
Taking Steps To Ensure CRM Data Security

By Ken Seitz
E Solutions Corporation


The data contained within a CRM application is often a company’s most critical asset, yet because of the pivotal role this information plays in day-to-day business activities, it is also often the most vulnerable to security breaches and disruptions.

What’s more, ignoring or under-estimating vulnerabilities can be costly; a recent study by The Ponemon Institute found that a data breach can carry a staggering $14 million price tag when both tangible and intangible costs are factored in.

That study, which was commissioned by PGP Corporation, examined costs incurred by 14 companies in 11 industry sectors that had breaches affecting between 1,500 and 900,000 consumer records — a total of 1.4 million compromised records. In general, the largest breaches occurred in financial services, data integration and retail businesses, while the smallest were in healthcare and higher education. Most notably, the survey found that:

  • Total costs to recover from a breach averaged $14 million per company, or $140 per lost customer record;
  • Direct costs for incremental, out-of-pocket, unbudgeted spending averaged $5 million per company, or $50 per lost customer for outside legal counsel, mail notification letters, calls to individual customers, increased call center costs and discounted product offers;
  • Indirect costs for lost employee productivity averaged $1.5 million per company, or $15 per customer record; and
  • Opportunity costs covering loss of existing customers and increased difficulty in recruiting new customers averaged $7.5 million per company, or $75 per lost customer record. Overall customer loss averaged 2.6 percent of all customers and ranged as high as 11 percent.

If the dollar amounts aren’t convincing enough, consider the impact a data breach can have on a company’s customer base: A related survey also conducted by Ponemon found that, upon receiving notification that their data had been lost, 20 percent of respondents said they had terminated their relationship with the company, and 40 percent were considering doing so.

Clearly, securing the data within its CRM systems should be high on any company’s priority list. The best defense against breaches is a carefully structured set of policies and procedures that apply appropriate security measures based on the value of the data contained within the CRM application as well as on the potential risks to those data from internal and external sources.

Creating those policies and procedures is a three-step process that any organization using CRM systems should follow to ensure their data are secure, and their bank accounts and customer base aren’t placed in jeopardy.

Step One: Know Your Enemies

The first step is to understand the types of threats and evaluate the potential for danger; the truth may surprise you. With so much attention paid to malicious attacks by hackers, worms and viruses, it’s a common misconception that outside forces pose the greatest danger to a company’s data. The reality, however, is that internal elements are far more dangerous when it comes to data security than anything on the outside, including natural disasters.

In fact, 59 percent of data loss is caused by hardware or system malfunctions such as electrical failure, media crashes or controller failure, and 26 percent is caused by human error such as accidental deletion or drive formatting. Software malfunctions account for another nine percent of data loss. Outside forces, on the other hand, don’t even come close: only four percent of data loss is caused by viruses, and just two percent is caused by natural disasters such as fires, floods or brown-outs.

Also important to the security plan is to consider both the physical and logical security of your data. Physical security addresses the ease with which someone can tamper with or take down a CRM system through physical means, while logical security addresses the ease with which unauthorized access can be acquired. Of particular importance is how data contained within a CRM application are accessed, such as via the Internet, corporate intranet, VPN or a secure network connection. The mode of access makes a huge difference in a system’s risk profile; the more public the access points (i.e., Internet or intranet versus a dedicated VPN tunnel), the higher the risk level.

Step Two: Tolerance For Loss

The second step in developing comprehensive policies and procedures to secure CRM data is to determine exactly what level of tolerance the organization has for any loss of access to the CRM application and data should security be breached. This information is used to establish the organization’s recovery time and recovery point objectives:

  • Recovery time objective (RTO) refers to the period of time within which the applications must be recovered after a breach before the loss is considered significant. In one study, 22 percent of enterprise-level companies and 20 percent of mid-tier companies reported that downtime of less than one hour would result in significant revenue loss or other adverse business impact. In a second study, 46 percent reported that the loss of data for 72 hours would threaten the survival of their business.
  • Recovery point objective (RPO) is the point in time at which systems and data must be recovered after an outage. In other words, how much data can a company lose and still be able to survive? If RPO is six hours, the company must be able to restore systems back to the state they were in as of six hours prior to the breach.

A company’s RTO and RPO ultimately dictate the technology used for both security and data backup. Companies with long RPOs can opt for more traditional scheduled backups that take place once or twice a day. Companies with short RPOs, however, are best served by the near real-time backups offered by “snapshot” systems. For example, remote backup services have very short backup windows because they transfer only bit-level differences between previous and current versions of files, which allows for multiple backups throughout the business day.
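The relationship between backup schedule and RPO, and between restore procedure and RTO, can be checked mechanically. The following is an added example, not code from the article or from E Solutions: it takes a list of backup timestamps and reports the worst-case data loss (the longest gap between consecutive backups), the loss for a specific incident time, and whether a set of restore steps fits inside an RTO. The two schedules (nightly tape versus four-hourly snapshots), the restore-step durations and the six-hour RPO are constructed sample values, not figures from the article.

```python
from datetime import datetime, timedelta

# Constructed sample schedules (hypothetical values, not from the article).
# Nightly backup at 23:00 for three days.
DAILY_TAPE = [datetime(2024, 1, 1, 23, 0) + timedelta(days=d) for d in range(3)]
# Snapshot every four hours over the same three days.
SNAPSHOT_4H = [datetime(2024, 1, 1, 0, 0) + timedelta(hours=4 * h) for h in range(19)]

# Constructed restore-step estimates for two media choices discussed in the text:
# off-site tape that must be retrieved and loaded, versus a remote disk restore.
TAPE_OFFSITE = {
    "retrieve media from off-site": timedelta(hours=4),
    "install backup agent": timedelta(minutes=30),
    "load media and restore": timedelta(hours=3),
}
REMOTE_DISK = {"web-interface restore, no agent": timedelta(minutes=45)}


def worst_case_data_loss(backup_times):
    """Longest gap between consecutive backups: the most data a failure
    striking just before the next backup would lose."""
    times = sorted(backup_times)
    if len(times) < 2:
        raise ValueError("need at least two backups to measure a gap")
    return max(later - earlier for earlier, later in zip(times, times[1:]))


def meets_rpo(backup_times, rpo):
    """True when no possible failure time loses more than the RPO."""
    return worst_case_data_loss(backup_times) <= rpo


def data_loss_at(backup_times, incident_iso):
    """Data lost for an incident at the given ISO-8601 time: everything
    written since the last backup taken before the incident."""
    incident = datetime.fromisoformat(incident_iso)
    prior = [t for t in backup_times if t <= incident]
    if not prior:
        raise ValueError("no backup exists before the incident time")
    return incident - max(prior)


def restore_time(steps):
    """Total elapsed time for a sequence of restore steps."""
    return sum(steps.values(), timedelta())


def meets_rto(steps, rto):
    """True when the full restore procedure fits inside the RTO."""
    return restore_time(steps) <= rto


if __name__ == "__main__":
    rpo = timedelta(hours=6)
    rto = timedelta(hours=4)
    for name, sched in (("nightly tape", DAILY_TAPE), ("4h snapshots", SNAPSHOT_4H)):
        print(f"{name}: worst-case loss {worst_case_data_loss(sched)}, "
              f"meets 6h RPO: {meets_rpo(sched, rpo)}")
    print("loss for Jan 2 17:00 incident on nightly tape:",
          data_loss_at(DAILY_TAPE, "2024-01-02T17:00"))
    for name, steps in (("off-site tape", TAPE_OFFSITE), ("remote disk", REMOTE_DISK)):
        print(f"{name}: restore {restore_time(steps)}, meets 4h RTO: {meets_rto(steps, rto)}")
```

The worst-case gap, not the average, is the number to compare against the RPO: an outage just before a scheduled backup loses the whole interval, so a once-a-day schedule can never satisfy a six-hour RPO no matter when the backup runs.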

Another option for companies with very short RPOs is one of the emerging continuous data protection (CDP) solutions which protect data on a transactional basis. Using e-mail as an example, a CDP solution for Microsoft Exchange makes it possible to restore any message that ever flows through the system, providing continuous protection against server crashes, user deletes or any other imaginable failure. While CDP is currently considered the high-end of backups, the growing push to shorten RPOs by companies of all sizes is likely to make it something every company strives for in the near future.

When selecting the actual backup medium and storage of that medium, a company’s RTO must be considered; the shorter the RTO, the more accessible the primary backup medium should be. (Duplicate backups should always be stored off-site for maximum protection.) Disk-based restoration systems provide a far shorter recovery window than tape media, as do remote backup services. If the primary backup is also kept off-site, which is often the case with tape, restoration time is even longer.

In the case of remote backups, restores can take place through a Web interface to any system without an agent installation, making it considerably less time-intensive than restorations requiring the retrieval of off-site media, which must be loaded onto a backup system after an agent is installed.

Step Three: Bring It All Home

The third and final step is to use the information gathered in steps one and two to develop and implement a comprehensive set of security policies and procedures, which will ultimately drive the specifics on how and what technology is used. Policies and procedures should take a number of things into consideration, starting with access. Users should be restricted to only those areas that pertain to their work functions, and firewalls need to be correctly installed and configured to prevent unauthorized access. In fact, it’s a good idea to have a separate policy dealing with prevention issues, such as what systems are in place to prevent unauthorized access to CRM data.

Closely tied to access is auditing: a policy should be established that clearly defines how the organization will determine who has access to what information, and how it will identify when changes have been made to the system. Complementing the auditing policy should be a procedure outlining how alerts are handled. Who should be notified when an attempted breach occurs or when data are lost, and what steps should be taken as a result?

That leads to monitoring: Whether it’s done internally with software or outsourced, monitoring policies and systems should be implemented to detect when critical services or data are changed or made unavailable, or when there are anomalies in usage such as high volume on a Sunday afternoon when there is limited or no staff on the clock. While it may turn out not to be security related, it’s important to know when any change in routine has taken place so it can be checked out.
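The auditing and monitoring points above (who has access to what, when access changes, and unusual volume outside staffed hours) can be illustrated on a CRM audit log. This is an added example, not code from the article or from any CRM product: it parses a small, constructed log in a made-up `key=value` format, raises an alert for every role grant or revocation, and raises a second kind of alert when a single user touches more records than a threshold outside Monday-to-Friday business hours. The log lines, the 08:00-17:59 business window and the 1,000-record threshold are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample CRM audit log in a made-up key=value format.
# 2024-03-08 is a Friday, 2024-03-10 a Sunday, 2024-03-11 a Monday.
SAMPLE_LOG = """\
2024-03-08T10:15:02 user=alice action=view records=12
2024-03-08T11:40:19 user=bob action=export records=300
2024-03-08T16:02:44 user=admin action=grant_role target=bob role=export_all
2024-03-10T14:05:12 user=bob action=export records=5000
2024-03-10T14:20:33 user=bob action=export records=7000
2024-03-10T14:51:07 user=alice action=view records=3
2024-03-11T09:12:55 user=alice action=view records=20
"""

BUSINESS_DAYS = range(0, 5)       # Monday (0) through Friday (4)
BUSINESS_HOURS = range(8, 18)     # 08:00 to 17:59
OFF_HOURS_RECORD_LIMIT = 1000     # constructed threshold per user per day
ACCESS_CHANGE_ACTIONS = {"grant_role", "revoke_role"}


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict; 'records' is an int."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    event["records"] = int(event.get("records", 0))
    return event


def is_off_hours(ts):
    """True outside the staffed window, e.g. any time on a Sunday."""
    return ts.weekday() not in BUSINESS_DAYS or ts.hour not in BUSINESS_HOURS


def analyze(log_text):
    """Return alert strings for access changes and off-hours volume spikes."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    off_hours_volume = defaultdict(int)   # (user, date) -> records touched

    for e in events:
        # Every change to who can see what is recorded for the audit trail.
        if e["action"] in ACCESS_CHANGE_ACTIONS:
            alerts.append(
                f"ACCESS CHANGE {e['ts'].isoformat()} {e['user']} {e['action']} "
                f"target={e['target']} role={e['role']}"
            )
        if is_off_hours(e["ts"]):
            off_hours_volume[(e["user"], e["ts"].date())] += e["records"]

    # A Sunday afternoon with thousands of records touched by one user
    # is the kind of routine change the text says must be checked out.
    for (user, day), total in sorted(off_hours_volume.items()):
        if total > OFF_HOURS_RECORD_LIMIT:
            alerts.append(f"OFF-HOURS VOLUME {day} {user} touched {total} records")
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Both alert kinds tie back to the policy questions in the text: the access-change alert answers "who has access to what, and when did it change", and the volume alert flags a deviation from routine that may or may not be security related but warrants a look. In a real deployment the threshold would come from a per-user baseline rather than a fixed constant.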

Finally, even the most ironclad policies and procedures in the world won’t help if there’s no way to recover data. That brings us to data backups: It’s critical to run regular backups that will meet the company’s RTO and RPO, which, as noted above, play a key role in determining the type and frequency of backups and storage. Further, a policy should be in place that, in addition to the frequency of backups, dictates the “chain of command” for data recovery or restoration in the event of a loss or breach.

Ready And Willing, How About Able?

So, you’ve followed the steps; you’ve identified your threats, established your RTO and RPO and developed your security policies and procedures. Now it’s time for the $14 million question: Can you keep your CRM data secure with your existing resources? Just as vulnerabilities can be underestimated, so can a company’s ability to effectively manage data security on its own. The risks are too high to ignore, so it’s important to fully evaluate internal capabilities to ensure they are adequate for the task. Ask, and honestly answer, the hard questions, including:

  • Do you have the technical expertise and sufficient manpower to implement and manage a security infrastructure that adequately protects your CRM data?
  • Do you have the technology and expertise to meet RTO and RPO?
  • Do you have an adequate budget to manage and maintain the currency of your security and attain RTO and RPO?

If you don’t have the manpower, experience or budget to ensure data security, outsourcing is a viable option. Working with a qualified outsourcing partner provides not only expert implementation of security measures, but also ongoing updates and round-the-clock monitoring and management.

An outsourcing partner can also conduct overall and front-end data loss risk assessments and assist in the development and implementation of a sound data-classification policy and data handling procedures, as well as conduct ongoing audits to ensure continuous compliance. However, it’s important to hold any outsourcing provider to the same $14 million standard to which internal resources are held, which means conducting a comprehensive evaluation of technical expertise and experience. The key to any evaluation is the vendor’s:

  • Financial security and stability;
  • Staffing levels and credentials;
  • Expertise with the CRM application they’ll be managing; and
  • Security systems employed to prevent unauthorized access and detect intrusions.

Finally, whether security is handled internally or outsourced, establishing truly effective policies and procedures involves more than just developing the documents; it is also critical to thoroughly test them, as well as audit and update them on a regular basis. Doing so will ensure your CRM data are receiving the highest level of protection warranted by the impact the information’s loss could have on your business.

Ken Seitz is CIO of E Solutions Corporation (http://www.esnet.com), where he is responsible for overseeing availability, performance and security of E Solutions’ network and customers, which range from global Fortune 100 firms to mid-sized and small businesses. Seitz also manages a team of IT experts who provide immediate support of internal and external needs, as well as data center facility management, service design and project management. He can be reached at [email protected] or (813) 301-2600.

For information and subscriptions, visit http://www.TMCnet.com or call 203-852-6800.