Secure CRM Data by Equipping Your Staff

Simon Adams

An organisation’s customer relationship management (CRM) system is at the centre of its business activities and serves as its main data set. For this reason, it is an extremely attractive proposition for hackers.

Businesses of any size are at risk from cyber criminals, so we can quickly dispel the common misconception that ‘we are too small to be hacked’. Firstly, a small organisation with limited security offers hackers a training opportunity; secondly, whilst there may be no obvious use for a small niche data set, if sold on the dark web it could be combined with other sources to show its true value.

So what quick steps can an organisation take to protect its data?

User Access

Setting up a robust access policy is essential, but it must be workable. Whilst setting up two-factor authentication would always be advised, the process will fail if staff do not have access to the second factor.

Also, enforcing a 14-character password with uppercase, numbers, and symbols becomes counterproductive if the password can’t be remembered and ends up being written on a Post-it note and pinned to the user’s desk. Setting a password expiration period is suggested, along with an organisation-wide password management tool, so that a user only has to remember one password. The CRM password can therefore be as complex as the organisation wants.

Configuring an IP range on the system, so that employees can only access it from a work network, should also be considered, along with limiting accounts to the organisation’s domain.

The organisation’s starters and leavers list should also be shared with relevant system holders to ensure access is revoked when an employee exits the organisation.
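
One way to check these access controls against an export of CRM accounts, as an added example rather than code from this article or from any CRM product. The domain, IP range, field names and sample records are constructed assumptions.

```python
import ipaddress

# Assumed policy values (constructed for this example).
ALLOWED_DOMAIN = "example.org"
WORK_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample data: CRM user export, HR leavers list, recent logins.
CRM_USERS = [
    {"email": "alice@example.org", "active": True},
    {"email": "bob@example.org", "active": True},
    {"email": "carol@example.org", "active": False},
    {"email": "contractor@gmail.example", "active": True},
]
LEAVERS = {"bob@example.org", "carol@example.org"}
LOGINS = [
    ("alice@example.org", "203.0.113.25"),
    ("alice@example.org", "198.51.100.7"),
    ("contractor@gmail.example", "203.0.113.40"),
]


def audit_access(users, leavers, logins, domain=ALLOWED_DOMAIN, networks=WORK_NETWORKS):
    """Return findings for the three access checks as sorted lists."""
    leavers = {e.lower() for e in leavers}
    active = [u["email"].lower() for u in users if u["active"]]
    findings = {
        # Leavers whose CRM account was never deactivated.
        "active_leavers": sorted(e for e in active if e in leavers),
        # Active accounts not on the organisation's domain.
        "outside_domain": sorted(
            e for e in active if e.rpartition("@")[2] != domain.lower()
        ),
        # Logins from addresses outside the configured work ranges.
        "off_network_logins": sorted(
            (email.lower(), ip)
            for email, ip in logins
            if not any(ipaddress.ip_address(ip) in net for net in networks)
        ),
    }
    return findings


if __name__ == "__main__":
    for check, hits in audit_access(CRM_USERS, LEAVERS, LOGINS).items():
        print(f"{check}: {hits}")
```

Run against a regular export, any entry under `active_leavers` is an account that should have been revoked when the employee left.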


We tackled staff users, but what about other systems or web applications that connect to your CRM?

The main system administrator should keep a log of the software accounts, regularly check that each one still needs access, and make sure there is a contact for each integration owner. If the main system owner isn’t the technical contact, then ensure that CRM system update emails are sent to a technical colleague who can then act where appropriate.

SSL technologies often change, so web applications that integrate with a system sometimes need tweaking. Make this review an annual check.

Data analysis can also take place outside of CRM using a data visualisation tool. It would be best practice to integrate systems rather than store Excel downloads of large data sets locally or on a shared drive. If you must do this, ensure you have made that store secure and discuss with the IT team.


Staff education is key. The biggest threat is phishing emails, where an imitation email is received pretending to be from a supplier. If a link is clicked, it could collect login information or install ransomware which could lock an organisation out of its own systems and data.

If an organisation’s domain is spoofed in phishing emails, then emails may be received which appear to be from other staff. A recent batch of these emails received by organisations requested internal money transfers.

In both instances, staff should be educated not to click links in emails that look suspicious and, if a money request comes from a colleague, to check with them by picking up the phone rather than replying to the email.

Finally, encourage staff not to leave their computers unlocked when they leave their desks. You could configure your CRM to lock out after 3 minutes of inactivity to avoid the possibility of tampering.



More about the author

Simon Adams Operations Director

Simon is responsible for the day to day running of the consultancy practice. Simon brings consultancy experience in leading the prioritisation and management of large change portfolios across IT, business and third-party suppliers. Simon is an excellent communicator, often involved in working with the executive teams, but is equally comfortable driving engagement at all levels. Simon’s passion at work is in driving change and the adoption of digital culture, tools, and ways of working. Having advised and led pre-sales due diligence and post-M&A integration, he brings first-hand experience of successfully creating a culture of high performance and engagement that is progressive in the adopted ways of working.
