How to protect your Intercom account?
Eliminate Security and Compliance Risks From Intercom Account
Intercom is a customer relationship management (CRM) software solution for businesses. It allows companies to develop customer relationships with chatbots, product tours, proactive messages, email campaigns, self-serve support, and more.
With more and more data being stored in the cloud, protecting that data is increasingly imperative. Data protection is no longer a choice for many businesses. More and more laws worldwide mandate data privacy and security. For example, the European Union's General Data Protection Regulation (GDPR) establishes a "right to delete" for customer data being held by a private company. In the US, the California Consumer Privacy Act (CCPA) similarly establishes the right to request that a company delete customers' information, with states like Colorado and Virginia recently passing similar laws.
According to IBM, data breaches cost companies an average of $4.35 million. This doesn't even factor in the cost of a ransom itself, should your company fall victim to a ransomware attack. Intercom has its own weak points as well: its lack of secure cookies leaves users open to a client-side attack, and a particular vulnerability allows third parties to forge records.
Bad actors can exploit several vulnerabilities to gain access to your sensitive Intercom data. According to a 2022 Verizon report, 82% of data breaches were caused by human error, including stolen credentials, phishing, misuse, or a simple mistake. Simple best practices you may use on other services are also recommended for Intercom. For example, refrain from reusing a password for multiple services and make sure you change your password regularly, especially if it has been in a data breach. Intercom also recommends adding an extra layer of security to your login through two-factor authentication, a Google Single Sign-On (SSO), or Security Assertion Markup Language (SAML).
You may be interacting with other users, like customers, through your Intercom account. These interactions may contain sensitive data, so it is essential to ensure other users are who they say they are. Identity Verification can help. Enabling this feature will send a unique identity token to each user that they must enter to log in on top of their user ID and password. Even if you don't have other users in your Intercom workspace, enabling Identity Verification is still recommended so that malicious users cannot join your workspace.
Another way to protect your information within your organization is role-based access control. This is a best practice for all services, such as Google Drive. Role-based access control lets you set permissions for different users: for example, some may only be able to view, while others can edit. Similarly, role-based access control allows you to restrict sensitive information to only those who need it to perform their jobs. This is called the principle of "least privilege," a critical security practice everywhere, including on Intercom. One way to apply it on Intercom is to limit access to specific conversations for certain teammates. Intercom explains how to do this on their Help Center.
Intercom also provides visibility into your workspace members' activities. You can use the Teammate Activity Logs to monitor suspicious activities, such as multiple failed login attempts, invitations to new users, setting changes, and bulk data exports.
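As an added illustration (not code from Intercom or Strac), this is the kind of review a team could run over an export of such activity logs, flagging the four event types named above. The entry shape, event names and thresholds are assumptions made for the example, not Intercom's actual log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entries in an assumed, simplified shape (not Intercom's real
# export format): ISO timestamp, teammate, event name, optional detail.
SAMPLE_LOG = [
    ("2024-03-01T09:00:05", "alice@example.com", "login_failed", ""),
    ("2024-03-01T09:00:40", "alice@example.com", "login_failed", ""),
    ("2024-03-01T09:01:10", "alice@example.com", "login_failed", ""),
    ("2024-03-01T09:01:30", "alice@example.com", "login_failed", ""),
    ("2024-03-01T09:02:00", "alice@example.com", "login_success", ""),
    ("2024-03-01T09:05:00", "alice@example.com", "teammate_invited", "new.user@example.org"),
    ("2024-03-01T09:06:00", "alice@example.com", "setting_changed", "2fa_required=false"),
    ("2024-03-01T09:07:00", "alice@example.com", "bulk_export", "contacts"),
    ("2024-03-01T10:00:00", "bob@example.com", "login_failed", ""),
    ("2024-03-01T10:30:00", "bob@example.com", "login_success", ""),
]

FAILED_LOGIN_THRESHOLD = 3                 # assumed: failures per sliding window
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # assumed window length
# Events that are rare enough to review every time they occur.
ALWAYS_REVIEW = {"teammate_invited", "setting_changed", "bulk_export"}


def find_suspicious(entries):
    """Return a list of (teammate, reason) findings from activity-log entries."""
    findings = []
    failures = defaultdict(list)  # teammate -> timestamps of recent failed logins
    for ts, who, event, detail in sorted(entries):
        t = datetime.fromisoformat(ts)
        if event == "login_failed":
            # Keep only failures inside the sliding window, then check the count.
            recent = [x for x in failures[who] if t - x <= FAILED_LOGIN_WINDOW]
            recent.append(t)
            failures[who] = recent
            if len(recent) == FAILED_LOGIN_THRESHOLD:  # fire once per burst
                findings.append(
                    (who, f"{FAILED_LOGIN_THRESHOLD} failed logins within {FAILED_LOGIN_WINDOW}")
                )
        elif event in ALWAYS_REVIEW:
            findings.append((who, f"{event}: {detail}"))
    return findings


if __name__ == "__main__":
    for teammate, reason in find_suspicious(SAMPLE_LOG):
        print(f"REVIEW {teammate}: {reason}")
```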
All in all, you can follow several best practices recommended by Intercom to protect your data. However, there are several downsides:
Strac's Data Loss Prevention (DLP) Solution for Intercom automatically detects and redacts sensitive data like PII (SSN, DL, passport, etc.), PHI (patient data, DOB, etc.), credit card numbers, bank account details, API keys, and more from Zendesk comments and tickets. Strac App is also listed on Intercom's App Store.
Strac's Redactor is powered by its Machine Learning models, which are trained to help businesses comply with PCI, HIPAA, SOC2 and various privacy laws by automatically redacting sensitive data. Strac also exposes REST APIs for redacting any data.
Book a demo to see how Strac's unique redaction technology will eliminate your security and compliance risks.