How to Secure HubSpot - A Guide
In today’s world, most people are aware of the importance of keeping data secure and protected. Whether it’s companies or individual users, everyone has to be aware of cyber threats.
Although many companies take steps to protect their own data, many are less vigilant when it comes to sharing their data with third parties, notably with CRM platforms. HubSpot’s data breach incident in March 2022 highlighted, however, the vital importance for all parties handling data to be secure.
This article will go through the steps HubSpot, a popular CRM platform, has taken to ensure all its customers’ data remain safe since its security incident. Also, we will recommend some steps you can take to make sure that your company data remains safe when hosting domains on HubSpot.
What is HubSpot?
HubSpot is a cloud-based CRM (customer relationship management) platform. A CRM platform enables businesses to easily manage customer interactions by analysing large quantities of customer data.
HubSpot provides businesses with the tools and resources to connect their marketing, sales, and customer service teams. With a CRM platform, a business can thus avoid data silos and gain a clear picture of all its data.
What are the security implications of using a CRM platform?
Although CRM platforms offer valuable tools to businesses, they represent potential security risks as valuable customer data is stored online.
Indeed, as shown by the recent Salesforce scandal, CRM platforms can be hacked to access private customer data. A security breach can harm a company in the following ways:
- Direct costs: a data breach can cause direct financial harm to a company, which may have to suspend its operations, pay fines, invest in more secure systems, or settle lawsuits;
- Indirect costs: data breaches can also cause reputational damage to a company, potentially leading to customer churn and employee turnover.
Is HubSpot safe?
In March 2022, HubSpot was hacked, and data from 30 companies was exported. Attackers compromised an employee's account and thereby gained access to HubSpot's customer data. They were targeting cryptocurrency companies, such as Circle and Swan Bitcoin.
Fortunately, the breach did not affect the operations or treasuries of the companies involved. Instead, it was customer marketing data that was accessed, which put customers at risk of receiving malicious emails disguised as official emails from those companies.
HubSpot responded very quickly: it notified all businesses targeted by the attack, terminated access for the compromised employee account, and changed its internal protocol so that employees could no longer take certain actions in customer accounts.
HubSpot’s reaction to the data breach was impressive, as the quick response time and proactive change in policy helped to maintain the company’s reputation.
This incident was a clear sign of the importance of cybersecurity at all levels. Indeed, data security was shown to be only as strong as the weakest link in the system. It is thus imperative that all parties handling data are secure, even third-party CRM platforms.
We will go through the steps HubSpot has taken to ensure the data they handle is secure.
The key elements in HubSpot’s security program
So as to avoid any further data breach, HubSpot remains extremely vigilant about data security. Here are some of the key elements of HubSpot's security program:
Data is encrypted in transit and at rest
It is essential that data remains secure whether it is stored on a device or travelling from one network to another.
Data in transit is data being transferred from one device to another, from one network to another, or from a storage device to cloud storage. In each case, the data is exposed while it moves, so every transfer carries a security risk.
Data at rest is data that stays on a device's storage. Data at rest is generally considered less exposed to attack, since an attacker first needs access to the storage itself. Nevertheless, data at rest can still be breached.
At HubSpot, both data at rest and data in transit are encrypted. This ensures that data remains secure at all times.
Data in transit is encrypted with TLS (Transport Layer Security) version 1.2 or 1.3, the latter being the current version. TLS is a cryptographic protocol designed to provide confidentiality and integrity for communications over the Internet.
HubSpot uses TLS encryption for all sensitive interactions with HubSpot products, such as API calls and authenticated sessions. TLS encrypts all data in transit.
Also, the certificate keys used to set up TLS sessions are at least 2,048 bits, so the key exchange cannot feasibly be broken by brute force.
For people hosting their websites on HubSpot’s platform, TLS is the default encryption protocol. This ensures that the data on your domain remains secure.
HubSpot also uses other technologies to protect data. Platform data is stored encrypted with AES-256. All user passwords are hashed according to current industry best practice, and the hashes are encrypted at rest.
Finally, there are features to ensure that emails are encrypted both at rest and in transit.
Penetration testing is performed regularly
HubSpot regularly monitors the performance of its security measures, performing both frequent vulnerability scans and penetration tests.
Every day, vulnerability scans check HubSpot’s network for exploitable vulnerabilities. It is essential that these “soft spots” are detected as soon as possible, so that the system remains secure.
HubSpot performs these continually running scans by using adaptive scanning inclusion lists and by frequently updating vulnerability detection signatures to stay on top of security threats.
With these constant scans, HubSpot can ensure that vulnerabilities in the system are quickly spotted and thus rapidly resolved.
Every year, HubSpot brings in industry-recognised third parties to perform penetration tests. These tests expose potential flaws in a security system by attempting to break into it.
The third parties will write reports that will list flaws that present potential security risks. With these reports, HubSpot can rapidly address any security issues in its system.
Penetration tests, or pentests, are performed against the application and network layers of HubSpot's technology stack.
Another measure for detecting security flaws is a bug bounty program. Such programs invite independent security researchers to test HubSpot's systems; anyone who finds a flaw is financially compensated.
Security measures comply with data protection regulation
In the last few years, there has been increasing regulation to ensure that data is handled and shared safely and ethically.
The most impactful piece of legislation is the GDPR (General Data Protection Regulation), a set of laws enforced by the EU to ensure that individuals’ data is protected.
One key measure of the GDPR is redefining what it means for data to be lawfully processed. This means that an individual needs to opt in to sharing their data and needs to know what they are opting into. The GDPR calls this “legitimate interest”.
There also needs to be proof of the reason why the user agreed to share their data. GDPR terms this “lawful basis”, which can include consent, contractual obligations, or legal obligations for the data controller.
In order to process data lawfully, HubSpot provides a multiselect property to track lawful bases. The property can be edited manually or set automatically. HubSpot also lets you track and audit when a lawful basis was granted, using the property history of that property.
The most common type of lawful basis is consent with proper notice. Notice, which is when someone knows what they are consenting to, is essential.
HubSpot is focused on making it as straightforward as possible to collect, track, and manage user consent in a way that conforms with GDPR.
Some measures for new customers include forms, messages, and meetings. The aim is to be as clear and transparent as possible with new customers.
GDPR also states that users need to be able to opt out of sharing their data. HubSpot has thus created a dedicated page where a user can opt out with ease. Once they have opted out, their preference will be updated on HubSpot’s system.
There are other measures enforced by the GDPR. Read here for a complete look at the ways in which HubSpot complies with the regulation.
Some tips to ensure data security with HubSpot
HubSpot has put many measures in place to ensure data remains secure and protected. There are still some steps users can take, however, to maintain data security.
Configure an SSL certificate
SSL certificates, now more accurately called TLS certificates, are a way to make websites more secure. With a TLS certificate, your website is served over https rather than http.
When you connect your website to your HubSpot account, HubSpot automatically provides a standard TLS certificate issued through DigiCert.
Bear in mind, however, that HubSpot cannot issue a TLS certificate, as it is not a certificate authority. If you want a custom TLS certificate, you will have to purchase the custom TLS add-on for your HubSpot account.
There are multiple types of TLS certificates:
- Single hostname: a certificate valid for a single subdomain. Only www.yourwebsite.com would be covered.
- Wildcard: certifies as many subdomains as you want. For example, www.yourwebsite.com and blog.yourwebsite.com could both be covered.
- Multi-domain: lets you certify multiple domains, so you would have coverage for www.yourwebsite.com and www.yournewwebsite.com.
We strongly recommend that you have a TLS certificate. Data security is at risk if a domain is not properly certified.
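Which hostnames each of the three certificate types actually covers is a common source of mistakes, so here is an added example (not HubSpot's code) that checks a hostname against a certificate's Subject Alternative Names using the standard matching rules: a wildcard replaces exactly one label, so `*.yourwebsite.com` covers blog.yourwebsite.com but neither the bare yourwebsite.com nor a.b.yourwebsite.com. The SAN lists and hostnames are constructed from the examples in the text; `dns_sans` reads the dictionary that Python's `ssl` module returns after a verified handshake, so the same check can be run against a live certificate.

```python
"""Added example, not HubSpot's code: check which hostnames a certificate's
Subject Alternative Names cover, for single-hostname, wildcard and
multi-domain certificates. SAN lists and hostnames below are constructed."""
from typing import Dict, Iterable, List, Optional


def _labels(name: str) -> List[str]:
    return name.strip().lower().rstrip(".").split(".")


def name_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, label by label. A wildcard
    must be the entire left-most label, matches exactly one label, and never
    matches the bare domain. Partial wildcards (w*.example.com) are rejected,
    as is a wildcard directly under a top-level domain (*.com)."""
    pat, host = _labels(san), _labels(hostname)
    if len(pat) != len(host):
        return False                      # *.a.com vs a.com or x.y.a.com
    if pat[0] == "*":
        return len(pat) >= 3 and pat[1:] == host[1:]
    if any("*" in label for label in pat):
        return False
    return pat == host


def covered_hostnames(sans: Iterable[str],
                      hostnames: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each hostname to the first SAN entry covering it, or None."""
    sans = list(sans)
    return {h: next((s for s in sans if name_matches(s, h)), None)
            for h in hostnames}


def dns_sans(peercert: dict) -> List[str]:
    """Extract DNS names from the dict that ssl.SSLSocket.getpeercert() returns
    after a verified handshake; IP-address SANs are left out."""
    return [value for kind, value in peercert.get("subjectAltName", ())
            if kind == "DNS"]


# Constructed SAN lists mirroring the three certificate types from the text
SINGLE_HOSTNAME = ["www.yourwebsite.com"]
WILDCARD = ["*.yourwebsite.com"]
MULTI_DOMAIN = ["www.yourwebsite.com", "www.yournewwebsite.com"]

HOSTS = ["www.yourwebsite.com", "blog.yourwebsite.com", "yourwebsite.com",
         "a.b.yourwebsite.com", "www.yournewwebsite.com"]


def coverage_report() -> Dict[str, Dict[str, Optional[str]]]:
    """Coverage table for each certificate type over the constructed hosts."""
    return {
        "single": covered_hostnames(SINGLE_HOSTNAME, HOSTS),
        "wildcard": covered_hostnames(WILDCARD, HOSTS),
        "multi_domain": covered_hostnames(MULTI_DOMAIN, HOSTS),
    }


if __name__ == "__main__":
    for cert_type, table in coverage_report().items():
        print(cert_type)
        for host, san in table.items():
            print(f"  {host:24s} -> {san or 'NOT COVERED'}")
```

The report makes the practical point visible: a wildcard certificate does not cover the apex domain, so a site that serves both yourwebsite.com and www.yourwebsite.com needs the apex listed as its own SAN entry, which is where a multi-domain certificate comes in.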
Enforce single sign-on and two-factor authentication
Single sign-on (SSO) gives your team members a single account for all the systems that your company uses.
SSO has its benefits: each employee has only one username and password to remember, so less time is wasted entering individual passwords or contacting support teams because a password has been forgotten.
SSO also concentrates risk in that single credential, so it is recommended that it be paired with two-factor authentication (2FA).
2FA adds another layer of security on top of a username and password: it requires confirmation from a separate device, such as a mobile phone. Because the user must have the physical device at hand, it is much harder for an intruder who has only obtained a password to get in.
HubSpot's 2FA can be delivered by text message or through authenticator apps such as Google Authenticator or Microsoft Authenticator.
Password-protect some pages and configure membership
On any website, some information is more sensitive than the rest. That's why HubSpot recommends that you password-protect some pages, so that authorised users must register before they can access private content.
HubSpot recommends that you control who can access specific pages. Users with publishing permissions can do this by inviting contacts from HubSpot lists. These contacts will need to sign up with a password in order to view the content.
By configuring membership, some pages can only be accessed by trusted contacts who have registered to HubSpot and who are logged in.
With CMS Hub Enterprise, you can set up membership to certain pages. This membership grants access to private content on blog posts and landing and website pages.
The Service Hub Professional and Enterprise membership, on the other hand, grants access to private content in knowledge base articles.
So as you can see, HubSpot encourages you to set up various levels of security, with only the most trusted personnel having access to the most sensitive information.
To ensure data remains as secure as possible, we recommend that you partition assets. Partitioning makes sure that only the right teams and users are able to view and edit certain pages.
In addition to ensuring data security, partitioning helps each team stay focused and organised, as they only have access to information that is relevant to their work.
With HubSpot, super admins are able to view all partitioned assets.
Configure field-level permissions
It is possible to restrict permissions on certain pages, so that some users have edit access while others can only view.
Configuring field-level permissions ensures that only certain users can edit sensitive data. Having such restrictions ensures data integrity, in that unauthorised users are unable to tamper with information.
The highest-level access is granted to super admins, who can view and edit files that have been restricted. These super admins determine other users’ level of access.
Super admins can block users from seeing certain pages. Alternatively, they can grant users either view-only or view-and-edit access.
Configure user roles
In order to maintain proper access levels, you need designated users who set the access level of new users.
Some users have the "add and edit users" permission, which lets them choose and customise permissions for all user accounts in HubSpot, new or existing.
Configure hierarchical team structures
HubSpot has a Teams function, enabling you to sort users into groups. We recommend that you set up these groups in a hierarchical structure.
To create team hierarchy, you can set up parent-child relationships between the different teams. This structure lets parent groups see what all child groups are doing, whereas child groups cannot see what parent teams or other child teams own.
Such a structure lets the managing (parent) group keep a clear overview of all operations without sensitive information being shared more widely than necessary. This structure thus improves both management and data security, as each child team has access to only a limited amount of information.
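The access rules from the last three sections (partitioned assets visible to the owning team and its parents but not to siblings or children, super admins who see everything, and field-level edit restrictions on top of view access) combine into one authorisation model. Here is an added example (not HubSpot's code; the team, user and asset names are constructed) that implements exactly those rules so they can be tested against concrete cases, including the one the text stresses: a child team cannot see what its parent or a sibling owns.

```python
"""Added example, not HubSpot's code: an authorisation model for partitioned
assets with hierarchical teams, super admins and field-level restrictions.
All team, user and asset names below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class Team:
    name: str
    parent: Optional[str] = None   # parent team name; None at the top of the tree


@dataclass
class User:
    name: str
    team: Optional[str]            # None for accounts outside any team
    super_admin: bool = False
    can_edit: bool = False         # publishing / edit permission on assets
    field_grants: Set[str] = field(default_factory=set)  # restricted fields this user may edit


@dataclass
class Asset:
    name: str
    owner_team: str
    restricted_fields: Set[str] = field(default_factory=set)


class Directory:
    def __init__(self, teams: Iterable[Team]):
        self.teams: Dict[str, Team] = {t.name: t for t in teams}

    def ancestors(self, team: str) -> List[str]:
        """Parent, grandparent, ... of `team`; a cycle in bad data raises
        rather than looping forever."""
        chain: List[str] = []
        seen = {team}
        cur = self.teams[team].parent
        while cur is not None:
            if cur in seen:
                raise ValueError(f"team hierarchy cycle at {cur!r}")
            seen.add(cur)
            chain.append(cur)
            cur = self.teams[cur].parent
        return chain

    def can_view(self, user: User, asset: Asset) -> bool:
        """Super admins see everything. Otherwise an asset owned by team T is
        visible to members of T and of every ancestor of T, and to nobody
        else: sibling teams and child teams are excluded."""
        if user.super_admin:
            return True
        if user.team is None:
            return False
        return (user.team == asset.owner_team
                or user.team in self.ancestors(asset.owner_team))

    def can_edit_field(self, user: User, asset: Asset, field_name: str) -> bool:
        """Editing requires view access, an edit permission, and, for a
        restricted field, an explicit grant; super admins bypass the grants."""
        if not self.can_view(user, asset):
            return False
        if user.super_admin:
            return True
        if not user.can_edit:
            return False
        if field_name in asset.restricted_fields:
            return field_name in user.field_grants
        return True


if __name__ == "__main__":
    d = Directory([Team("marketing"), Team("emea", "marketing"),
                   Team("apac", "marketing"), Team("france", "emea")])
    page = Asset("fr-landing", "france", restricted_fields={"pricing"})
    for u in (User("head", "marketing", can_edit=True),
              User("fr-editor", "france", can_edit=True),
              User("apac-editor", "apac", can_edit=True),
              User("root", None, super_admin=True)):
        print(u.name, d.can_view(u, page), d.can_edit_field(u, page, "pricing"))
```

Reading the output for the constructed hierarchy: the marketing head sees the French page because france sits under emea under marketing, the apac editor does not, the French editor can edit the page but not its restricted pricing field, and the super admin can do both. Review the `field_grants` sets periodically, since they are the one place where a restricted field opens up outside the super admin role.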
Implement data synchronisation
Using HubSpot data sync, you can synchronise HubSpot with your other applications. With this method, all your customer data can be brought together on the same platform.
You can synchronise a variety of information, including contacts, companies, transactions, products, payments, and activities.
Synchronisation can be one-way or two-way. Two-way synchronisation means that both applications have access to all the data, whereas one-way synchronisation gives the data to only one platform.
As we have seen, past scandals have shown how important it is for all parties handling data to be secure. Since CRM platforms handle sensitive user and company data, data security remains of the utmost importance.
Last year, the breach suffered by HubSpot taught the company to invest more in its security. It acted quickly and has since focused on making sure that all the data it handles remains secure.
Users on HubSpot’s platform are also encouraged to take steps to protect their own data. Whether it’s enforcing single sign-on or configuring user roles, the best way to protect data is to make sure that only authorised personnel have access to information that is relevant to them.
At Elba, we are focused on protecting your HubSpot data. If you are interested in developing your company's cybersecurity, you can book a demo today.