Data security is more important than ever. The new rules imposed by the Australian government makes it important for companies to enhance their cyber security, but that shouldn’t be the only motive to protect customer data. Keeping a clean network, clean computers and personal devices, and not to mention clean desks, should be an organizational habit.

Brian has worked with various Australian organizations as a systems architect, building solutions that handle customer data. He knows a lot about data and these are key tips that he has prepared for us at CRM Strategy and we thought they’re worth sharing

In this article, Brian is going to go over two topics. First, HTML injections – he’s going to talk about how they work and what we need to be aware of, then he’s going to talk about general data security policies and conduct, that any organisation that handles any customer data (or any data of any sort) is advised to follow. That of course includes us, CRM strategy.

Let’s begin with the first topic, HTML Injections:

Brian Hobby: “An attacker would take advantage of a business or a reputation that has some sort of sign-up page that’s not authenticated.

And then send out emails and go fishing to a whole lot of people and say ‘your credit card is expired. Please click here to enter it’. And what they’ve done is they have set up a fake website, sign-up & credit card screen, and you’re capturing information.”

So Brian, how easily can those forms be exploited?

Brain continues to show me how easily a hacker can do this: “This is the lead capture form. You submit that says ‘thank you, refresh’. You now have a lead. Now I’m going to show you how this can be exploited:

So as a result of me adding the lead, I received an email & it has my name on it. That’s because there were merge fields on the email. So I’m now going to exploit these merge fields, and what I’m going to do is I’m going to replace what’s in there and also replace the entire rest of the email with whatever I want. I could be a program doing this and doing it thousands of times.”

So, what can we do about it?

“Well, there’s not really much you can do about it. This HTML form could be modified to do a little bit of cleaning, and the best thing to do would be to clean out the greater than, less than so and so that the tags don’t work (that’s more technical). So whatever content that they put in there would still appear in the email, but it would look stupid and the attacker would probably say ‘no, that’s not going to work’.

So we need to be mindful when working with customers, whenever we see they’ve got some sort of self-registration page or sign-up page without any authentication, that’s a potential for being exploited by using HTML injection.”

You need to make sure you clean the form.

Is it better not to have an auto response, not have a link in the auto response or not have any personal information that was submitted? 

Our team adds in: “if you don’t have an auto response, you’ve negated the issue, but you haven’t fixed it, but you’ve negated the effect. Or a generic auto-response that says, ‘Thank you for your email or something like that’.”

So Brian, can you talk to us about general policies we can adopt to enhance our security and use of information?

“One of the policies where we want to have is what I call clean network.”

We should have no customer data on our network wherever possible…

“The only time we should have customer data on our network is for the period of handling, for the initial loading of a database. Then once the database is handed over and put up into the production environment, we need to ensure that we remove all customer copies of customer data, including everything out of the backups.

You can think ‘we did this import for a customer, just in case there’s a problem with it. I’ll just hang onto the import’. Yes, that’s probably valid only for a couple of days. But we need to remove it, and if you don’t do it immediately, we will probably forget.

In terms of clean personal devices, we shouldn’t have any string of passwords that access customer systems on our personal devices. No little text files or cheat notes. The only thing you should use on our personal device to get access to customer systems is the built-in password stall that’s in the browser.

The other thing is we need to determine is where’s the best place to put certificates as we need to access many systems.”

The other policies are:

“Clean documents: when we make documents, videos design documents or anything of that sort, and we’re taking screenshots of systems, we are to never to use a screenshot of a live system with customer details. We shouldn’t send emails with screenshots of customer information unless it’s related to them & their particular roles.

Clean presentations: we shouldn’t do presentations in front of customers showing customer data unless it’s their own system.”

How do I send secure passwords?

“There’s a choice of two. You can either use a secure document in SharePoint or SMS. ‘Here’s where you got to go. The username is ‘this‘. I’ll text you the password’.

“I trust SharePoint enough that if you do a direct share with someone and then delete it when they’ve got it, then you’re all good.”

If you have a clean network, it is obvious that you don’t have to be so concerned about how secure your network is. But obviously that does not mean that you should not use a cyber security company to help you enforce some measures.

We are not a Cybersecurity Company, neither do we claim ourselves to be. For advice on Cybersecurity, contact trusted specialized entities.