Risk Assessment

IVK senior management met to discuss the risks associated with buying or leasing Salesforce. IVK's needs were identified to make sure that Salesforce fits the company's strategy now and to predict whether it will remain a good fit in the future.
     The benefits of leasing Salesforce included keeping the equipment up to date, predictable monthly expenses, no upfront costs, and a stronger competitive edge. The downside of leasing is that you pay more in the long run and you are obligated to keep paying even if you stop using the equipment. (Alexander, n.d.)
     There are also benefits to buying Salesforce. IVK decides what it needs and then buys it. IVK determines maintenance needs and fees. “Salesforce has its own maintenance schedule since runs on its own cloud server.  As a result, there are times that the application will not be accessible.” (Salesforce, n.d.) The equipment is deductible (Section 179 of the IRS code lets you deduct the full cost of newly purchased assets, such as computer equipment, in the first year). The downside is that the initial outlay for the needed equipment may be too much, tying up lines of credit. Most concerning is that eventually you are stuck with outdated equipment. (Alexander, n.d.)
     IVK chose to lease primarily because leasing is more beneficial for a small business: funds would not be tied up, and the lease would initially be for a short term, 3 to 5 years. Moreover, “Salesforce contains potential barriers to adoption. This means that even though Salesforce is cheap, the cost to integrate the application and redesigning their IT to incorporate it into a company is not the same as the cost of acquiring Salesforce. It is possible that the cost of integrating it can exceed the costs of the software itself.” (Salesforce, n.d.)


Even though Salesforce reports sound security protection, it is important for all companies, including IVK, to do their own security checks of the application before deciding to lease or purchase (Zbrzezny, 2015). For customers, extremely sensitive data such as social security numbers, credit card numbers, bank data, financial information, debit cards, driver’s licenses, addresses, phone numbers and personal family information can be at risk. Employees may also be at risk of privacy breaches if passwords are compromised: personal data, health information, direct deposit information, bank information, social security numbers, IRS information, 401(k) data, and data about family members could be accessed. Vendors may be at risk of having financial agreements breached, along with any other information about themselves and the company they represent. Employees, customers and even vendors could be vulnerable to identity theft. In a recent nationwide survey, 8.1 million Americans were victims of identity theft in 2010. (California Office of Privacy Protection, 2012) IVK’s own information, such as assets and financial data, is susceptible to attack. Likewise, IVK’s strategic plans, such as launching new initiatives, organizational development and reorganization, may be at risk. Companies such as Verizon now produce annual security reports and analyze breach data in statistical packages. IVK may want to consider doing the same.

Comparing the time it takes an attacker to compromise an organization with the time it takes an organization to discover a breach. Data graphed with the R package ggplot2. Credit: Verizon

Source: Machlis, S. (November 5, 2015) [online image] Retrieved from http://www.itworld.com/article/3002053/security/how-verizon-analyzes-security-breach-data-with-r.html?phint=newt%3Ditworld_today&phint=idg_eid%3Da54d15417f00c7d7aa03579950727423#tk.ITWNLE_nlt_today_2015-11-05


“A constant vigilance regarding security needs to be part of the individual skill set and a key component in your organization’s culture.” (Gallaugher, 2013, p.310) It has been reported that 1% of a company’s users represent 75% of the organization's cybersecurity risk. (Cloud Lock, n.d.) Potential security issues with Salesforce are threats from departing employees, threats from unsanctioned third-party apps, threats associated with change management, and threats from compromised accounts. “Half of employees who left or lost their jobs in the last 12 months kept confidential corporate data, according to a global survey from Symantec (Nasdaq: SYMC), and 40 percent plan to use it in their new jobs.” (Symantec, n.d.) Symantec also stated that employees transfer work documents to personal computers, tablets, smartphones or online file sharing applications, and that employees believe a software developer who develops source code for a company has some ownership in his or her work. (Symantec, n.d.) Furthermore, even current employees who have no ill intentions sometimes pose a threat to cyber security, as we see in Steve Prokesch’s article “I was a Cyber Threat to My Company: Are You?” in Harvard Business Review (2014).
       From a technical perspective, malware and viruses could be responsible for breaches. It has been reported that Salesforce experienced a breach secondary to an email sent to customers saying that Salesforce CRM was hacked. The email used the customer's name and business email address and provided instructions to download a PDF which included a malware payload (presumably a trojan). (Jeffrey, 2007) Salesforce reports using the Event Monitoring Application Program Interface (API) and Cloud Access Security Brokers (CASBs) to help companies quickly detect and respond to these threats. (Skyhigh, n.d.) Salesforce reports that it encrypts all data transmissions using an SSL 3.0/TLS 1.0 global step-up certificate from VeriSign, employs perimeter firewalls and edge routers to block unused transmission protocols, and uses internal firewalls to segregate traffic between the application and database tiers. (Schutz, 2015)


Previously, it was determined that the value benefits, both tangible and intangible, outweighed the costs. It was estimated that by using Salesforce, IVK could save $5,250,000 by reducing operating costs, reducing inventory costs, increasing staff productivity, improving lead-to-sale closure rates, increasing customer retention, and improving customer support. It has been reported that a security breach had occurred with Salesforce. (Jeffrey, 2007) Recently, Entrust reported that Salesforce released a statement saying that one of its security partners believed that the Dyre malware may be affecting some Salesforce users. (2014) Despite the concerns about security risks, it is still advantageous for IVK to lease Salesforce. The necessary security measures are in place with Salesforce. Salesforce reports that it is certified as compliant with some of the most rigorous, industry-accepted security, privacy, and reliability standards. It is certified and audited as a service provider to the ISO/IEC 27001:2005 standard (including ISO 27001), SAS 70 Type II (now SSAE No. 16), SysTrust, and the EU-US and Swiss-US Safe Harbor frameworks. Its customers can also use its cloud services to deliver solutions that comply with HIPAA, PCI DSS, and FISMA (moderate level). (Bobrowski, 2014)



References

Alexander, P. (n.d.) Should You Lease or Buy Your Tech Equipment? Find out which option is right for your business with this in-depth look into the pros and cons of each. Retrieved from http://www.entrepreneur.com/article/80230

Bobrowski, S. (n.d.) Protecting Your Data in the Cloud. Retrieved from 

Breach Involving Personal Information. Retrieved from   

Cloud Lock Cybersecurity Assessment, Uncover risk with no cost or commitment.
     http://go.cloudlock.com/product-security-assessment.html?utm_source=google&utm_medium=cpc&utm_campaign=Google%20Adwords%20-%20Salesforce&gclid=CMnh3cSm_sgCFU2RHwod34cE9w

Entrust.  Identity On: CRM Provider Salesforce Hit With Malware Attack    Retrieved from 

Gallaugher, J. (2013) Information Systems: A Manager’s Guide to Harnessing Technology.
     Washington, DC: Flat World Knowledge.

Jeffrey.  (October, 26, 2007) Salesforce.com Security Beached. Repeatedly Hacked.   Retrieved  
     from http://www.erpblogger.com/salesforce-hacked.htm

Machlis, S. (November 5, 2015) Comparing the time it takes an attacker to compromise an   
     organization with the time it takes an organization to discover a breach. Data graphed with 
     the R package ggplot2.   

Prokesch, Steve (August 20, 2014). I Was a Cyberthreat to My Company: Are You? Harvard Business Review.
     Retrieved from https://hbr.org/2014/08/i-was-a-cyberthreat-to-my-company-are-you/

Salesforce (n.d.)  Advantages/Disadvantages

Schutz, M. (2015) Data Security, The cloud, and Salesforce.com

Skyhigh Networks Inc. (n.d.) 5 Security Threats You Can Address Now, With Salesforce Event 
      Monitoring  +  CASB   Retrieved from  
      threats-you-can-address-now-with-salesforce-event-monitoring-casb/

Symantec (n.d.) Symantec Study Shows Employees Steal Corporate Data and Don’t Believe It’s Wrong. Retrieved from

Zbrzezny, B. (2015) Personal conversation with Senior Security Manager IT UPMC. 

9 comments:

  1. Excellent Blog!!! Such an interesting blog with clear vision, this will definitely help many technologies to make them update.

    Regards:
    Salesforce certification Training in Chennai
    Salesforce.com training in chennai

  3. Thanks for sharing nice piece of information about the risk assessment. Keep sharing more blogs of cyber security and cloud application.

  4. Value assessment is a process of evaluating the worth, significance, or importance of something. Things To Consider During Usage Of Free Internet It involves carefully considering the benefits, costs, and trade-offs associated with a particular action.
