Getting Your CRM Security Aligned

22 Jun 2020

CRM Security is a vast topic but it is also one that needs to be addressed. This might seem quite daunting so in today’s blog post we are going to break it down into manageable chunks.

Security online works both ways too. If you leave something too easy to access, then you are inviting nefarious activity. For obvious reasons you have a password for your email account, and you don’t share that with anyone, least of all strangers. We’ve read countless articles outlining the importance of secure passwords too. But if you come up with security solutions that are overly complicated, it becomes a hindrance.

CRM Security is about finding a balance that lets your team go about their day to day safe in the knowledge that appropriate security levels are in place. For this post I’d like to break this into three definite areas: People, Data, and System. 

The People aspect should be self-explanatory but more on that shortly. Data is the information you enter, and the System is the architecture that contains the information in a logical fashion.

Let’s Go Shopping

To illustrate the story, I’m going to reinvent your software as a department store and consider the CRM security that will need implementing in that environment.

My department store has those same three attributes that your CRM system has:

1. The People are your stakeholder groups: management, members of staff and customers. 
2. The data is all the information you store. Customer details, product inventory, supplier details and that kind of thing.
3. The System is your physical buildings – ranging from the locks on the doors, the shop itself, the storage-rooms and offices. 

We’re now going to look at how my different stakeholder groups interact with the department store. We can then see how that be compared to the CRM security measures and permissions you need to think about.

Your Customers

When the shop is open, browsers can come in and look around. They can see the goods, and the prices. Some higher value goods are probably not on direct display but require a member of staff to unlock a cabinet to show the client. You could consider this person to be someone with greater security privileges.  Physically they can come and go in your shop during your opening hours, but they cannot go beyond that customer-facing zone. They can also visit the website and online store and log questions via email or social media.

If we apply that scenario to a CRM, the CRM security measures are pretty simple. The general public doesn’t possess the information required to log into your system. They can only see the data that you have marked as being customer-facing – for example on a portal. Customers can also log into that portal to view their sales history, and to log tickets with your customer support team. Quite similar to what some shops offer with their loyalty programmes. Data visibility is restricted to their own information, they cannot see information relating to other clients. Regarding the system architecture, they have a very limited access to your system. Most of the modules are off-limits, and functionality available is very restricted.

Standard Users

Let’s say your front-of-house staff all have an ID that lets them into the building. This is like the username and password your team uses to get to their account in the CRM. As well as walking round the customer-facing areas, your staff can also go behind the counters, into the warehouse and other places off-limits to clients. They can log into computers to process sales, check stock alerts, give discounts, create new loyalty customers and that kind of thing.

Let’s look at this in CRM terms. These members of staff can log into the system. If you have a heightened security awareness, you might want to implement Multi-Factor Authentication on top of the usual username and password to enable access.

Once logged in, they can view customer details, to input or update records. They can log sales on the system, and you might even set their accounts up so they can apply discounts, within reason. But they cannot edit your product data itself which could mess with your ordering processes, and they cannot see or alter your buy prices either.

In terms of system architecture, depending on their log-in, they will have access to different areas of the system. Sales staff will not need to see the Helpdesk area that the Support department use. None of them can see Personnel data, apart from perhaps their own record, to enable them to manage their holiday allowance.

Line Managers

Your management team will need to know everything happening on the shop regarding the sales team – that’s where line managers come into play. This is an important role as it involves explaining to the sales team how they put the corporate vision into practise. As per that stakeholder group, they can access the shop front, warehouse, canteen, staff parking and so on. They tend to spend their time in the offices upstairs, rather than in the customer-facing areas.

Managers need access to different areas of the system than your sales staff. If we flip this to OpenCRM speak – your managers can access and create activities for all the members of their team (working out staffing rotas for example). For this they need a comprehensive overview of the personnel data.

Both in terms of data and overall module accessibility the managers have far more access than the sales team. A different role in the business means physical admittance to more places, and also increased data access.

Inventory Managers and CRM Security

You have a team that look after what’s on the shelves. The inventory managers will decide what to buy in, inputting details from the suppliers, and setting sell prices.

These are your data admins. They will be permanently updating product lists, altering buy prices, inputting supplier details and that kind of thing. They will also update the system itself but carrying out actions such as modifying picklists and adding custom fields. This will require a profile with quite a different set-up to the previous stakeholder groups we have considered. They are less concerned with customer or personnel data, so access to those modules can be restricted.

Senior Management

You need to have a person or team with an overview of everything that is going on. Whether it’s reviewing sales and performances, keeping tabs on finance, and basically overseeing the business plan. They also have the keys to the board room, and the company safe. Information-wise, they have access to the sensitive information that is for management eyes only. 

In your CRM security considerations, these are the system/ super admins. They have access to all data and all configuration. If anything needs altering, they can be on there right away. If a staff member needs locking out of the system, or adding in, they can do that. There may be sensitive information that no-one else should see. Once again, using permissions at module and field-level mean you can streamline the system to ensure the right people have access to the right information.

Your Business and CRM Organisational Structure

As you can see, there are likely to be parallels in how the hierarchy in your organisation needs to be reflected in your CRM set-up. There is quite a lot to think about when setting this up, as that CRM security model needs to offer the appropriate level of safety without compromising on usability. As you are likely to have a remote workforce also using and interacting with the system, it is important to get your permissions model in place when setting up your CRM.