It turns out that Home Depot was shockingly lax with the security around its customer data, according to a news report in the New York Times this weekend. How bad? Security workers at the retailer took to warning friends to use only cash when shopping at the store.
There didn't seem to be any one particular reason why Home Depot was so slow to make the changes it should have, but rather several factors combined with (as I imagine) a sense of being overwhelmed by the task ahead. No matter: Assuming the report is accurate, Home Depot's position is inexcusable. Retailers have been in the crosshairs of hackers for years now and it should have known.
Right now the headlines are focused on the cyber vulnerabilities of national retailers but another threat is looming -- one aimed specifically at CRM systems.
A few weeks ago, Salesforce notified its customers that the Dyre malware, which typically targets customers of large financial institutions, has been tweaked to target some Salesforce users as well.
This malware is not targeting a vulnerability within Salesforce's platform; rather, it resides on infected computer systems and steals user log-in credentials. Presumably, it can piggyback its way into a corporate system using any CRM application. And once it gains entrance, all sorts of low-hanging fruit await: Payment information, customer data, and possibly sensitive intellectual property of customers. There is also a wealth of knowledge about company relationships and who controls the purchasing power.
"Often CRM systems will keep the contact information of C-level personnel from other organizations that a company is doing business with," David Pack, director of LogRhythm Labs, says. Using this information, "a realistic-looking spear phishing e-mail can be crafted, turning this into a potential supply chain attack on other organizations that might not even be Salesforce users."
Scared now? Good. Here's what you can do about it.
CITEworld spoke with several security experts to see what steps a company could take to protect its CRM data specifically. We began with a few base assumptions, namely that the fundamentals were in place -- assume your security software isn't outdated, and the security team has access to all networks including customer data (both reported to be Home Depot's failings). We also assumed more advanced -- but still commonly cited -- protections are in place, such as two-factor authentication.
In other words, we asked what else companies can do to protect their CRM data. This is what we learned.
Understand the scope of your task
Or as Tom Cruise said in the first Mission Impossible movie, "relax, it's much worse than you are thinking."