Thanks for your comments.

“Westpac, nab, ANZ or CBA — all of which rely on password access alone”

Thats just not true. I dont know any of them that only have password security for business banking. Even most of their consumer accounts have extra security either applied as standard or as a recommended option. Consumer accounts also have transfer limits.

Stealing funds from a bank account is clearly a criminal offence and will involve swift police action however the theft of intellectual property is a lot more difficult to prove especially if the program does not have an access log to prove they had access to the database.

All of the programs nominated can improve on their security very easily. Unfortunately users see many security measures like this as more of an obstacle to overcome than a necessary business function. Web database providers have to rise above what the salesperson and administration staff want and install security that they know is necessary to protect the data that they are entrusted to keep.

Lets face it, they backup the data because they know its important.. they should also ensure that lock on the front gates is fit for purpose. Would you lockup a Ferrari dealership with a $5 lock you got from Woolworths?

That a real estate professional would require consider 2-factor authentication necessary for the CRM system, and then store all of their money at Westpac, nab, ANZ or CBA — all of which rely on password access alone — should speak volumes on this question. Is it perfect? No. Is it trusted by 99% of online banking customers in Australia? Yes.

The issue you have raised on password selection and management is very valid. Stupid passwords are not secure.

The fault with separate authentication devices is assuming that people can actually carry a little usb dongle and/or RSA chip for each password they have. I can see my key ring now.

(full disclosure: I work at realestate.com.au)

[Spyware, Viruses and Trogans are just as bad as for installed software as they can infect the local machine making it unusable.]

The difference is, should someone get your password with an installed software they have to break into your office to be able to use it. That’s an extra level of protection. The vast majority of security issues are based around online solutions. Banking, credit cards used on online shopping, website hacking etc etc..

Nothing is perfect, and online apps hold some great benefits… some of which you have pointed out, and the other one is cost. Online apps are cheaper to roll out, therefore they are cheaper for the end users.

Unfortunatley they have one or two Achilles heels, the main one being security. The other is speed, but with broadband availability this issue seems to be reducing every year, which coincides with more and more web apps. They can’t just put their head in the sand and say it is the client’s responsibility when they know the are custodian of such a valuable commodity and in the real world basic password security just does not work.

[current keyloggers, spyware, trogens and all of these are risks, of course webbased solutions are less secure than installed software]

Spyware, Viruses and Trogans are just as bad as for installed software as they can infect the local machine making it unusable. This effective puts a DOS attack on the agents machine meaning they can’t get access to the data and are unproductive.

[Re the ONE MAN show.. if they cannot secure it get another one man.]

The thing is how do you know that they are secure? Most small businesses blindly trust their IT person and don’t know the first thing about IT (They are experts in selling things like property and not computers.) I would still put far more trust in Salesforce.com than I would in local server security. You then have one main point of failure (the login process) as opposed to many points of failure (firewall, physical access, server passwords, user passwords, fire, theft, hardware failure…)

It’s a bit confusing with the two Glenn’s here (although he is Glen and I am Glenn), but I justed wanted to thank you for your contribution. The pdf on that link is a great read.

You said you have been in the IT industry for a long time. Are you currently in Real Estate or are you still in IT ?

The examples I offered were how somebody could get access without any advanced computer knowledge or hacking skills. As you suggested, tools like keyloggers and trojans make password security on these web apps appear more like an inconvenience rather than an effective security measure.

I am still interested in what you believe web apps like Hubonline and others can implement to effectively increase the agents security. I nominated a few but are there any other easy ones to implement that come to mind?

Another point aligned with the whole backup and disaster recovery issue is will the company who hosts your database be their tomorrow? Many of these web apps dont allow you to backup the database to your own computers. What if you come in to work tommorrow and try and login and the website is gone?

The security of your data lies with these providers and agents need to make sure that the will be their for the next 1, 5 or 10 years that they expect to operate the database. This is where companies like Hubonline now that they are owned by the REA group will shine over other smaller operators. Everyone starts out small, even REA was started in a garage, but these smaller startups come with a higher risk that you should be aware of because the best database in the world is useless if it disappears overnight.

Web apps provide a fantastic and cost effective alternative. Hubonline is a good solution that will suit the vast majority of offices and if they fix some issues it will make a good solution a great one. This however only highlights the importance to get the security issues right. I would go so far as to say it is their responsibility, their duty. Most agents would not have a clue. In fact most agents see the security as an obstacle… till the day they need it.

Glenn, you said ;
snip[ would disagree that web based solutions are less secure than installed software. ]

Check the link provided. If you read the PDF on this site and pages 53-56 on just the current keyloggers, spyware, trogens and all of these are risks, of course webbased solutions are less secure than installed software.. not mentioned slower and have less features in most cases.
–
snip[ The security in most small businesses is far worse than a properly managed web service. Would you rather trust a one-man band IT service company to properly secure your data or Salesforce.com? ]

Salesforce is still a web app and has all the vulnerabilities shown in this security review. Re the ONE MAN show.. if they cannot secure it get another one man. Seriously if clients what the best security they need a managed firewall approach, it is the only secure way to go in the internet age.

Remember the big problem is password access and changing them regularly. I know clients who have left one office and gone to another can still login into their account weeks after they have left.

An interesting legal point when we had a detective at our offices invited by us and the client where fraud had taken place. As the agent could not prove that he had a system of issueing and changing passwords, and therefore anybody could have had access, including the IT person.. any body could have done it. Even though there was only one person did the job, the money was missing, the transaction were dodgy.. the police would not formally charge the person.
Therefore webbased solutions you would need to change passwords every 30 days, keep a log and control all employees. OK how many offices are out their doing this ?
Also it is such a simply task to got to Google find a logger or password finder and run it on a system you want info from.

Agents need to realise they are sending their data in clear text across the web to a site. This means vendors phone numbers, address details and even price paid. Yes it is happening every day. Most times the password and user name is in clear text as well. Technically every new sales person or support person you give access to the system, and you know the staff turnover is high can go home and download all the data they like and the agent is oblivious to it.
–
snip[ How many small businesses do you think have a bullet-proof backup system and secure servers? ]

You hope the hosting company has this covered and they do not have a major staff issue which happened recently and a staff member wiped all the data because they saw a job add and thought the boss was adevertising their job. Of course after the incident they were.

I have talked about access security not backup and disaster recovery. That is another issue entirely, and as you point out that is one of the strong points for web based (or internet based) software.

That benefit though does not just erase the need for access security. Web based solutions are certainly here to stay, but there is no way they are more secure that an office based solution. In that case you have several levels of security including phsyical security to bypass.

The security risks for Web based solutions can be made acceptable… but just using password security is fraught with danger. Just look what has happened with Internet banking and all the fraud and phishing that goes on. The banks have now added tokens, captcha’s and sms login numbers to their security arsenal because simple username passwords were so open to abuse.

We have outsourced payroll and a bunch of other sensitive data to third parties so why not CRM? If you are that worried about security then use the SecureID cards and 2 factor authentication. It does work.

The benefits of web based solutions far outweigh any disadvantages. The future is the web.

Thanks so much for taking the time to write up your review of the new HubOnline. We are all really excited about it so we appreciate your interest. If any business2.com.au readers have any questions about it, they can contact me by email at

eddie.cetin@hubonline.com.au

I’d be happy to chat.

I have to agree with you 100% when you say they should have always been looking at security. Relying strictly on password security is simply asking for trouble.

With web based solutions like Hubonline its probably impossible to tighten security to where it should be however I personally believe that they should have a far better security in place than they do have. They know that password security does not work. You just have to look at the banks experience with that and with offices the threat is most often from within than the outside.

Obviously they could offer tokens and USB dongles which allow principals to physically repossess the units to cause a lockout no matter what passwords they have but can you suggest of any others that they might be able to integrate to make their web solution more secure?

Multiarray had the extra layer of security by using a client software even though it accessed an internet hosted database. By limiting access to the actual client software itself then staff could not install it on whatever computer they liked. Whilst this is better I still suggested more including authentication by the client software to the server before it was allowed to proceed with the session. This meant that should a salesperson leave with a copy on his laptop the principal can still lock him out by removing his individual installation authentication. Should a staff member get access to the client installation files, without an authentication code the program is useless. They are still to implement something like this but I believe it is in the planning.