Sage CRM 2023 R2: Deep Layered Defence for Integrated Sage CRM

This article discusses the significance of securing web-based business applications like Sage CRM and Sage 300 through a strategy known as deep layered defence (DLD). These applications integrate customer management with accounting software and may be vulnerable to cyberattacks, potentially leading to data breaches and fraud. The DLD strategy involves implementing multiple layers of protection for the application, web server, network, and user devices.

Sage CRM is a versatile and easily customised Customer Relationship Management system that integrates with Sage accounting software. Whether you are using Sage 50, Sage 100, Sage 200, Sage 300, Sage X3 or Sage Intacct, there are integrations available that provide seamless connection across your business. Sage CRM enables you to manage your Marketing, Sales and Customer Service all in one place.

For example, the Sage 300 integration for Sage CRM creates a link that enables Sage CRM and Sage 300 to share information as it is entered into either program. After integration, front-office personnel can create customer quotes and orders in Sage CRM and then promote those quotes and orders to Sage 300.

Sage CRM and Sage 300 web screens are both web-based applications that can be accessed by users inside and outside of the corporate network.  Because the interfaces for these applications are exposed through the web, the security of these systems needs to be taken seriously and reviewed regularly.

A business faces many dangers if it does not secure web applications that are accessible from beyond the corporate network. If a web application like integrated Sage CRM is not properly secured, attackers can gain access to sensitive data, such as customer Personally Identifiable Information (PII), financial information, and intellectual property. This data can then be used for identity theft, fraud, or other malicious purposes.

I have written "An Overview of System Security for Sage CRM" and discussed the key ways in which Sage CRM can be hardened against attack. I want to stress the importance of thinking about the security of the whole system that is exposed to the web, not just thinking about Sage CRM on its own.

Deep layered defence (DLD) is a security strategy that uses multiple layers of protection to defend against cyberattacks. This includes the application's own security, as well as the security of the web server, network, and endpoints.

The goal of DLD is to make it as difficult as possible for attackers to successfully exploit a vulnerability. By having multiple layers of security, attackers are more likely to be stopped by one of the layers before they can reach their target.

Web-based business applications like Sage 300 web screens and Sage CRM are vulnerable to cyberattacks when a DLD strategy has not been implemented. There may be vulnerabilities that lie not in the applications themselves but in the environment in which they are installed and managed.

The web server that hosts the business applications is a potential target for attack. Web servers can be vulnerable to a variety of attacks, such as denial-of-service attacks and file upload exploits.  The network that the web-based business application is connected to can also be a target for attack. Network vulnerabilities can be exploited to gain access to the web server or the application itself. The devices that users use to access the web-based business application can also be a target for attack. Endpoint vulnerabilities can be exploited to steal user credentials or install malware on the device.

By working with customers to implement a DLD strategy, partners can significantly reduce the risk of these vulnerabilities being exploited. A DLD strategy will incorporate multiple layers of security, making it more difficult for attackers to successfully exploit a vulnerability.

Partners should work with customers to ensure that they also have a plan for responding to cyberattacks. This plan should include steps for identifying and containing the attack, as well as steps for recovering from the attack.

By implementing a DLD strategy, our partners can significantly reduce our customers' risk of being attacked and having their data compromised.

Sage CRM provides documentation on how to install a secure system, as does Sage 300 for its web screens.

Customers, together with their partners, are responsible for following this advice. In the example of Sage 300, this is explicit:

Important! To use Sage 300cloud web screens, data must be protected with Secure Socket Layer (SSL). When using Sage 300cloud web screens over an external network or the internet, additional security measures are required, such as a Virtual Private Network (VPN). To determine appropriate security measures, consult with your information technology (IT) professional or Sage Business Partner.

Sage is playing its part. We have security champions: security experts who work with the main developers to review our products, to ensure we implement secure coding practices like input validation, and to monitor for vulnerabilities. Sage CRM is regularly scanned for vulnerabilities. This helps to identify and fix security vulnerabilities before they can be exploited by attackers.

All parts of a customer system, however, need to be managed for security. If there are multiple layers of security, an attempt to exploit a vulnerability present in one layer can be blocked by another.

Sage CRM has a development cycle with two releases a year. The review of the application security for Sage CRM is built into that cycle. But Sage CRM's application security is only one part of the whole, and a live system will need to be reviewed regularly as part of the philosophy of Deep Layered Defence. You can read more about why keeping Sage CRM up-to-date is important here:

For applications like Sage CRM and Sage 300 that are available beyond the corporate network, a specialist company is best placed to advise on the frequency and extent to which a partner should help an individual customer review their specific security measures. Nevertheless, whether a review of security measures for customer web applications takes place quarterly or as new versions of Sage CRM or Sage 300 are released, all customers need to have a plan to regularly review their security measures.

Sage CRM is a web-based application that is designed to be secure. However, it can be kept secure only if proper measures are taken during implementation and then reviewed regularly.

It is important to update Sage CRM regularly to protect yourself from new vulnerabilities.

  • Employees should be trained on security best practices, such as creating strong passwords and not clicking on links in suspicious emails.
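  • Make sure you implement HTTPS so that Sage CRM uses encryption to protect data in transit between the browser and the server. This means that data is scrambled while it travels across the network so that it cannot be read by unauthorized users. HTTPS does not protect data at rest, which needs its own controls on the server and database.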
  • Use a modern browser when accessing Sage CRM or Sage 300 through a web browser. It is important to use a secure web browser, such as Edge, Chrome or Firefox. These browsers have built-in security features that can help to protect your data.
  • Keep your anti-virus software up to date on the servers and browser machines. Anti-virus software can help to protect your system from malware, which can steal your data. It is important to keep your anti-virus software up to date with the latest virus definitions.
  • If you access Sage CRM from outside of your corporate network, it is a good idea to use a VPN. A VPN encrypts your traffic so that it cannot be intercepted by unauthorized parties.
  • Make sure that you implement the Sage CRM security policies for users. The security territories and user profiles allow customers to control who has access to which data. This can be used to ensure that only authorized users have access to sensitive data.
  • Use the fact that Sage CRM keeps track of user activity. This can be used to track down unauthorized access and malicious activity.
  • Have a plan for responding to security incidents. This plan should include steps for identifying and containing the incident, as well as steps for recovering from the incident.

I hope that this has been a useful read.  If you take anything away from this, it is that I want you to understand that securing web-based applications like Sage CRM and Sage 300 involves more than just protecting the application itself. A comprehensive DLD strategy, collaboration with customers, and continuous security measures are crucial to safeguarding sensitive data and maintaining the integrity of the applications.

This article applies to Sage CRM stand-alone and when integrated with Sage accounting products: Sage 50, Sage 100, Sage 200, Sage 1000, Sage 300, Sage X3 and Sage Intacct.

Please note:

All environments, configurations, integrations, and 3rd-party software that are supported by Sage are documented in the help and guides published on Sage CRM Help Center.

Any environments, configurations, integrations, and 3rd-party software that are not documented here have not been tested and are therefore not supported by Sage.