With more and more cloud-hosted SaaS platforms available, it is important to understand your role in keeping the data you hold on those platforms safe and secure.
We sat down with Simpro’s technology leaders to discuss what our user community should be doing to keep customer data secure in Simpro, protect their business and safeguard valuable information.
Why should you care about data security and protecting your customer and employee information?
There are many reasons to prioritize data security. Legally, business owners have a duty of care to keep the data we hold secure, or face potential fines and lawsuits. From a business standpoint, protecting the information you hold about your customers and employees from potential hacks or data leaks will safeguard your business from bad press, loss of trust, angry clients and significant customer churn. But more humanely, you will save them and yourself from the emotional, mental and physical distress of personal and sensitive information being compromised.
Wayne Barelds, Vice President of Product, Simpro:
Data security helps protect our customers and their customers from financial loss. If you don’t have the proper security in place, you could lose your customers’ trust, ruin your brand and business reputation, and be liable for data loss. It's serious business.
Identity theft is something we hear about almost daily now. With so much activity online every second, it's no wonder that hundreds of millions of people last year experienced some kind of data breach which led to compromised emails, fraudulent activity on bank and credit accounts, and use of social media and applications for malicious activity. This has repercussions for customers, their customers, relationships and families.
Vaughan Mckillop, Co-Founder and Technical Product Manager, Simpro:
It's all about safety. If someone gets access to your data, they can use it in a malicious way. As a business you care about your customers. They’ve provided you with information and use your services to get their jobs done. They trust you to look after them and the information you hold about them. As a consumer, I want to make sure that I work with businesses that take care of my data.
With the recent spate of attacks on businesses making headlines daily, now more than ever, individuals will be looking even closer at the companies they work with and the businesses they buy goods and services from to ensure good data protection policies are in place.
What is the best way businesses can protect customer data?
David Peters, Client Services Manager, Simpro:
It’s critical that businesses take a good look at their operations and place importance on not having a security breach. To prevent this they need to have policies in place, and more importantly need to adhere to them.
The data breach could come from an external actor, but could very well be from someone internal to your business. For example, you may have a disgruntled employee exiting your business who seeks to take with them classified company or customer information. Take a good look at the policies you have in place to promptly remove their access and ensure your systems are kept up to date, and that might be another policy you put in place.
Ensure 2-factor authentication is used on all Simpro account licenses. This added layer of security uses another device to authenticate that it's you personally who is accessing the system. Should an actor try to gain access using your username and password and without access to your nominated device, they won’t be able to get in.
Implement a strong password policy that requires employees to change these every 3 months. Strong passwords contain a longer phrase comprised of letters, numbers and characters. Policies should clearly state that passwords should never be written down. We recommend using a product that stores passwords securely for you; for example, Google passwords.
Only hold the data you need, making it difficult and less attractive for people to attempt to take the data out of your system. If you are using Simpro, you will want to make sure the security permissions you have set are applicable to the types of roles in your business. Only display the information that is needed for people to perform their role. The access permissions set for each role type allow you to only pick the important information that the individual needs to see, limiting the risk of overexposure.
Daniel Sanders, Software Architect, Simpro:
An audit of responsibility will enable you to ensure your users are operating the system as it is intended; that includes how and where they are storing data. Be sure to look outside the prescribed data fields; custom fields and notes are often a culprit for storing personal or sensitive information. If you see financial (credit card) or personal information in these fields, a big red flag should be waved. That type of data should not be held in Simpro, but rather should be kept in relevant, certified systems that are purpose-built for this information. Consequently, keeping this data may open our customers up to a world of pain should they find themselves exposed due to a breach.
What customer and employee data should we be holding and for how long?
It’s not often the easiest question to answer, but simply put, the information you retain should be considered important and critical for your business operations. Simpro users should be asking themselves if the data is necessary. In quite a number of cases, we need to hold on to data for warranty, compliance or certification purposes.
You also need to consider regionally what is required and what is best practice to protect customer data. If you operate in a region bound by GDPR, you must only keep the data you need, for the time you require it. And that relates to all customer and personnel data. You may have legal or tax requirements that require you to hold your data for a length of time. We recommend you meet your business requirements, but when capturing new information, only ask for and retain what you actually need. That way, if there was a leak as a result of a security breach and information was lost, risk would be minimized.
Consider the systems you are using and make sure the data you keep is in the right place. For example, employee data including wages and other personal information should sit in your accounting or payroll platform.
It is important that you put in place a policy and procedure with regard to who needs to retain access to your stored data in your Simpro platform, when data should be archived, who needs access to that archive and for how long. It’s good to note that data can be obfuscated, which means it can be made unintelligible, but accessible should you need to resurface the information for legal reasons.
Is my data safe using an integration with Simpro?
The certified partners who integrate with our Simpro platforms have gone through a rigorous security testing process. But if you are using an integration that accesses our open API and is not from a certified partner, we strongly suggest you be more curious about their access to your data, and what particular data they will be calling on. Do you trust the source of the third-party application you are using? Is it a reputable brand or provider? How necessary is that application, and what are its benefits? Be curious about how they are storing data, where it is stored, and how long the data will be kept in the third-party application. If the data is just transiting through the application, great! If the third party is keeping a copy, then you could be at risk.
Whenever you allow another provider to access your Simpro data through the open API, you are effectively giving them the keys to your information. You and the third-party system will bear the responsibility for any breach or loss of information that occurs. Therefore, you should understand the level of access they are gaining and set up procedures and security policies around managing software integrations.
There is no time like the present to conduct an audit of your data management in Simpro. Identify the roles the people in your company hold, what permissions they have, and what access they have to customer and employee data. Ensuring you have a data security policy and procedure in place will help you and your team adhere to the guidelines you have set and safeguard your business from any potential risk or data loss.
For more information on how you can keep your data safe, view 5 Steps to Safeguarding Your Data in Simpro