Let’s say your top sales manager leaves your company to join a competitor. You expect they’ll take their relationships with them, but will they take your sales data, too?
Unfortunately, you probably won’t know and neither will your cybersecurity team. In this article, I’ll explain why that is and help you understand what you can do about it.
Chances are, you’ve been keeping your sales data in the cloud for some time. If you’re like many executives, you might assume your data is secure within those cloud applications. That’s a dangerous assumption, though. Cloud providers are responsible for everything that delivers their application (e.g., their data center); it’s your responsibility to protect the data inside it.
How are companies handling their responsibility to safeguard their information in the cloud? At one global company, a group of contractors was given access to the company’s Salesforce instance. Months later, after their projects ended, the former contractors could still log in and access the company’s records—and they were.
Think about the data inside a CRM system. Not only does sales data contain personal and regulated information that has to be protected—combinations of names, addresses, phone numbers and emails—it also holds the keys to your sales pipeline, and if you lose it, you can lose your business. It’s hard to imagine a more crucial dataset, especially as organizations use their CRM systems for all sorts of critical workflows that include contracts, discounts, quotes, customer cases, payment information and other sensitive documents.
No one wants to think about what would happen if cyber thieves stole personal details about your customers and leaked them. But we have to consider it. In addition to jeopardizing your pipeline, your company’s reputation could be damaged, and you could incur fines for privacy violations.
Thinking about protecting CRM data isn’t easy—many cloud applications have become so sophisticated that they require a high level of expertise to understand, and customer relationship management (CRM) applications are some of the most complex. Because they were designed to make it easier to create, share and analyze sales data, security comes second.
Why Protecting Your Critical Sales Data Is Hard
Cloud applications don’t make it easy to answer questions about data protection. Each one takes you down a different road when you start to ask: “Who can access our sensitive data? What did our former employee access before leaving? Is our instance configured properly?”
Let’s take Salesforce as an example. It’s essentially an extensive, complex database with many kinds of records, such as account records for prospect organizations, contact records for professionals you want to get in touch with and opportunity records for deals you’re working on. Each record has many fields associated with it, such as the address field, notes, costs and references to people in the account. The access controls that dictate who has access to which and what kinds of records in Salesforce are like the layers of an onion—there are many overlapping layers, and peeling the layers back can make you want to cry.
Many security teams describe cloud applications as “black boxes.” They don’t know how they work or what’s happening on the inside. When you do dive in, you find there are broad organizational settings, role-based access capabilities, organizational hierarchies, sales models (territory vs. product) and fine-tuned access controls down to object and field levels. There are also application, system and sharing settings.
We talk to Salesforce admins who create and maintain massive spreadsheets just to try to track who has access to what. Understanding changes, finding sensitive and regulated data and tracking activity are just as challenging and require additional modules, additional configurations and tons of expertise.
It’s unrealistic to expect a security team to keep up with all the configuration options and mechanics of every SaaS application and cloud infrastructure service that’s undoubtedly enabling your business. It’s also unrealistic to expect application specialists to maintain massive spreadsheets and explain them to compliance and security officers once a quarter.
How To Protect Your Sales Data
Attackers would love to get their hands on your data, so your job is to make it as hard as possible for them to gain access. To safeguard any critical data, especially sales data, you must be able to map who can and does access it and where your most sensitive data sits. With these ingredients, you can triangulate and prioritize risk.
Once you’ve analyzed and prioritized risk, take an “assume breach” mindset and follow these steps to begin reducing the potential damage to your CRM system:
- Start where the upside is high and the downside is low. Data risk assessments uncover troves of sensitive data that are broadly accessible but rarely used—such as a complete copy of the sales database that was spun up for testing but never shut down.
- Our risk assessments reveal that many users have powerful permissions they either never use or shouldn’t have. If more than 10% of your users have administrative rights to your CRM system, that’s probably too high.
- Try a tabletop exercise that focuses on your CRM data. Pretend a mid-level sales manager leaves, and perform an access review to see what they could have taken. How many records can they access? Which ones do they access? Would anything have notified you if the manager was accessing a large number of records?
CRM systems are complicated—protecting the data inside doesn’t have to be. Ensure only the right people always have access to the right data, and make sure they’re using it in the right way. Sometimes, safeguarding your CRM starts with just a simple question: How are we protecting our sales data?
This article first appeared on Forbes.
We've been keeping the world's most valuable data out of enemy hands since 2005 with our market-leading data security platform.How it works
Co-Founder and CEO of Varonis, responsible for leading the management, strategic direction, and execution of the company.