Intercom is a centralized hub for businesses to streamline customer communication across various channels such as chat, messaging, email, and support ticketing. It facilitates seamless interactions by providing support, collecting feedback, and fostering stronger relationships. 

During these interactions, Intercom captures critical customer details such as names, email addresses, phone numbers, and other pertinent information shared in conversations. Intercom maintains a comprehensive record of all interactions, including chat logs, support tickets, and email exchanges, to provide valuable context for future engagements. Additionally, it allows team members to store internal notes and communicate about specific customers or issues based on individual settings.

However, storing and handling sensitive information necessitates robust security protocols to prevent data breaches that could have far-reaching consequences for trust, reputation, and financial standing.

This comprehensive handling of sensitive information naturally foregrounds a crucial inquiry for companies leveraging this platform: Just how secure is Intercom when it comes to protecting your business and customer data?

Is Intercom Safe And Secure?

Here are some key security measures implemented in Intercom by default:

Hosting: Intercom uses Amazon Web Services in the USA for hosting, which is known for its strict security and compliance standards. 

Automated deployment: Intercom uses automated systems to ensure secure and efficient deployment of changes to both the application and operating platform. With dozens of deployments per day, security fixes can be quickly rolled out when needed.

Data encryption: Intercom enforces data security by encrypting all data during transit. The API and application endpoints use TLS/SSL exclusively, meeting an "A+" rating on SSL Labs' tests. This includes strong cipher suites and features like HSTS and Perfect Forward Secrecy, which are enabled for added protection.

Third-party audits: Intercom regularly engages with trusted third-party auditors to review its codebase and infrastructure and address any potential issues that may arise.

Infrastructure management: Intercom uses Terraform to maintain infrastructure and additional technologies like Graylog, AWS CloudTrail, and PantherLabs. This ensures a comprehensive audit trail for both the infrastructure and application.

Two-factor authentication: 2FA is implemented whenever feasible, with vendors mandated to enforce it on all accounts. While shared accounts are not recommended, tools such as 1Password are employed for secure login management when necessary. 

Corporate network security: The corporate network is structured without any backdoors to production systems, following a zero-trust model for enhanced security

Incident response: An incident response plan is documented, and all employees are trained on security protocols and policies.

Penetration testing: Specialized security partners carry out External penetration tests twice a year.

Code review and testing: Any changes to the Intercom codebase undergo peer review and automatic testing through the CI/CD process to catch any regressions or security flaws using static analysis. They also manage a public bug bounty program with Bugcrowd to identify and resolve any potential security issues.

Intercom also provides additional security measures for integrations:

• Identity verification: Identity Verification in Intercom helps prevent unauthorized users from impersonating others on the Messenger platform.
• Attribute restrictions: Intercom can stop malicious actors from inserting harmful data by disabling attribute creation via Messenger.
• Session management: The Intercom JavaScript shutdown method closes user sessions upon logging out of the app.
• Domain management: A trusted domains list can be added to ensure the Messenger is only accessed on approved domains.
• Security indicators: Tooltips and visual indicators flag untrusted links in email conversations for enhanced security awareness.

Common security concerns with Intercom

Cloud-Based System Reliance

Intercom utilizes a shared responsibility model, where physical and network security at their data centers is managed by cloud providers like Amazon Web Services (AWS). While this partnership leverages AWS's robust security frameworks, it also presents potential vulnerabilities, particularly if the cloud provider itself is compromised. This situation could impact the security of Intercom users, despite the protective measures in place. Additionally, the reliance on a single cloud platform can pose challenges in data mobility, complicating the process for users wishing to migrate to another platform in emergency situations. 

Third-Party Integrations

Connecting Intercom to other applications enhances functionality, but also introduces security vulnerabilities. Flaws in these external platforms can lead to unauthorized access to Intercom data. Improperly configured integrations may inadvertently expose sensitive information or functionalities, heightening the risk of data breaches or leaks.

User Management And Access Control

Accidental exposure may occur due to human error, as sensitive information can be leaked through insecure conversations or file uploads. Disgruntled employees with access to Intercom could also pose an insider threat by intentionally misusing or stealing data. Privilege creep—where users accumulate access rights beyond their needs—may occur over time if user roles and permissions are not regularly reviewed and adjusted. 

Data Privacy And Compliance

Intercom's feature of storing data in designated geographic locations may not always meet a company's legal or regulatory obligations, which can pose challenges for businesses that must adhere to strict data residency laws. Businesses should understand and manage the duration of customer data retention, especially for compliance with regulations such as GDPR that dictate specific policies for retaining data.

Why do you need a Third Party DLP integration for Intercom ?

An Extra Security Layer

Incorporate advanced security features such as encryption enhancements and network security configurations to ensure all data is secure at rest and in transit. Use strong encryption standards for all data and implement advanced methods like elliptic curve cryptography (ECC) for stronger data protection during transit. Regularly update encryption protocols for data at rest to prevent unauthorized access. Also, data loss prevention (DLP) solutions should be employed to prevent accidental sharing or leakage of sensitive information.

Secure Logins With 2FA, SSO, or SAML

Hackers often exploit the "human element" by manipulating individuals to gain access rather than exploiting code vulnerabilities. To safeguard your workspace, it's crucial to strengthen your access model, minimizing human error that could lead to security breaches. Avoid reusing passwords and sharing credentials. Implement robust login measures such as 2FA, SSO, or SAML in your Intercom workspace to prevent unauthorized access, protect customer conversations, and preserve your brand's integrity.

Use Identity Verification

Implement stringent identity verification processes to enhance the security of user accounts and deter fraudulent activity. All individuals, whether visitors or registered members, are required to present a unique identity token before accessing the platform. This approach ensures that only verified users can enter your workspace, safeguarding against unauthorized access. Even without active users, activating identity verification preemptively shields your environment from potential threats. Visitors will remain unaffected as they are authenticated via a unique cookie in their browser.

Monitoring And Logging

Improve your enterprise security measures by integrating Intercom into an SIEM system. This will centralize security event logging and analysis, making detecting and responding to potential threats easier. Make it a regular practice to review system logs for any suspicious activity or anomalies. Set up alerts for critical security events so we can quickly respond to any potential threats that may arise.

Implement "Least Privilege" For User Roles And Permissions 

With permissions and roles, you have complete control over your teammates' actions. This feature allows you to limit privileged actions to a select few members in your workspace, following the "least privilege" approach. This means that each teammate will only have access to the tools necessary for their job, reducing the potential impact of any account takeover incidents.

Monitor Activity Logs

Assigning roles doesn't mean you can let your guard down. It's always a good idea to regularly check your teammate's activity logs for any unusual activity. These logs serve as a way to monitor important changes like data deletion or export. If you have a large team, keep an eye on failed login attempts, new invitations, changes in settings, or even bulk data exports. These insights can help detect suspicious behavior and protect against the potential threat of internal bad actors.

Regular Security Reviews

Consistently review your Intercom configurations and access controls to maintain stringent security. Conduct periodic security audits—quarterly or following significant changes to your setup—to evaluate access permissions, integration security, and potential vulnerabilities. Keep your Intercom system and any integrated applications updated with the latest security patches to prevent risks.

Conduct Training Sessions

Additionally, develop a comprehensive incident response plan to effectively address and mitigate any security incidents. Educate your team on essential cybersecurity practices, including secure password management and phishing detection techniques. Implement strict password policies requiring strong, unique passwords for all team accounts, which should be updated regularly.

While it is important to follow the abovementioned best practices, there are still ways that sensitive data can be accessed. To address this issue, a data loss prevention (DLP) solution must be implemented in Intercom.

Introducing Strac DLP For Intercom

Strac Intercom DLP protects businesses by discovering (scanning), classifying, and remediating sensitive data such as SSNs, driver's licenses, credit cards, bank numbers, IP (confidential data), etc. 

Strac features:

• Automatic detection and redaction: Strac automatically identifies and redacts sensitive content, ensuring only authorized personnel can access the original information through a secure vault. Strac's AI detects sensitive data with accuracy and precision across volumes of unstructured texts and documents.

• Customizable data recognition: Businesses can configure Strac to recognize and redact a wide range of sensitive data elements, including PII (Personally Identifiable Information) and PHI (Protected Health Information):some text
  • Social Security Numbers
  • Dates of birth
  • Driver's license numbers
  • Passport details
  • Credit card and debit card numbers
  • API keys
  • Financial documents
  • Confidential data
• Comprehensive audit reports: Strac provides detailed reports on access attempts to specific messages, aiding compliance, risk, and security personnel. 

• Remediate sensitive data: Strac provides remediation actions like redaction, blocking, alerting, and encryption. This feature is particularly useful for protecting private information such as PII (Personally Identifiable Information) or PHI (Protected Health Information), effectively blocking unauthorized access. Strac's redaction replaces sensitive data with a link to Strac's secure Vault. 
• API integration: Strac's RESTful APIs allow custom integrations alongside user-friendly no-code options for a flexible and efficient DLP deployment.
• Dashboard and analytics: Strac's dashboard offers detailed visualizations of data discovery and remediation activities, providing insights into data flow and security status.
• Compliance with regulations/privacy laws: Strac helps you comply with major regulations like PCI, SOC 2, NIST CSF, HIPAA, GDPR, CCPA, and India's DPDP, safeguarding against legal and financial penalties.

Schedule a demo with Strac today to protect your Intercom environment!