5 things your salespeople should know about your company's data security

Your road warriors could be leaving a trail of customer data behind them

The sales department's performance is measured on revenue, not on data protection. So it's no surprise that salespeople focus on closing deals, not security holes. As a result, they sometimes sacrifice security for convenience. They log onto Wi-Fi hot spots in airports to work on presentations despite the risk of being hacked. They carry reams of information, some of it propriety, on their smart phones. They transfer deal details on USB drives. Although companies have done much to address the challenges of this frequently mobile population, there's still more work to do.

1. Be wary of unsecured connections

Salespeople have the tools to phone home from anywhere. Unfortunately, those connections aren't always secure. Even if a salesman is using his laptop at a Wi-Fi hot spot at the airport just to check sports scores, he could be putting a slew of sensitive information at risk.

IT's response: Mandate encryption and a connection to the corporate virtual private network. Peter Evans, director of marketing at IBM Internet Security Systems, says employees should always use a corporate VPN and encryption to ensure that hackers can't get in. Moreover, companies should automate the process for users so they have no excuse for trying to circumvent the rules.

2. Guard access to the CRM system

Customer relationship management systems give sales departments an efficient way to handle information. But Rena Mears, a partner in the security and privacy services unit at Deloitte & Touche, says it's often too easy for salespeople to access the system to enter, read or forward information. "You can have data proliferating in ways that you can't control," Mears says.

IT's response: Set policies governing access, and back them up with IT controls. Companies must establish who should have access to the CRM system and for what reasons, Mears says. IT should implement access controls, automated encryption and content-monitoring applications.

3. Keep a close eye on mobile devices

Mobile devices regularly go missing as a result of carelessness or theft. In fact, a 2005 study sponsored by data protection company Pointsec Mobile Technologies (now owned by Check Point Software Technologies) found that 85,619 mobile phones, 21,460 handhelds or pocket PCs, and 4,425 laptops were left in a Chicago cab company's vehicles in a six-month period.

IT's response: Deploy security applications to company-issued devices. Businesses should require salespeople to use only company-issued mobile devices that are equipped with automatic protections -- boot-up and screen passwords, as well as automatic encryption of data, e-mail and hard drives, says Jonathan Gossels, president and CEO of System Experts, an IT compliance and network security consultancy.

4. Cut the mobile phone chatter

People have a tendency to use their mobile phones to carry on public discussions of confidential matters, says Howard A. Schmidt, a security strategist at International Information Systems Security Certification Consortium, or (ISC)2, which offers the Certified Information Systems Security Professional certification. He remembers once hearing all of the details of a fellow traveler's business call at Dulles International Airport. "Everyone in the cabin could hear him," he says.

IT's response: Provide education. Awareness training is often enough to remind people to watch what they say and when. "We show [video of] people running their mouths really loud and ask, 'Is this you?'" says Schmidt, who has also served as the cybersecurity adviser to the White House and in security roles at eBay and Microsoft.

5. Curb access to all that information

Not everyone in the sales department has equal responsibilities. Why should they all have equal access to information? Companies often fail to ask that question, says Ed Zeitler, executive director of (ISC)2.

IT's response: Manage information access and reinforce that effort with technology. Sales managers, security personnel and IT workers should define who needs access to what information. Once that's done, IT should use access controls in databases and applications to ensure that only authorized individuals can get in. Moreover, that team of managers must update access controls when employees' responsibilities change.

More about: Check Point, Check Point Software, Check Point Software Technologies, Deloitte & Touche, eBay, IBM, International Information Systems Security Certification Consortium, Internet Security Systems, Microsoft, Point Software Technologies, Security Systems
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the Computerworld comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Whitepapers
Latest Stories
Community Comments
Whitepapers
All whitepapers
Sign up now to get free exclusive access to reports, research and invitation only events.
Featured Download
/downloads/product/16/amsn-messenger/

aMSN Messenger

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia