Find out how to identify assets, assess risks, mitigate residual risks, and implement backup and recovery options for Sybase Mobile Sales for SAP CRM.
Key Concept
Sybase Mobile Sales for SAP CRM offers a range of features for a mobile sales, service, or marketing professional. Sybase uses SAP NetWeaver technology for integration with mobile applications.
Working outside the office (and the LAN), which is guarded by firewalls and intrusion measures, can increase risks to the Sybase Mobile Sales for SAP CRM application. This risk is present whether the user has an iPhone or Windows Mobile phone or plans to use the upcoming BlackBerry version of Sybase Mobile Sales for SAP CRM.
On top of this, your organization’s mobile policies on risk mitigation may not be ideal. As a result, you need to establish a security policy based on the best practices of mitigating risk and recovery options at your organization for Sybase Mobile Sales for SAP CRM. You can accomplish this by setting up a risk assessment life cycle with five stages:
Step 1. Identify Assets
You need to find out what applications are on your users’ iPhone, Windows Mobile phone, or (in the near future) BlackBerry. You can do this by simply checking the icons for the applications on the home screen. When users click the icon for the Sybase Mobile Sales for SAP CRM application, they are prompted for a password. Entering the correct password takes users to the application’s home page, which is divided into two panels. The upper panel shows six icons: accounts, contacts, activities, leads, opportunities, and analytics. These are your users’ assets.
The lower panel displays two fields. The first field shows scheduled meetings. If the first field shows two meetings scheduled for the same slot, the user can obtain contact information for the coordinator for one of the meetings (from the contacts icon) and reschedule the meeting via phone or email. When the other party accepts the reschedule, the change is automatically updated in the meeting schedule field. The second field lets the user know when to prepare a presentation for the scheduled meeting.
Step 2. Identify Risks: Functions
As part of the process of identifying risks, you need to know some of the functions of the Sybase Mobile Sales for SAP CRM application. For each, I will also indicate possible risks.
Note
Many of the tips in this article focus on the iPhone, but similar functions are available on the version for Windows Mobile.
Accounts and Contacts
Accounts and contacts allow a sales representative to capture, monitor, and track critical information about prospects, customers, and partners. The representative can obtain the latest status of recent transactions and a transactional history of each account. Integration of the accounts and contacts into the native functionality of the device ensures instant triggering of emails, phone calls, and navigation directions to customer sites.
However, the risks with this integration include the following:
- Unsecured Wi-Fi hotspots can leave the device open to hackers if the VPN isn’t configured properly. Make sure you check users’ configuration and ensure that they disable the Wi-Fi option when they are not using it.
- Users may accidentally connect to an unsecured or suspect network if the phone is not configured to alert the user to available Wi-Fi connections. As a result, hackers can get information about your prospects, customers, and partners, as well as record transactions.
Leads and Opportunities
Leads and opportunities help a representative stay current on potential new business. When the SAP CRM system receives new leads and opportunities, it can instantly send an email to any phone’s inbox. When users click the email, they are prompted to enter the password to enter the Sybase Mobile Sales for SAP CRM application. You need to turn on the iPhone’s Passcode Lock to discourage hackers. If you forget to turn it on, people can more easily reach emails containing sensitive data. Access the Passcode Lock by tapping Settings > General > Passcode Lock > Passcode On to enable the feature. You can also set an auto-lock that locks the device when idle; you can set this to activate after between one and five minutes of inactivity.
Scheduling and Activities
With scheduling and activities, a user can quickly access, create, and change planned activities using a list function in the native calendar application. The user can find out more about the activities by logging emails and phone calls directly to the SAP CRM system from the device’s inbox application. All information is synchronized with the SAP CRM back end.
Here are some possible risks:
- The native calendar application is not password protected.
- Emails are not encrypted.
- The role of a user accessing and modifying planned activities was not specified in the organizational policy. For example, an individual’s role as a salesperson has different access permissions than an individual’s role as a CIO. The sales representative can access, modify, and schedule planned activities but does not have access to SAP CRM for more information on the activities like the CIO would.
Sales Orders and Analytics
With sales orders and analytics, a representative can access current information on sales orders and quotations to gain a comprehensive view of customers prior to a visit and to accurately position new products and offerings. Representatives can access business analytics data to review charts and key reports, such as pipeline analysis, top opportunities, and top sales orders, to prioritize their actions and achieve sales objectives.
Risks include:
Customization Capabilities
Organizations with proper user authentication and authorization can customize the Sybase Mobile Sales for SAP CRM application to meet the needs of their environment and business processes. The representative can generate reports by using canned filters or generate custom reports. Regulatory compliance on inclusion of sensitive data in report customization must be in place.
Risks include:
Step 3. Identify Risks: Technical
In addition to functions of the Sybase Mobile Sales for SAP CRM application, you need to know the technical issues with this application. I will present you with some common technical issues and their associated risks.
Phone Memory
Memory size in any cell phone, including the iPhone, is much smaller than the memory size for a laptop or a desktop. You risk your phone running out of memory while the mobile application is loading large amounts of data. One possible solution is to use one of the apps in the iTunes store that can help you free up memory on your iPhone.
Pending Subscription
A risk occurs when a subscription is in process at the same time a user is attempting to download data to the Mobile Sales application. However, the connection information indicates the subscription is pending. The risk is that the mobile application could stop working. Data that was downloaded would be lost.
Application Always Online
Often, once a user starts their Mobile Sales application, it is always online and connected to the SAP server. The application may consume memory over time if it continues to download data while in the always-online mode. To avoid this, you can either upgrade the iPhone’s memory by connecting it to iTunes or plan to go offline at scheduled times after you get the necessary data.
Connection Update
A user unsubscribes from the Mobile Sales application to update the connection information and then enters invalid connection information. When the user attempts to subscribe to the SAP system, the connection fails and remains in a pending state indefinitely.
Contact Update
Contacts need to be updated to change or delete an existing phone, mobile, or fax number and add new ones when the contact moves to a new location. When deleting or adding an SAP CRM contact’s phone, mobile, or fax number in the phone’s native contacts, the risk is that deletion or addition actions are not submitted properly to the SAP server.
Top Opportunities Report
Another issue is that a prospect name can be too long in the report. You might not be able to see the full screen in the Top Opportunities report. Zoom it until you can see the entire report. When you view it in landscape mode, the Edit button disappears. To edit it, return to portrait mode.
Step 4. Mitigate Risks
It’s extremely important to set up a policy on damaged, lost, or stolen mobile devices to protect sensitive and corporate information. You should set it up so the user has the ability to remotely perform actions from another mobile device, such as disabling the iPhone or wiping the data if an unauthorized user finds the phone and makes too many failed password attempts.
Organizations should include language in the policy to prevent employees from copying or distributing sensitive data. The policy should meet all compliance and legal obligations for using company-issued mobile devices.
If a user plans to use a personal mobile phone for Sybase Mobile Sales for SAP CRM, the user should inform the system administrator. The user can be registered in the SAP CRM system as the company-authorized user of that phone before the Mobile Sales application is added on the user’s phone.
Security Controls
Next, I’ll show you examples of security controls for the functions of the Sybase Mobile Sales for SAP CRM application. Note that many of the examples I use relate to the iPhone version but are applicable to other versions of Sybase Mobile Sales for SAP CRM as well.
Monitor Wi-Fi Connections
You or your users should enable the iPhone’s Ask to Join Network function. To enable it, tap the main iPhone Settings tab and then choose Wi-Fi. In the next screen, turn on Ask to Join Network by tapping the on/off button next to the option. This way you will never connect to an open Wi-Fi network without first being asked to confirm the connection. Alternatively, you can disable Wi-Fi when you do not want to use it. This reduces the chance of accidentally connecting to an unsecured or suspect network. If you use Wi-Fi, get a properly configured VPN to work over the Wi-Fi. Make sure Wi-Fi networks are secure using Wi-Fi Protected Access (WPA) or another wireless security protocol.
Enable Passcode Lock
To turn on Passcode Lock, click the main iPhone Settings icon. Tap General and then Passcode Lock. Enable the function by tapping Turn Passcode On. You will be prompted to enter a new password. Make sure you choose a password that hackers cannot easily guess. You should set the passcode prompt for immediate use by selecting Require Passcode and then setting the passcode prompt to Immediately. You should also disable Show SMS Preview. It’s not a good idea to enable it because the SMS preview function shows the first sentence of new text messages on screen even when you have not entered a passcode.
Roles and Directories
The organization allows a user of SAP Mobile Sales for SAP CRM access to resources on the corporate network based on the individual, their role, and organizational policy. Here are sample access questions for common related roles:
- Is the user a salesperson using the mobile application to access planned activities?
Protect Sensitive Data
Your organization must be able to monitor and update the Sybase Mobile Sales for SAP CRM application at any location with tools that provide secure access to the company network via a VPN client, as well as authenticated data and encryption. A policy on upgrading and patching the application must be enforced. Non-compliant mobile devices running Sybase Mobile Sales for SAP CRM should be disabled.
Some US states, including Massachusetts and Nevada, will soon require encryption on all mobile devices if they contain personal information. Companies must be able to retrieve data from mobile devices if the information is part of ongoing litigation.
Continuous Monitoring
Monitoring should be in place at all times to ensure compliance of all devices running Sybase Mobile Sales for SAP CRM. This includes flagging those that do not comply. Sensitive data must be strongly encrypted and locked down to prevent hackers or other threats from accessing it. Here are some examples of security controls as they pertain to technical issues with Sybase Mobile Sales for SAP CRM that I described earlier:
Step 5. Backup and Recovery Policy
A backup and recovery policy should be established for Sybase Mobile Sales for SAP CRM. It should specify what data is being stored, such as contacts, accounts, and other functions of the application. It should also specify the purpose of each data type. The policy should describe the backup schedule for each data type and what physical media is used to store the backup.
Next, consider what physical devices you want to store and perform all of the backups on. Indicate the locations of these devices (preferably at an offsite location). Then, determine how long the backups of each data type should be retained. Consider any contractual agreements that may contain specific requirements on retention.
You also need to specify how the backups are verified because frequently used backups can fail. Determine whether you want the backup software to verify the backups automatically or if you want an administrator to manually schedule backups. Finally, spell out the process for requesting restoration for SAP CRM data from backups and how the backups should be restored.
Judith M. Myerson
Judith M. Myerson is a systems architect and engineer and an SAP consultant. She is the author of the Enterprise System Integration, Second Edition, handbook, RFID in the Supply Chain: A Guide to Selection and Implementation, and several articles on enterprise-wide systems, database technologies, application development, SAP, RFID technologies, project management, risk management, and GRC.
You may contact the author at jmyerson@verizon.net.