When we are consulting with our clients about their CRM business practices, we are frequently asked how to protect valuable customer data from potentially being taken by employees when they leave.  It’s an important question and the solution is much more difficult than you may expect.  We have, however, found five best practices that are universal to all of our clients.  Some may surprise you.

CRM is about Collaboration

Before we get started with the five practices, it is important to remember why you’ve invested in a CRM system.  Many business people forget that one of the biggest benefits of a customer relationship management system is the ability that it gives your team to collaborate with one another.  You should keep this in mind as you map out your customer data protection strategy.  The more you tighten security, the less productive you will make your team.  Your efforts should focus on unleashing the full potential of your team – not on mitigating 100% of the risk of a breach.

Note that it is critical that the business teams, and not IT, take ownership of decisions around CRM security.  In most cases, when IT makes decisions about security, they must take the most risk-averse path.  If security is ever compromised in any form, it could cost them their jobs.  But if the business operates sub-optimally because of security, it is simply an annoyance.  In other words, IT groups generally have very little to gain by lessening security (even though it may greatly benefit the business), and almost everything to lose.  So not only should the business own the security requirements, but they should also document this ownership and their reason for making these decisions – don’t leave IT on the hook for a decision that the business team must make.

Practice 1: Secure the CRM Data Center

The first priority is to make sure that individuals outside of your organization can’t get access to your customer data.  This is done through a secure data center.  Managing your own data center can be costly, time-consuming and require significant ongoing maintenance.  In today’s world, however, you have the option of keeping your CRM (and other data) in the cloud.  All but the largest businesses would have a very hard time coming close to matching the level of security that is immediately available in a cloud-based CRM solution.

Keep in mind that the hardware and the configuration of the software, even if you are in a cloud environment, are only part of your security protocols.  Regardless of where you host your CRM, you will need to establish documented procedures for login protocols, password resets, employee exit processes, and physical access to server hardware.

Practice 2: Share as Much Customer Information as Possible

As you design the day-to-day access to CRM data for your team, keep in mind our opening premise that “CRM is About Collaboration.”  With that in mind, start with an assumption that everyone can access everything, and then map out the important restrictions by role, asking yourself, “What access should we take away that will have little to no impact on collaboration and productivity for team members in this role?”  This is where the business team should be deeply involved.  Our standard list of questions is long when going through this process, but here are a few critical questions that should be asked for each role:

  • Is there a legal or compliance reason why we must restrict access to some data?
  • Does this role need access to this form (or table) to do their job better?
  • Will this role need to frequently extract data from CRM, or sync it with another device, in order to do their job?
  • Is there a privacy concern for either our customers or our employees if this role has access to this information?

As you work on answering these questions, try to practice the KIS method (Keep It Simple).  Many businesses initially create complex security models in their CRM system that closely resemble their org chart.  In reality, however, most security requirements are much simpler.  A complex security model will create additional time and cost for maintenance and for onboarding and exiting team members.  Complex models will be particularly inefficient when your org chart changes.


Practice 3: Be Trustworthy and Hire Trustworthy People

This one may seem obvious, but it is not always as intuitive as it seems, and there is certainly a high degree of subjectivity involved.

Firstly, make it your goal to be a trustworthy employer and a place that people want to work.  Make this a part of your annual planning and always seek to improve in this area.  Do your best to remove the incentive for people to want to give less than their best to their workplace.

At the same time, actively work to target and retain trustworthy employees (which, in turn, will make your organization a great place to work).  Many organizations are anxious to enlist or retain high performers and have not developed good processes for identifying those who are at a high risk of damaging the organization.



A recent book that may help your leadership team think about both sides of this issue and that I highly recommend: Give and Take

Practice 4: Have an Employment Agreement that Protects Your Customer List

The purpose of an employment agreement in my view (and many attorneys may differ from me on this) is primarily to provide clear communication about expected employee behavior, and secondarily to provide legal protection to the organization if those expectations are not met.  With that in mind, not only should you have an employment agreement, but you should ideally take the time to review it with employees in the spirit of helping them to understand it.  In today’s diverse workplace, many people come from different cultures where ethical norms may not align with your business norms.  It’s important to help them to understand your specific standards so they have every opportunity to live within those.

In spite of your best efforts to protect data, hire good people, and be a great place to work, some will still feel entitled to take pieces of the company with them when they go.  So it is important that you be willing to aggressively enforce the agreement if necessary, in order to protect the company and everyone in it, in the event that the agreement is violated.

From here we could have a long philosophical discussion about what is appropriate and inappropriate to include in an employment agreement.  As an executive or business owner, you’ll need to search your soul and the soul of your company (and do research on legal precedent) to decide what is right.  But you owe it to everyone in your company to have a reasonable agreement, give them an opportunity to understand the agreement, and defend the organization if the agreement is violated.

Practice 5: Add Value and Own Customer Relationships

At the core of protecting your customers is building a great company that delivers unmatched value, and having multiple people involved in relationships with your customers.  People will work with the people that they trust, that are creating value for them and that they know.  If all of the first four practices fail you or are not in place, but you are doing an excellent job with this fifth practice, then you will be protecting your customer base.  And, if you are failing at this fifth practice, then working hard on the first four will only slow the process of losing your customers to more capable competitors.

Wrap Up

To summarize, it is hard work to protect your customer base.  Writing agreements and setting up data security routines are the easy part.  But it is much more difficult, and much more important, to be a great place to work and to deliver unmatched value to your customers.  Your CRM system and business practices should be playing a pivotal role in all five areas of protecting your customers.

For more information on C5 Insight or this blog entry, please Contact Us.