A client of ours recently had a problem with security. Specifically, shoulder surfing. The office they used was co-leased with another company and they feared the employees of that other company could walk past and see important information on the screens of their workers. Knowing KPMG is a leader in this field they came to us for advice.
What is Shoulder Surfing?
Shoulder surfing is where someone stands behind you, while you use technology and they gain access to privileged information. The most common scenario, familiar to many of us, is at the ATM, making sure no one is watching as we enter our PIN.
According to Secure:
- 85% of those surveyed admitted to seeing sensitive information on screen that they were not authorised to see
- 82% admitted that it was possible information on their screens could have been viewed by unauthorised personnel
- 82% had little or no confidence that users in their organisation would protect their screen from being viewed by unauthorised people.
So the fears of the client were justified.
The main piece of software used by our client was Dynamics 365 (CRM) so I was brought in to assist.
Dynamics 365 (CRM) and Encryption
CRM has a comprehensive set of security options such as information encryption, field and record level security. However, there is little out of the box for screen-level security. In fact it is an area lacking in most modern applications. We had to think outside of the box.
The solution we came up with was comprehensive label encryption throughout the product. This way, if someone glanced over the shoulder of one of the workers they would not be able to determine what the information on screen referred to. The elegance of this solution is the fields are still transparent and editable, allowing the user to continue managing processes and entering data.
To ensure the users knew what fields were which and which entities were which, they went through computer user navigation training. This involved using an unencrypted system so the user could memorize where things were on the screen before using the production system.
How The System Looked
All levels of the system were encrypted. This is how the the navigation ribbon looked.
All entity labels were encrypted to prevent onlookers from gaining information on the browsing of the user. The users, having undergone their training, knew exactly where the entities they needed were. Similarly, views were encrypted to prevent wholesale data theft.
Even if a malcontent stood behind a productive user, with the entity, view name and column labels masked, they would be at a loss to gain useful information from the system.
We also encrypted the fields on the forms. However, we ran into a small problem due to the Social Pane.
While the Activities label took its cue from the entity encryption, the others could not easily be changed. I recommended the client move to the old Activity grid, as we used to have in previous versions of CRM, as this could be fully encrypted.
Even Advanced Find was protected from prying eyes.
Problems With Implementation
While the users took to the system without incident, the administrators had more difficulty. With the labels encrypted, it was hard to know which entities were which.
However, once the administrators were put through the same training as the users, the problem was resolved.
With the innovative encryption solution in place our client’s information was secure and with the intensive training, the users could navigate the system without issue.
As a gift to the community, I have also been given permission to release the source code for this solution to improve productivity and security for all CRM systems. If you are interested in implementing this “best practice” solution, you can obtain it here.