Securing Your CRM With Stronger User Policies

By: Mickey Baines, Principal

In case you missed the big enrollment technology news this week, The Chronicle and Inside Higher Ed both reported on the apparent hack into several institutions’ Technolutions Slate CRM. We want to offer some clarity on the issue at hand and provide some steps to limit your exposure to a similar incident.

First, it should be noted that this does not appear to be an actual hack into the Slate CRM. The issue was with the users’ institutional email accounts (staff members, not students). Based on the description offered in the articles listed above, a hacker used CRM users’ email addresses to request password resets, then followed the links embedded in the system-generated emails to set new passwords and log in to the system.

[Image: Protecting your higher education CRM against hackers]
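
The pattern described above (one source requesting password resets for many staff accounts in a short time) is easy to spot if the CRM or the mail gateway logs reset requests. The following is an added example, not code from the original post or from Technolutions or Salesforce: it runs a sliding-window check over a constructed sample log in an assumed format (ISO timestamp, event name, account, source IP) and flags any source IP that requested resets for several distinct accounts within a few minutes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Slate or Salesforce data). Assumed format:
# "<ISO timestamp> <event> <account> <source IP>", one event per line.
SAMPLE_LOG = """\
2023-03-01T09:00:01Z password_reset_requested a.jones@example.edu 203.0.113.7
2023-03-01T09:00:03Z password_reset_requested b.lee@example.edu 203.0.113.7
2023-03-01T09:00:04Z password_reset_requested c.diaz@example.edu 203.0.113.7
2023-03-01T09:00:06Z password_reset_requested d.khan@example.edu 203.0.113.7
2023-03-01T09:00:09Z password_reset_requested e.wong@example.edu 203.0.113.7
2023-03-01T09:30:00Z password_reset_requested f.ruiz@example.edu 198.51.100.12
2023-03-01T09:31:00Z password_reset_requested f.ruiz@example.edu 198.51.100.12
2023-03-01T10:15:00Z login_success g.park@example.edu 192.0.2.44
"""


def parse_events(text):
    """Parse the assumed whitespace-separated format into (time, event, account, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, account, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, account, ip))
    return events


def reset_bursts(events, window_minutes=10, min_accounts=3):
    """Flag source IPs that requested password resets for at least `min_accounts`
    distinct accounts inside any `window_minutes` sliding window.
    Returns {ip: most distinct accounts seen in a single window}."""
    by_ip = defaultdict(list)
    for ts, event, account, ip in events:
        if event == "password_reset_requested":
            by_ip[ip].append((ts, account))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for ip, requests in by_ip.items():
        requests.sort()  # oldest first
        start, best = 0, 0
        for end in range(len(requests)):
            # Move the left edge forward until the window spans at most `window`.
            while requests[end][0] - requests[start][0] > window:
                start += 1
            distinct = len({account for _, account in requests[start:end + 1]})
            best = max(best, distinct)
        if best >= min_accounts:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in reset_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT: {ip} requested resets for {count} distinct accounts within 10 minutes")
```

The repeated requests from 198.51.100.12 are for a single account and are not flagged; a user retrying a reset looks like that, while an attacker working through a staff directory looks like 203.0.113.7. Counting distinct accounts rather than raw requests is what separates the two.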

So, what can you do to help increase your security? There are several basic steps that together provide a significantly stronger layer of security. Here are a few recommendations:

  1. Enforce strict password guidelines for both email and CRM access (email is the password-reset channel, so anyone who controls a user’s mailbox can reset that user’s CRM password). Yes, this is a basic step, but each of the password recommendations below adds protection:
    • Are changed every 90 days
    • Are at least 15 characters long and include both letters and numbers
    • Include 3 of the following 4 attributes:
      • 1 uppercase character
      • 1 lowercase character
      • 1 numeral
      • 1 special character: ! # $ % - _ = + < > @ & *
      • NOTE: some systems allow you to enforce these criteria automatically
    • Cannot be one of your previous 3 passwords
    • Cannot contain your username, first name, or last name
  2. Deactivate users that no longer need to access the system.
  3. Adjust profiles and security settings so that users have access only to the minimum data required for their responsibilities. This ensures that if an account is compromised, the exposure is limited.
  4. Enable two-factor authentication so that logins and password resets require confirmation from a second device. For Salesforce users, note that this setting should be in place by default unless you have specifically turned it off; if you have, you should consider turning it back on.
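
Most CRMs let you switch the rules in step 1 on from the admin console, but it helps to see exactly what each rule accepts and rejects before you enable it for hundreds of staff. The following is an added example, not code from the original post or from any CRM vendor: a small validator that implements the password policy listed above (15-character minimum, letters and numbers, 3 of 4 character classes, no username or name, no reuse of the previous 3 passwords, 90-day expiry). The `UserRecord` class, the PBKDF2-based history store and the per-user salt are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Parameters taken from the policy in the list above.
MIN_LENGTH = 15
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 3                    # may not reuse any of the previous 3 passwords
SPECIAL = set("!#$%-_=+<>@&*")       # the special characters the policy lists


def _digest(password, salt):
    # Only digests are kept for the reuse check, never plaintext. PBKDF2 is used
    # here because it is in the standard library (an assumption for this example);
    # a real system would compare against its own verifier (bcrypt/scrypt/Argon2).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class UserRecord:
    """Assumed per-user record: identity fields the policy forbids in a password,
    one salt reused across that user's history so old digests stay comparable."""
    username: str
    first_name: str
    last_name: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)          # digests, oldest first
    last_changed: datetime = field(default_factory=datetime.now)


def password_expired(user, now=None):
    """True once the current password is older than MAX_AGE_DAYS."""
    now = now or datetime.now()
    return now - user.last_changed > timedelta(days=MAX_AGE_DAYS)


def policy_violations(user, candidate):
    """Return the list of policy rules a candidate password breaks (empty list = accepted)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_letter and has_digit):
        problems.append("must include both letters and numbers")
    classes = [
        any(c.isupper() for c in candidate),
        any(c.islower() for c in candidate),
        has_digit,
        any(c in SPECIAL for c in candidate),
    ]
    if sum(classes) < 3:
        problems.append("must include 3 of 4: uppercase, lowercase, numeral, special")
    lowered = candidate.lower()
    for label, value in (("username", user.username),
                         ("first name", user.first_name),
                         ("last name", user.last_name)):
        if value and value.lower() in lowered:
            problems.append(f"contains {label}")
    new_digest = _digest(candidate, user.salt)
    # Constant-time comparison against only the last HISTORY_DEPTH digests.
    if any(hmac.compare_digest(new_digest, old) for old in user.history[-HISTORY_DEPTH:]):
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return problems


def change_password(user, candidate, now=None):
    """Apply the policy; on success record the new digest and restart the 90-day clock."""
    problems = policy_violations(user, candidate)
    if problems:
        return False, problems
    user.history.append(_digest(candidate, user.salt))
    user.last_changed = now or datetime.now()
    return True, []


if __name__ == "__main__":
    user = UserRecord("jdoe", "Jane", "Doe")
    for attempt in ("jdoe-Secret-Phrase-2024", "Abc123!", "Correct-Horse-Battery-7"):
        ok, problems = change_password(user, attempt)
        print(attempt, "accepted" if ok else problems)
```

Note that the name check is a substring match on the lowercased candidate, so "jdoe" also trips the last-name rule through "doe"; that is the intended, conservative reading of "cannot contain". The reuse check slices only the last three digests, so a password rotated out four changes ago becomes acceptable again, which is exactly what the "previous 3 passwords" rule permits.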

If you are unsure where you or your institution stands in terms of these specific recommendations, or how secure your CRM is based on your current security protocols, you can inquire with us for assistance. For our active clients, we will be reviewing basic org security and providing client-specific recommendations.