CRM Export Security – Mitigating Data Leakage Risk
When implementing a Customer Relationship Management system, whether as a new endeavor or as a replacement for an outdated system, there will inevitably be conversation regarding data security. With good reason, as a lack of appropriate planning could be costly to the organization resulting in lost sales to competitors, lost employee productivity, and potentially legal action.
Data Leakage is real
Most data in a CRM is sensitive; the real question is the degree of sensitivity. When this data leaves the walls of the organization, the consequences can be serious. Consider what it would mean to your organization if one of the following happened:
- A list of all customer records is stolen by an employee before accepting a position with a competitor.
- An employee leaves their laptop unlocked and unattended at a coffee shop, where someone seizes the opportunity to email themselves a full list of recent transactions.
- Information regarding purchases made by government agencies was exported to a file, left on a USB drive, and lost.
You can imagine the questions that would be raised as a result of any of the above, all driving back to whether appropriate measures were taken to safeguard the data and who was responsible for enforcing them.
Ernst & Young published a brief last year on data loss prevention, which is a great overview of the issues, costs, and considerations of data loss. The brief's overlap with most CRM implementations is in the Customer Data and Corporate Data areas. Customer lists, prospect lists, contact history, and purchase history are among the most common, and each of them carries a cost in the event of a data breach.
Appropriate precautions should be taken
The major CRM applications have security models that allow permissions to be granted based on a wide array of business rules. The key to setting these up is to first understand the use cases behind accessing the information, then gain agreement on what the appropriate result should be. Often this CRM security dialogue raises awareness of situations that haven't previously been considered and may already exist as a data leakage risk.
CRM technologies provide a great framework to begin guarding this data, but don't discount the importance of process and training when it comes to data protection. While outlining the usage scenarios, you will find corner cases that fall outside the systematic rules. Often these stem from a project (perhaps cross-functional) that requires a one-time deviation from the standard security procedures. Having processes to follow when accessing the information, as well as a clear expectation of how it should be handled by all parties, is critical, and it is not a problem that is solved inside a CRM system.
Finding the right balance
A very common pitfall is to skip the analysis of the usage scenarios and instead rely on heavy-handed security policies. These often end up getting in the way of user productivity, resulting in frustration and the opinion that the CRM is more of a burden than an enablement tool.
When I'm working with clients as a Manager at Hitachi Solutions, we weigh many factors as part of this discussion. Some of these include:
- Functional System Requirements
- Regulatory Compliance
- System Auditing Capabilities
- Education Delivery Capabilities
- Incident Response Procedure
- Corporate Risk Management Strategy
These are just a taste of the many factors involved in a CRM system's export security. It is crucial to begin this conversation early, as it will save time and testing later in the deployment process.
The power of a CRM system lies in enabling users to leverage relevant information when interacting with a customer or prospect. Sometimes this includes extracting details from the system in the form of a report or a standalone file. When approaching this situation, the right solution will include well-implemented technologies that enable productivity while still protecting data. It will also leverage clearly documented processes that guide the desired interactions with the system. Finally, it will include sufficient training for the people who will be accessing the data on the proper way to conduct themselves when doing so.