1 Key Salesforce Security Best Practice
Many organizations assume their Salesforce orgs are already secure enough, so why should they care about FMT's recommended key Salesforce security best practice? Consider that phishing attacks keep increasing, and 2020 stood out: 88% of organizations around the world experienced spear phishing attempts, and remote workers are being targeted more than before. After a successful attack, nearly 60% of organizations lose data, nearly 50% are infected with ransomware, and nearly 35% suffer financial losses.
Those are scary statistics. How can we keep our Salesforce data secure?
Let's say you implemented Salesforce a while ago and everything is working well. It's flexible enough that you can easily change a picklist value or add a little automation. But you probably haven't thought about security since the implementation. In my experience, most implementations configure data access (which users can see or edit which records and which fields), but very little attention is paid to securing the application itself. Read on for our single Salesforce security best practice . . .
Application security is a three-legged stool.
The first leg is access to the application itself. Who can access it? From where? And when? Usually the answer is "my coworkers", perhaps with login IP ranges and login hours set on profiles to restrict where and when they can sign in.
The second leg is how you configure data access and feature access: who can see this field? Who can create this record?
The final leg is your users. They have a duty not to give out their application passwords, accidentally or otherwise; think phishing attacks.
When did you last review who can access your system, and how that access is controlled? What about phishing, malware and trojan horses?
Let’s look at system security.
System security comes from a combination of user education and correctly configured Salesforce settings, Session Settings among them.
Remember a couple of months ago when a teenager in Florida gained access to several high-profile Twitter accounts? He didn't do it by exploiting a technical flaw; he did it by phishing. He phoned Twitter employees, posed as tech support and told them their passwords had to be reset, and several of them trusted him and followed his instructions. That's because we are inclined to trust, especially at work. Work is a familiar environment that rewards trust and cooperation among employees, and we are simply not wired to distrust our company's inbox.
Therefore, it's important to educate your users about phishing. Phishing emails often look identical to "official" ones. A typical example mimics a Microsoft account notice; it looks exactly like the real thing, but clicking the big blue "Review Recent Activity" button downloads malware or lands on a page that harvests the user's credentials.
Teach your users to hover over links in emails and check where they actually lead before clicking. For a genuine Salesforce link, the hostname itself must be salesforce.com or a subdomain of it, such as login.salesforce.com. It is not enough for the text "salesforce.com" to appear somewhere in the link: a look-alike domain such as evil-salesforce.com, or a path or query string that merely mentions salesforce.com, is exactly what phishers use. The same check works for links from any other vendor. Remind employees that a Salesforce admin never needs to know a user's password, and that credentials for any corporate system must never be given out. If an email claiming to come from Salesforce seems suspicious, forward it to security@salesforce.com for verification.
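The hover check above, written out as a small script. This is an added example, not code from the original post or from Salesforce: it takes the URL a user sees when hovering over a link, extracts the hostname the browser would actually connect to, and compares it against a short allow-list of Salesforce-owned domains (the TRUSTED_DOMAINS tuple is an assumption; extend it for your org). It also keeps the naive "ends in salesforce.com" rule alongside, to show the links on which that rule gives the wrong answer. The sample links are constructed.

```python
"""
Added example (not from the original post): decide from a hovered link's URL
whether it really leads to Salesforce. Compares the hostname the browser will
connect to against an allow-list of registrable domains, rather than checking
whether the link text "ends in salesforce.com".
"""
from urllib.parse import urlsplit

# Assumption: your users only ever log in through these domains; extend the
# tuple if your org uses other Salesforce-owned domains.
TRUSTED_DOMAINS = ("salesforce.com", "force.com")


def naive_check(url):
    """The rule as commonly phrased: does the link 'end in salesforce.com'?
    Kept only to show where it goes wrong."""
    return url.strip().rstrip("/").endswith("salesforce.com")


def link_host(url):
    """Hostname the browser would actually connect to, or None if the link
    is not an https URL at all."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return None
    host = parts.hostname  # userinfo ("login.salesforce.com@evil.example") and port are stripped
    if not host or not host.isascii():
        return None        # non-ASCII hostnames can be homoglyphs of the real domain
    return host.rstrip(".")


def is_trusted_link(url, trusted=TRUSTED_DOMAINS):
    """True only when the hostname is one of the trusted domains or a subdomain
    of one (login.salesforce.com, acme.my.salesforce.com, acme.lightning.force.com)."""
    host = link_host(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


# Constructed sample links, the kind a user sees when hovering over a button.
SAMPLE_LINKS = [
    "https://login.salesforce.com/",
    "https://acme.my.salesforce.com/lightning/page/home",
    "https://evil-salesforce.com",                                   # look-alike registered domain
    "https://login.salesforce.com.evil.example/",                    # real domain used as a subdomain
    "https://login.salesforce.com@evil.example/reset",               # userinfo trick: host is evil.example
    "https://evil.example/login?next=https://login.salesforce.com",  # real domain only in the query
    "http://login.salesforce.com/",                                  # plain http: reject, Salesforce is https-only
]


def classify(links=SAMPLE_LINKS):
    """Return {url: (naive_verdict, proper_verdict)} for a list of links."""
    return {u: (naive_check(u), is_trusted_link(u)) for u in links}


if __name__ == "__main__":
    for url, (naive, proper) in classify().items():
        print(f"{'TRUST ' if proper else 'REJECT'}  naive={naive!s:5}  {url}")
```

Run it and the naive rule accepts the look-alike domain, the plain-http link and the link that only carries salesforce.com in its query string, while rejecting a perfectly legitimate Lightning page URL; the hostname comparison gets all seven right. The userinfo case is worth pointing out to users specifically, because the part before the @ is what catches the eye.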
What’s our single key Salesforce security best practice?
Once you've reminded your employees about their responsibility to secure corporate systems, it's time to look at how you can increase your Salesforce security by completing a security audit. FMT recommends conducting a security audit at least once a year. If you practice an annual audit, then after the first year, subsequent years’ audits will become relatively easy. This annual audit is integral to maintaining and improving your security.
In the meantime, let's look at some of the things you can do to secure your Salesforce org. First, you can check Session Settings, Password Policies, Login Access Policies, Certificate and Key Management and Remote Site Settings (there are more things to check, this is just a sample!).
If you go and check Session Settings, there are lots of options – so how do you know which ones are the safest?
Luckily, Salesforce lets you check how your org compares with its recommendations. This is called the Security Health Check. In Setup, go to Security | Health Check to get a list of all your security settings and how each compares to the recommended standard. It's a one-page security review, and you even get a rating.
Suppose the rating comes back as Poor. The results are grouped into High Risk, Medium Risk, Low Risk and Informational Security Settings. Salesforce's recommendations are called the baseline, and the further your settings fall below it, the lower your score. For example, the default minimum password length in Salesforce is 8 characters; if you lowered it to 5 to make life easier for your users, passwords become far easier to guess or brute-force, and that single setting drags down your overall score. What if you need a higher bar because you are in a field like healthcare or finance? Then you can define a custom baseline and compare your settings against that instead.
If you would like to get a higher score on security, you can change the options for each setting by clicking the edit button. Or you can change them all at once by pressing the Fix Risks button. As always, make your changes in a sandbox, test, and then fix in production.
Our final tip?
Many Salesforce admins hold the "Password Never Expires" user permission, granted either through their profile or through a permission set. The only account that should have it is an API-only integration user, and even that one should be locked down with login IP ranges. Granting it to anyone else, and to admins in particular, is a security risk: if that credential is ever phished or leaked, it stays valid indefinitely instead of rotating out.
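Both of the audit items above, the Health Check results and the "Password Never Expires" grants, can be pulled out of an org programmatically, which is what makes the annual audit cheap to repeat. The script below is an added example, not code from the original post or from Salesforce. It assumes you already have an instance URL and an OAuth access token from your own login flow (hypothetical inputs here), that the API version exposes the SecurityHealthCheckRisks Tooling API object, and that the object and field names match the Salesforce API reference for your version; verify them in Workbench or the Object Manager before relying on the queries. The network call is isolated in one function, and the two summarizers are exercised on constructed sample records so the script runs offline.

```python
"""
Added example (not from the original post): pull the two audit items discussed
above out of a Salesforce org through its REST and Tooling APIs.
  1. Health Check settings below the baseline (Tooling API, SecurityHealthCheckRisks).
  2. Every active user holding "Password Never Expires", whether it comes from
     their profile or from a permission set (PermissionSetAssignment).
Network access is confined to soql_query(); the summarize/find functions take
plain record dicts, so they are exercised below on constructed sample data.
"""
import json
import urllib.parse
import urllib.request

API_VERSION = "v52.0"  # assumption: any API version that exposes SecurityHealthCheckRisks works


def soql_query(instance_url, access_token, soql, tooling=False):
    """Run one SOQL query and return its records. instance_url and access_token
    are whatever your OAuth/login flow gives you (hypothetical inputs here)."""
    path = "tooling/query" if tooling else "query"
    url = f"{instance_url}/services/data/{API_VERSION}/{path}?q={urllib.parse.quote(soql)}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["records"]


HEALTH_CHECK_SOQL = (
    "SELECT RiskType, SettingGroup, Setting, OrgValue, StandardValue "
    "FROM SecurityHealthCheckRisks"
)
# Every user is also assigned the permission set that backs their profile
# (IsOwnedByProfile = true), so this one query covers both grant paths.
NEVER_EXPIRES_SOQL = (
    "SELECT Assignee.Username, Assignee.IsActive, Assignee.Profile.Name, "
    "PermissionSet.Label, PermissionSet.IsOwnedByProfile "
    "FROM PermissionSetAssignment "
    "WHERE PermissionSet.PermissionsPasswordNeverExpires = true"
)


def summarize_health_check(records):
    """Group every setting that misses the baseline by its risk type."""
    by_risk = {}
    for r in records:
        if r["RiskType"] == "MEETS_STANDARD":
            continue
        line = f'{r["SettingGroup"]} / {r["Setting"]}: org={r["OrgValue"]}, baseline={r["StandardValue"]}'
        by_risk.setdefault(r["RiskType"], []).append(line)
    return by_risk


def find_password_never_expires(records, allowed_usernames=()):
    """Active users holding the permission, minus the integration accounts you
    have deliberately exempted. Each finding says where the grant comes from."""
    findings = []
    for r in records:
        user, ps = r["Assignee"], r["PermissionSet"]
        if not user["IsActive"] or user["Username"] in allowed_usernames:
            continue
        source = (f'profile "{user["Profile"]["Name"]}"' if ps["IsOwnedByProfile"]
                  else f'permission set "{ps["Label"]}"')
        findings.append((user["Username"], source))
    return sorted(findings)


def audit_org(instance_url, access_token, allowed_usernames=()):
    """Live version: run both queries against a real org and summarize them."""
    health = soql_query(instance_url, access_token, HEALTH_CHECK_SOQL, tooling=True)
    grants = soql_query(instance_url, access_token, NEVER_EXPIRES_SOQL)
    return summarize_health_check(health), find_password_never_expires(grants, allowed_usernames)


# Constructed sample records, shaped like the API responses (minus the attributes metadata).
SAMPLE_HEALTH_CHECK = [
    {"RiskType": "HIGH_RISK", "SettingGroup": "PasswordPolicies",
     "Setting": "Minimum password length", "OrgValue": "5", "StandardValue": "8"},
    {"RiskType": "MEDIUM_RISK", "SettingGroup": "SessionSettings",
     "Setting": "Timeout value", "OrgValue": "8 hours", "StandardValue": "2 hours"},
    {"RiskType": "MEETS_STANDARD", "SettingGroup": "SessionSettings",
     "Setting": "Require HttpOnly attribute", "OrgValue": "Enabled", "StandardValue": "Enabled"},
]
SAMPLE_GRANTS = [
    {"Assignee": {"Username": "integration@acme.example", "IsActive": True,
                  "Profile": {"Name": "Integration API Only"}},
     "PermissionSet": {"Label": "Integration API Only", "IsOwnedByProfile": True}},
    {"Assignee": {"Username": "admin@acme.example", "IsActive": True,
                  "Profile": {"Name": "System Administrator"}},
     "PermissionSet": {"Label": "Password Never Expires", "IsOwnedByProfile": False}},
    {"Assignee": {"Username": "left.company@acme.example", "IsActive": False,
                  "Profile": {"Name": "Standard User"}},
     "PermissionSet": {"Label": "Password Never Expires", "IsOwnedByProfile": False}},
]

if __name__ == "__main__":
    for risk, lines in summarize_health_check(SAMPLE_HEALTH_CHECK).items():
        print(risk)
        for line in lines:
            print("   ", line)
    for user, source in find_password_never_expires(SAMPLE_GRANTS, {"integration@acme.example"}):
        print(f"REVIEW {user}: Password Never Expires via {source}")
```

On the sample data the 5-character password minimum shows up under HIGH_RISK and the admin's permission-set grant is the one finding that needs review; the integration user is on the allow-list and the deactivated user is skipped. Keep the allow-list short and written down, since the point of the annual audit is to make anything not on it stand out.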
If you are looking to set up for a successful 2021, begin the year with a security audit. You will not be slowed down by a breach, and – even better – you won’t have to worry about one. Direct all your efforts towards strategic planning for the new year instead. To learn more about what a Salesforce security audit might look like for your particular organization or to discuss another Salesforce security best practice with our team, please contact us here.