Are there security risks associated with SaaS CRM?

This is a great question on several levels. Security issues with SaaS were largely settled for many vendors a few years ago but the issue of security -- and a formal approach to managing it -- is causing some old issues to resurface. The formality is being driven by new technologies that live under the umbrella of governance, risk and compliance (GRC).

There are industry standards in place for data centers but, in my opinion, that's not enough because vendors aren't required to use them. A large and successful SaaS vendor might have all of the security bells and whistles but a small vendor who is just starting out may not. The problem is that on the Internet both vendors can look big, prosperous and secure. Buyer beware!

I think physical security is pretty well managed for most vendors, and procedures within any organization can help prevent hacking, phishing and other attacks. However, the evidence suggests that it's not perfect. Still, I think vendors can do a better job of maintaining security than many small companies simply because they have more capital and other resources dedicated to the task.

In my opinion, security risk gets dicey in areas you don't see or think about much. For example, what about the risk of having a single data center backed up to tape? The single location might be at risk for a natural disaster and without a live, mirrored backup, recovering from the tape might be possible but who knows how long it could take for the tape to reach a safe place.

I think business downtime with on-demand CRM or SaaS CRM is the big security risk today, not outright data loss. It's not what you'd think of first but I guarantee it's something a lot of vendors are already working on. When an on-demand vendor has an initial public offering (IPO) one of the targets for that new money is a mirrored data center. Check the government filings.