Taking steps to ensure CRM data security.


The data contained within a CRM (Customer Relationship Management) application is often a company's most critical asset, yet because of the pivotal role this information plays in day-to-day business activities, it is also often the most vulnerable to security breaches and disruptions.

What's more, ignoring or underestimating vulnerabilities can be costly; a recent study by The Ponemon Institute found that a data breach can carry a staggering $14 million price tag when both tangible and intangible costs are factored in.

That study, which was commissioned by PGP Corporation, examined costs incurred by 14 companies in 11 industry sectors that had breaches affecting between 1,500 and 900,000 consumer records--a total of 1.4 million compromised records. In general, the largest breaches occurred in financial services, data integration and retail businesses, while the smallest were in healthcare and higher education.

Most notably, the survey found that:

* Total costs to recover from a breach averaged $14 million per company, or $140 per lost customer record;

* Direct costs for incremental, out-of-pocket, unbudgeted spending averaged $5 million per company, or $50 per lost customer, for outside legal counsel, mail notification letters, calls to individual customers, increased call center costs and discounted product offers;

* Indirect costs for lost employee productivity averaged $1.5 million per company, or $15 per customer record; and

* Opportunity costs covering loss of existing customers and increased difficulty in recruiting new customers averaged $7.5 million per company, or $75 per lost customer record. Overall customer loss averaged 2.6 percent of all customers and ranged as high as 11 percent.

If the dollar amounts aren't convincing enough, consider the impact a data breach can have on a company's customer base: A related survey also conducted by Ponemon found that, upon receiving notification that their data had been lost, 20 percent of respondents said they had terminated their relationship with the company, and 40 percent were considering doing so.

Clearly, securing the data within their CRM systems should be high on any company's priority list. The best defense against breaches is a carefully structured set of policies and procedures that apply appropriate security measures based on the value of the data contained within the CRM application as well as on the potential risks to those data from internal and external sources.

Creating those policies and procedures is a three-step process that any organization using CRM systems should follow to ensure their data are secure, and their bank accounts and customer base aren't placed in jeopardy.

Step One: Know Your Enemies

The first step is to understand the types of threats and evaluate the potential for danger; the truth may surprise you.

With so much attention paid to malicious attacks by hackers, worms and viruses, it's a common misconception that outside forces pose the greatest danger to a company's data. The reality, however, is that internal elements are far more dangerous when it comes to data security than anything on the outside, including natural disasters.

In fact, 59 percent of data loss is caused by hardware or system malfunctions such as electrical failure, media crashes or controller failure, and 26 percent is caused by human error such as accidental deletion or drive formatting. Software malfunctions account for another nine percent of data loss.

Outside forces, on the other hand, don't even come close: only four percent of data loss is caused by viruses, and just two percent is caused by natural disasters such as fires, floods or brown-outs.

Also important to the security plan is to consider both the physical and logical security of your data. Physical security addresses the ease with which someone can tamper with or take down a CRM system through physical means, while logical security is the ease with which unauthorized access can be acquired.


Of particular importance is how data contained within a CRM application are accessed, such as via the Internet, corporate intranet, VPN (Virtual Private Network) or a secure network connection. The mode of access makes a huge difference in a system's risk profile; the more public the access points (i.e., Internet or intranet versus a dedicated VPN tunnel), the higher the risk level.

Step Two: Tolerance For Loss

The second step in developing comprehensive policies and procedures to secure CRM data is to determine exactly what level of tolerance the organization has for any loss of access to the CRM application and data should security be breached.

This information is used to establish the organization's recovery time and recovery point objectives:

* Recovery time objective (RTO) refers to the period of time within which the applications must be recovered after a breach before the loss is considered significant. In one study, 22 percent of enterprise-level companies and 20 percent of mid-tier companies reported that downtime of less than one hour would result in significant revenue loss or other adverse business impact. In a second study, 46 percent reported that the loss of data for 72 hours would threaten the survival of their business.

* Recovery point objective (RPO) is the point in time at which systems and data must be recovered after an outage. In other words, how much data can a company lose and still be able to survive? If RPO is six hours, the company must be able to restore systems back to the state they were in as of six hours prior to the breach.

A company's RTO and RPO ultimately dictate the technology used for both security and data backup. Companies with long RPOs can opt for more traditional scheduled backups that take place once or twice a day.

Companies with short RPOs, however, are best served by the near real-time backups offered by "snapshot" systems. For example, remote backup services have very short backup windows because they transfer only bit-level differences between previous and current versions of files, which allows for multiple backups throughout the business day.

Another option for companies with very short RPOs is one of the emerging continuous data protection (CDP) solutions, which protect data on a transactional basis. Using e-mail as an example, a CDP solution for Microsoft Exchange makes it possible to restore any message that ever flows through the system, providing continuous protection against server crashes, user deletes or any other imaginable failure. While CDP is currently considered the high-end of backups, the growing push to shorten RPOs by companies of all sizes is likely to make it something every company strives for in the near future.

When selecting the actual backup medium and storage of that medium, a company's RTO must be considered; the shorter the RTO, the more accessible the primary backup medium should be. (Duplicate backups should always be stored off-site for maximum protection.)

Disk-based restoration systems provide a far shorter recovery window than tape media, as do remote backup services. If the primary backup is also kept off-site, which is often the case with tape, restoration time is even longer.

In the case of remote backups, restores can take place through a Web interface to any system without an agent installation, making it considerably less time-intensive than restorations requiring the retrieval of off-site media, which must be loaded onto a backup system after an agent is installed.
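The RTO/RPO reasoning above can be made concrete by scoring candidate backup strategies against both objectives. This is an added example, not code from the article or from E Solutions; the strategy names, backup intervals, restore times and the incident time are constructed assumptions, and "worst case" data loss is taken as one full backup interval (the failure hits just before the next scheduled backup).

```python
"""Check candidate backup strategies against a company's RTO and RPO (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupStrategy:
    name: str
    interval_h: float      # hours between recovery points; 0 models CDP (transactional)
    restore_time_h: float  # hours from "start restore" until the application is usable


def last_recovery_point(incident: datetime, interval_h: float) -> datetime:
    """Most recent completed backup before the incident, assuming backups run
    every interval_h hours starting at midnight. With CDP (interval 0) the
    recovery point is the moment of the incident itself."""
    if interval_h == 0:
        return incident
    day_start = incident.replace(hour=0, minute=0, second=0, microsecond=0)
    elapsed_h = (incident - day_start).total_seconds() / 3600
    completed = int(elapsed_h // interval_h)
    return day_start + timedelta(hours=completed * interval_h)


def evaluate(strategy: BackupStrategy, rto_h: float, rpo_h: float) -> dict:
    """Worst case for the RPO: a whole backup interval of data is lost."""
    worst_loss = strategy.interval_h
    return {
        "strategy": strategy.name,
        "worst_case_loss_h": worst_loss,
        "meets_rpo": worst_loss <= rpo_h,
        "restore_time_h": strategy.restore_time_h,
        "meets_rto": strategy.restore_time_h <= rto_h,
    }


def acceptable(strategies, rto_h: float, rpo_h: float) -> list:
    """Names of the strategies that satisfy both objectives, in input order."""
    results = (evaluate(s, rto_h, rpo_h) for s in strategies)
    return [r["strategy"] for r in results if r["meets_rto"] and r["meets_rpo"]]


# Constructed candidates (assumed figures, not from the article). The off-site
# tape restore time includes media retrieval, loading and agent installation.
CANDIDATES = [
    BackupStrategy("off-site tape, twice daily", 12, 24),
    BackupStrategy("local disk, nightly", 24, 1),
    BackupStrategy("remote snapshot service, every 15 min", 0.25, 2),
    BackupStrategy("continuous data protection", 0, 4),
]
INCIDENT = datetime(2006, 5, 1, 17, 33)  # constructed incident time

if __name__ == "__main__":
    RTO_H, RPO_H = 4, 6  # assumed objectives for the illustration
    for s in CANDIDATES:
        print(evaluate(s, RTO_H, RPO_H))
    print("acceptable:", acceptable(CANDIDATES, RTO_H, RPO_H))
    print("twice-daily backups restore to", last_recovery_point(INCIDENT, 12))
```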

Step Three: Bring It All Home

The third and final step is to use the information gathered in steps one and two to develop and implement a comprehensive set of security policies and procedures, which will ultimately drive the specifics on how and what technology is used.

Policies and procedures should take a number of things into consideration, starting with access. Users should be restricted to only those areas that pertain to their work functions, and firewalls need to be correctly installed and configured to prevent unauthorized access. In fact, it's a good idea to have a separate policy dealing with prevention issues, such as what systems are in place to prevent unauthorized access to CRM data.

Playing into access is auditing; a policy should be established that clearly defines how an organization will determine who has access to what information, and how it will identify when changes have been made to the system.

Complementing the auditing policy should be a procedure outlining how alerts are handled. Who should be notified when an attempted breach occurs or when data are lost, and what steps should be taken as a result?

Which leads us to monitoring: Whether it's done internally with software or outsourced, monitoring policies and systems should be implemented to detect when critical services or data are changed or made unavailable, or when there are anomalies in usage such as high volume on a Sunday afternoon when there is limited or no staff on the clock. While it may turn out not to be security related, it's important to know when any change in routine has taken place so it can be checked out.
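The "high volume on a Sunday afternoon" case can be turned into a simple detection rule: compare each unstaffed hour's activity with what a normal staffed hour looks like. This is an added example, not from the article; the staffing calendar, the CRM access-log format (ISO timestamp, user, action) and the log lines are constructed for illustration.

```python
"""Flag CRM usage that is out of place for the hour it occurs in (added example)."""
from datetime import datetime
from statistics import median

# Constructed staffing calendar: weekday (Mon=0) -> (first staffed hour, last hour + 1).
# Weekends are absent, so any hour on Saturday or Sunday counts as unstaffed.
STAFFED_HOURS = {day: (8, 18) for day in range(5)}


def is_staffed(ts: datetime) -> bool:
    window = STAFFED_HOURS.get(ts.weekday())
    return window is not None and window[0] <= ts.hour < window[1]


def parse(line: str):
    """Constructed log format: '<ISO timestamp>,<user>,<action>'."""
    ts, user, action = line.strip().split(",")
    return datetime.fromisoformat(ts), user, action


def find_anomalies(lines) -> list:
    """Unstaffed hours whose event count reaches the median volume of a staffed
    hour. Each alert carries the users seen, so the alert handler defined in
    the policy has something to check out. Oldest hour first."""
    by_hour = {}
    for line in lines:
        ts, user, _ = parse(line)
        by_hour.setdefault(ts.replace(minute=0, second=0), []).append(user)
    staffed_volumes = [len(u) for h, u in by_hour.items() if is_staffed(h)]
    baseline = median(staffed_volumes) if staffed_volumes else 0
    alerts = []
    for hour in sorted(by_hour):
        users = by_hour[hour]
        # max(..., 1): with no staffed history, any unstaffed activity is reported
        if not is_staffed(hour) and len(users) >= max(baseline, 1):
            alerts.append({"hour": hour.isoformat(), "events": len(users),
                           "staffed_median": baseline, "users": sorted(set(users))})
    return alerts


def _events(day: int, hour: int, n: int, user: str) -> list:
    """Build n constructed read events in May 2006 for one user in one hour."""
    return [f"2006-05-{day:02d}T{hour:02d}:{m:02d}:00,{user},read" for m in range(n)]


# Constructed sample: normal weekday traffic (1 and 2 May 2006 are Mon/Tue),
# then a burst of reads by one account on Sunday 7 May at 15:00.
SAMPLE_LOG = (_events(1, 9, 5, "alice") + _events(1, 10, 6, "bob")
              + _events(2, 14, 4, "carol")
              + _events(7, 15, 7, "svc_export") + _events(7, 16, 1, "dave"))

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG):
        print(alert)
```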

Finally, even the most ironclad policies and procedures in the world won't help if there's no way to recover data. Which brings us to data backups: It's critical to run regular backups that will meet the company's RTO and RPO, which, as noted above, play a key role in determining the type and frequency of backups and storage. Further, a policy should be in place that, in addition to the frequency of backups, dictates the "chain of command" for data recovery or restoration in the event of a loss or breach.

Ready And Willing, How About Able?

So, you've followed the steps; you've identified your threats, established your RTO and RPO and developed your security policies and procedures. Now it's time for the $14 million question: Can you keep your CRM data secure with your existing resources?

Just as vulnerabilities can be underestimated, so can a company's ability to effectively manage data security on its own. The risks are too high to ignore, so it's important to fully evaluate internal capabilities to ensure they are adequate for the task. Ask, and honestly answer, the hard questions, including:

* Do you have the technical expertise and sufficient manpower to implement and manage a security infrastructure that adequately protects your CRM data?

* Do you have the technology and expertise to meet RTO and RPO?

* Do you have an adequate budget to manage and maintain the currency of your security and attain RTO and RPO?

If you don't have the manpower, experience or budget to ensure data security, outsourcing is a viable option. Working with a qualified outsourcing partner provides not only expert implementation of security measures, but also ongoing updates and round-the-clock monitoring and management.

An outsourcing partner can also conduct overall and front-end data loss risk assessments and assist in the development and implementation of a sound data-classification policy and data handling procedures, as well as conduct ongoing audits to ensure continuous compliance.

However, it's important to hold any outsourcing provider to the same $14 million standard to which internal resources are held, which means conducting a comprehensive evaluation of technical expertise and experience. The key to any evaluation is the vendor's:

* Financial security and stability;

* Staffing levels and credentials;

* Expertise with the CRM application they'll be managing; and

* The security systems employed by the vendor to prevent unauthorized access and detect intrusions.

Finally, whether security is handled internally or outsourced, establishing truly effective policies and procedures involves more than just developing the documents; it is also critical to thoroughly test them, as well as audit and update them on a regular basis. Doing so will ensure your CRM data are receiving the highest level of protection warranted by the impact the information's loss could have on your business.

Ken Seitz is CIO of E Solutions Corporation (www.esnet.com), where he is responsible for overseeing availability, performance and security of E Solutions' network and customers, which range from global Fortune 100 firms to mid-sized and small businesses. Seitz also manages a team of IT experts who provide immediate support of internal and external needs, as well as data center facility management, service design and project management. He can be reached at kseitz@esnet.com or (813) 301-2600.


By Ken Seitz

E Solutions Corporation
COPYRIGHT 2006 Technology Marketing Corporation
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2006, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation: customer relationship management
Author: Seitz, Ken
Publication: Customer Interaction Solutions
Geographic Code: 1USA
Date: May 1, 2006
Words: 2060