What do I need to know about data security?
This paper is a guide to the security issues around using an online CRM or any other web-based application. There are 6 areas or layers of security to consider.
1. Data on the move (known as Data in Motion): The first priority is that all data is moved using SSL (Secure Sockets Layer). This encrypts the data as it travels from one point to another. It provides a minimum basic level of security: otherwise, if a username or password is sent to the host server (to access your data where it is stored online) in plain text, it can simply be read or intercepted when you are using a wireless network.
You can check whether you are using SSL: the URL in your browser starts with https:// (URLs on unsecured sites start with http://).
2. Data on the servers (known as Data at Rest): This second priority is just as important as the first. Checking that the provider is using a highly rated and reputable data centre is essential, because so many considerations depend on it. The data centre must offer a secure, durable technology platform which has industry-recognised certifications and is subject to regular audits. A reputable data centre will also have multiple layers of operational and physical security to ensure the integrity and safety of your data, incorporating encryption, backup and redundancy procedures.
3. Procedures for authentication and authorisation: When you first sign into your CRM system, there should be a minimum requirement for your password. This is important, as a computer-generated password used with some systems with just 6 characters (letters all in lowercase) can be broken in about 5 minutes. With just a few small changes, such as including upper and lowercase letters and special characters and increasing the length to 9 characters, the time taken to break the password rises to an astonishing 19,985 years! The provider should NEVER have access to your password.
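The following is an added example (not code from the article or from LD Workflows) showing how a minimum password policy of the kind described above can be enforced, and how the size of the search space grows with length and character classes. The required classes, minimum length and the guess rate of one million attempts per second are assumptions chosen for illustration; at that rate an all-lowercase 6-character password is exhausted in roughly five minutes, in line with the figure quoted above.

```python
import string

# Character classes a policy can require. The set of classes and their
# sizes are an assumed policy for this example, not the article's.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26 characters
    "upper": set(string.ascii_uppercase),   # 26 characters
    "digit": set(string.digits),            # 10 characters
    "special": set(string.punctuation),     # 32 characters
}


def classes_present(password):
    """Return the names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def check_policy(password, min_length=9, required=("lower", "upper", "special")):
    """Return a list of policy violations; an empty list means the password passes.

    Defaults (9 characters, mixed case plus a special character) are an
    assumed policy mirroring the article's stronger example.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    present = classes_present(password)
    for cls in required:
        if cls not in present:
            problems.append(f"missing a {cls} character")
    return problems


def search_space(password):
    """Number of candidates an exhaustive search must cover for passwords of
    this length drawn from the classes actually used in it."""
    alphabet = sum(len(CLASSES[c]) for c in classes_present(password))
    return alphabet ** len(password)


def worst_case_years(password, guesses_per_second=1_000_000):
    """Time to exhaust the search space at an assumed guess rate.

    The rate is a constructed assumption: real figures depend on how the
    password is hashed and on the attacker's hardware.
    """
    seconds = search_space(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    for candidate in ("abcdef", "Tr0ub4d!r"):   # constructed sample passwords
        print(candidate, check_policy(candidate) or "passes policy",
              f"search space={search_space(candidate):,}",
              f"worst case={worst_case_years(candidate):.2f} years")
```

The search-space figure is a lower bound on attacker effort for a truly random password; for a human-chosen one, dictionary and pattern attacks reduce it substantially, which is why a computer-generated password of adequate length is preferable.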
The next most common procedure is to generate a token (cookie) to be stored on your device which will authenticate your access.
This should be time-sensitive, so that it requires you to log in on a regular basis.
The third aspect of authentication and authorisation is defining access to the different levels within the CRM. Are there specific areas that only an admin user can access, or areas assigned according to the user's role or responsibility?
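As an added example (not code from the article or LD Workflows), the following covers both of the points just described: a time-sensitive session token that the server signs and that stops working once its expiry passes, and an authorisation check that only admits the token holder to CRM modules their role permits. The server secret, the role-to-module table and the module names are constructed assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Server-side signing key. Constructed for this example; a real deployment
# loads it from configuration and it never leaves the server.
SERVER_SECRET = b"example-only-secret-key"

# Assumed mapping of roles to the CRM modules they may use (not from the article).
ROLE_MODULES = {
    "admin": {"contacts", "reports", "billing", "user_admin"},
    "sales": {"contacts", "reports"},
    "support": {"contacts"},
}


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the encoded claims, so a client cannot alter them unnoticed."""
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def issue_token(user, role, ttl_seconds=900, now=None):
    """Create a signed token that expires ttl_seconds after issue (default 15 minutes)."""
    now = time.time() if now is None else now
    claims = {"sub": user, "role": role, "exp": int(now + ttl_seconds)}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{payload}.{_sign(payload.encode())}"


def verify_token(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.rsplit(".", 1)
    except ValueError:
        return None                      # malformed: no signature part
    # Constant-time comparison so timing does not leak how much of the MAC matched.
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload.encode()))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None                      # expired: the user must log in again
    return claims


def can_access(token, module, now=None):
    """Authorisation: a valid, unexpired token AND a role that permits the module."""
    claims = verify_token(token, now=now)
    if claims is None:
        return False
    return module in ROLE_MODULES.get(claims.get("role"), set())


if __name__ == "__main__":
    token = issue_token("alice", "sales")    # constructed sample user
    print("contacts:", can_access(token, "contacts"))   # True
    print("billing:", can_access(token, "billing"))     # False: not a sales module
```

Because the claims are signed with a key held only by the server, a token with an edited role or a pushed-back expiry fails verification, and because every check reads the expiry, a stolen token is only useful until it lapses.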
4. Data stored on the mobile or computer (a variation of Data at Rest): A good procedure is to store any customer or other sensitive data on secure servers where it is usually much safer than storing it on a mobile device. There are exceptions where you might require limited offline access, however this does increase the security risk. Many organisations prefer users not to have sensitive data stored on their devices, in case of theft or loss.
5. Who can authorise access to the CRM and BYOD (Bring your own device): Are there procedures in place to control the authorisation of new or additional users who require access to the system? These will include the allocation to specific areas or modules within the CRM.
Increasingly, users prefer not to carry multiple devices and will instead wish to use their own mobile. The industry term for this is BYOD (Bring Your Own Device).
This has the added advantage that the employer is not required to make new capital expenditure.
To maximise the benefits (and to minimise security risks) when implementing a new CRM, it can be helpful to introduce appropriate business operating procedures. The CRM provider should be able to assist with advice and will possibly run workshops and training courses to help develop a framework for deciding on and setting any new processes required.
6. Overall security of the system code: How well has the system been constructed? How experienced is the team who built it? The code can be encrypted or obfuscated (obfuscation makes the code appear jumbled). The latest HTML5 code cannot be encrypted, but it can be obfuscated. In some cases encryption can affect the system, causing it to operate slowly. This area is much harder for most everyday users to assess. However, the speed of the system is generally an indication of the build quality of the code.