Salesforce.com has reached the 7,000 customer mark. Salesnet recently inked a deal with a Boston-area bank. UpShot Corp. and NetLedger Inc. continue to make strides with financial firms and other organizations with sensitive customer information.
Undoubtedly, the hosted model has become a serious option for small and mid-sized companies considering CRM applications. Does this mean that early concerns about trusting vital customer information to the security of an online provider are now over?
Not necessarily, according to Denis Pombriant, vice president and research director of Aberdeen Group in Boston, who will release a report on hosted CRM providers early next month.
"We asked specific questions about that," Pombriant said. "The things that people disliked about hosting when it was brand new, they still dislike. They're uncomfortable with the fact that data is not in their computer rooms, that someone else has access. They would like to have applications that don't require a connection to the Internet to be fully useful. Those are the same concerns we heard three or four years ago."
What has changed, Pombriant said, is the ability of the hosted providers to overcome these fears.
"It's no longer a deal stopper, it's an objection," Pombriant said. "You go into the sales process knowing it's an issue and you need to convince the customer about security."
Yet progress has been made in hosted
"Companies have matured," Dan Starr, chief marketing officer for Boston-based Salesnet, said. "During the dot-com phase, people were pouring money in without much thought about the back-end phase. The businesses that are left now are the ones that have proven the ASP model. They have proven good quality and a secure level of service."
Starr said that with major, in-house CRM deployments, customers are stuck with a vendor because of the huge sums of money spent and the huge amount of time installing the software. Because it's easy to shut down the online model, "ASPs have more of a challenge. They have to earn their clients' business every month," he said.
Tien Tzuo, vice president of product management for Salesforce.com in San Francisco, said there's no room for error.
"A vendor's reputation is built on security," Tzuo said. "If we had a security breach, it could be potentially fatal to our business. We're going to keep our eye on the ball more than most IT folks."
Additionally, hosted providers, which cater mainly to small and medium-sized businesses, say they can often provide far more security than their customers can.
"I don't think concerns will ever end completely, given what's happening on the Internet," said Zach Nelson, CEO of San Mateo, Calif.-based NetLedger. "There were four new viruses last week alone. It's always an issue. In our particular market, customers realize we basically have a Fortune 500 data center. We have all those things that they can't afford. Basically, they're getting a superior system for free."
Doing due diligence
While some financial services companies have elected to go the hosted route, that doesn't mean they're entrusting everything to a hosted CRM provider that stores sensitive information on a server located on the other side of the country.
Joe Riley, senior vice president and corporate sales manager for Eastern Bank in Boston, said his company uses Salesnet, but only for prospecting new business, not as a repository for current customer information.
The prospecting data is valuable nonetheless, and Riley said his company took a long look at security before choosing a CRM provider.
"I wanted to know who had access and what assurances we would get contractually," Riley said. "What kind of protection did they have in their database? In event of cessation, how would we get that info back and in what format? They made all those assurances to me; I was convinced, as were our tech people, that their protections were state of the art."
That type of security research is incumbent on a business before deciding whether to go with hosted CRM, according to Laurie McCabe, vice president and practice director with Summit Strategies in Boston.
"There are still security issues," McCabe said. "It's a situation where customers need to do their own due diligence. With CRM, it may not be an IT person doing the decision making."
Companies should also consider an online vendor's commitment to offline security. What happens when a salesperson gains offline access to company information? How is that information protected? What if the sales agent quits or is fired?
Salesnet's Starr points to this as a differentiator for his company. With Salesnet, offline information is written on .NET architecture and encrypted, he said. Salesforce.com, which currently stores information on an XML file, is planning on adding encryption in its next release, Tzuo said.
NetLedger doesn't currently feature offline access. UpShot declined to comment on its security policies.
ForEx Capital Markets, a global currency trading firm in New York, had the problem of an employee walking off with company data. It elected to go with Salesforce.com after examining the company's policies and technology.
"The people who are most likely to run away with our information are here," said Saul Weiner, an analyst with ForEx. "If someone wants to get hold of information, we don't feel it makes a difference if the software is here or there."
As the ASP market has matured, technology has matured with it.
"From a physical perspective, the [data center] rooms that big-time hosters use are very solid," Pombriant said. "There's good encryption, secure sockets and all that stuff. It literally is true that, in many cases, the hosted providers provide better security than an individual company could provide. It's not so much a technology issue at this point."
FOR MORE INFORMATION: