company’s unique situation. Start by discussing goals with your governance, information security, legal, and compliance experts, and then define the right approach for your company.
2. Know your cloud.
Not all clouds are created equal, and there are distinct nuances between infrastructure as a service, software as a service, and platform as a service. Evaluate how you are truly using your platform today. Is it still just a CRM, or has it evolved into a customer experience platform that supports processes, users, and data you didn’t anticipate when you originally deployed? Is it a PaaS? Once you determine that, you have the basis to figure out whether your shared responsibilities are relevant.
3. Identify and prioritize areas of exposure.
With massive data breaches dominating headlines, most organizations are already paying significant attention to network penetration and other external threats. Preventing threats from internal bad actors, by contrast, is a blind spot for many organizations across their customer-experience platforms. For example, many companies focus on granular components like database-level encryption as the silver bullet. While encryption at rest is great functionality, focusing on it without taking more basic measures, like restricting access to the data, is shortsighted.
The right governance initiative is difficult to assess if companies focus on acquiring capabilities. When capabilities are not implemented (or are implemented incorrectly), they do not reduce vulnerabilities and often end up, like numerous other security investments, as very expensive shelf-ware.
4. Resolve misconfigurations.
Acquiring software capabilities and allocating resources are good first steps to eliminating vulnerabilities, but they’re not enough. Your security and compliance teams need access to the right tools to evaluate, prioritize, and inform resolution of misconfigurations on the basis of evidence, not anecdotes.
Platforms and CRMs are incredibly powerful growth tools. They can also create vulnerabilities, as they may expose your most sensitive customer and internal data. The appropriate security measures will vary depending on your systems, industry regulations, and the needs of your customers. The above four steps are a straightforward place to start. Take aim at security and governance initiatives now, and you can help your organization avoid unnecessary complications down the road.
As chief revenue officer, Brian Olearczyk focuses on customer success for clients of RevCult. His perspective is informed by working with the most complex organizations in the world on data governance.