The sales department's performance is measured on revenue, not on data protection. So it's no surprise that salespeople focus on closing deals, not security holes. As a result, they sometimes sacrifice security for convenience. They log onto Wi-Fi hot spots in airports to work on presentations despite the risk of being hacked. They carry reams of information, some of it propriety, on their smart phones. They transfer deal details on USB drives. Although companies have done much to address the challenges of this frequently mobile population, there's still more work to do.
1. Be wary of unsecured connections
Salespeople have the tools to phone home from anywhere. Unfortunately, those connections aren't always secure. Even if a salesman is using his laptop at a Wi-Fi hot spot at the airport just to check sports scores, he could be putting a slew of sensitive information at risk.
IT's response: Mandate encryption and a connection to the corporate virtual private network. Peter Evans, director of marketing at IBM Internet Security Systems, says employees should always use a corporate VPN and encryption to ensure that hackers can't get in. Moreover, companies should automate the process for users so they have no excuse for trying to circumvent the rules.
2. Guard access to the CRM system
Customer relationship management systems give sales departments an efficient way to handle information. But Rena Mears, a partner in the security and privacy services unit at Deloitte & Touche, says it's often too easy for salespeople to access the system to enter, read or forward information. "You can have data proliferating in ways that you can't control," Mears says.
IT's response: Set policies governing access, and back them up with IT controls. Companies must establish who should have access to the CRM system and for what reasons, Mears says. IT should implement access controls, automated encryption and content-monitoring applications.
3. Keep a close eye on mobile devices
Mobile devices regularly go missing as a result of carelessness or theft. In fact, a 2005 study sponsored by data protection company Pointsec Mobile Technologies (now owned by Check Point Software Technologies) found that 85,619 mobile phones, 21,460 handhelds or pocket PCs, and 4,425 laptops were left in a Chicago cab company's vehicles in a six-month period.
IT's response: Deploy security applications to company-issued devices. Businesses should require salespeople to use only company-issued mobile devices that are equipped with automatic protections -- boot-up and screen passwords, as well as automatic encryption of data, e-mail and hard drives, says Jonathan Gossels, president and CEO of System Experts, an IT compliance and network security consultancy.
4. Cut the mobile phone chatter
People have a tendency to use their mobile phones to carry on public discussions of confidential matters, says Howard A. Schmidt, a security strategist at International Information Systems Security Certification Consortium, or (ISC)2, which offers the Certified Information Systems Security Professional certification. He remembers once hearing all of the details of a fellow traveler's business call at Dulles International Airport. "Everyone in the cabin could hear him," he says.
IT's response: Provide education. Awareness training is often enough to remind people to watch what they say and when. "We show [video of] people running their mouths really loud and ask, 'Is this you?'" says Schmidt, who has also served as the cybersecurity adviser to the White House and in security roles at eBay and Microsoft.
5. Curb access to all that information
Not everyone in the sales department has equal responsibilities. Why should they all have equal access to information? Companies often fail to ask that question, says Ed Zeitler, executive director of (ISC)2.
IT's response: Manage information access and reinforce that effort with technology. Sales managers, security personnel and IT workers should define who needs access to what information. Once that's done, IT should use access controls in databases and applications to ensure that only authorized individuals can get in. Moreover, that team of managers must update access controls when employees' responsibilities change.