Collection of customer data and using them in such a way that it makes a business more efficiently responsive to orders, customers etc, is the primary objective of customer resource management (CRM) applications. Let us look at what the collected data usually consists of.
Firstly, the data will consist of names, addresses etc, and other information which helps to identify the customer. Secondly, the data will consist of a customer’s order history as well as other transaction details. Thirdly, the data will include financial and payment information related to customers, as well as communications between businesses and customers.
Needless to say, this is very sensitive information, and can be used to cause a lot of harm if it falls into the hands of attackers. This harm goes far beyond mere data loss. Most people associate the term ‘data breach’ with financial information – this is because it is such attacks that regularly get featured in the news.
There are many famous data loss cases involving the payment information of customers. Usually the point-of-sales systems are targeted during such attacks, but even CRM data are also targeted. CRM data is seen as an attractive target because attackers know that payment records of customers are stored in most CRM systems. Therefore CRM implementations which are vulnerable are sought by attackers.
Obtaining a business’s customer list is also another objective behind attacks on CRM systems. Such information gives a lot of valuable information about a competitor – who they’re doing business with, what is being bought by customers, how much customers are paying etc. Such corporate espionage gives a competitive advantage to attackers. While approaching the customers of a victim, attackers can use this information to their advantage. In fact, attackers can gain more of an advantage by getting to know whether customers are having issues with a victim’s services, products etc.
Attackers can get valuable information regarding a victim’s weak spots by paying attention to customer service conversations. This information can be used in the manipulation of the customers of a victim. How the victim works can be understood by paying attention to their sales cycles, sales pipelines and other processes. This gives the attacker the knowledge necessary to have a great advantage in competition.
What makes CRM data very attractive targets for attackers is the fact that the knowledge gained can be used to attack customers – by getting information about a victim’s customers and the relationship between business and customer, attackers gain a weapon with which to attack these customers. This information can be used by attackers to pose as a point of contact and extract payments from customers. This information can also be used to acquire entry into a customer’s networks.
It is easy to see that protection of CRM data should be given top priority by companies. To promote sales, more and more companies are beginning to rely on CRM solutions – this makes CRM data even more attractive for attackers. Therefore, one must adopt whatever measures necessary to prevent one’s organization from becoming a victim.