As the COVID-19 pandemic lingers on, companies around the world are proving that work can still get done remotely. The enterprise shift to a near-universal reliance on distributed teams has driven further adoption of cloud-based tools, and many organizations are now finding themselves better positioned to thrive in a dynamic market than they were before the crisis.
But while the relatively smooth transition that many companies have experienced is impressive, they now face a multitude of new risks. Many aren’t prepared to handle them.
A New Frontier
The Salesforce platform represents a natural gateway to the cloud for the countless enterprise customers already using it to support important business operations. Its baked-in security features and infinitely customizable functionality make it a safe and powerful tool capable of driving growth across your organization. However, cloud platform providers can’t protect customers from all risks. Over the course of recent remote work security risk assessments, we’ve found several recurring threats specific to working-from-home teams.
For starters, users creating and exporting reports — which can be run on virtually any platform data — often download sensitive data to a home or personal computer, exposing it to loss or theft (especially if that computer is already compromised).
Furthermore, companies that aren’t using VPNs or Virtual Workstations typically relax permissions governing data access; our aggregate 2020 Salesforce SRA findings revealed that, on average, 89% have some level of access to sensitive information stored in their orgs, and none of the firms in our report had configured the ability to monitor user behavior or store activity. In the event of an internal breach, it would be virtually impossible for them to pinpoint the source.
Moreover, many companies that have configured strong security controls aren’t always implementing solutions for showing the status of those controls. That can make it hard to prove your org is in compliance with least privilege access or external regulatory standards.
All of these risks pose a serious threat to companies that might be less prepared than ever to deal with the legal and ethical consequences of a data breach. Here are the steps compliance leaders and security teams can take to make sure they are avoided:
- Ensure your Org is classified appropriately. Salesforce has evolved from a SaaS contact management solution to something far more powerful — a PaaS capable of supporting or delivering core business applications. While many firms already know how to ensure availability and security for these applications, we’ve found that they often misclassify their Org, which results in significant oversights. If a Salesforce Org is given a “Type 1” or “Class A” classification, it should be treated as such from the standpoint of business continuity, disaster recovery, enterprise monitoring, security, and compliance.
- Utilize Shield to maintain platform visibility. The same user-friendly development features that make Salesforce great for supporting custom applications also make it a challenge for compliance teams. Fortunately, Shield can help you keep tabs on all kinds of information. Event Monitoring lets you view comprehensive usage data, for example, while Encryption protects data and Field Audit Trail records its state and value for up to 10 years. If you need help, you can find a number of third-party resources to help operationalize Shield. Besides reviewing the Salesforce security model, it’s also critical to thoroughly identify and classify the data residing in your Salesforce Org because classification ultimately has a significant effect on access controls.
- Make access controls a priority. Not everyone in your organization should be able to access the same data in your Org. When possible, firms should implement a least privilege access policy, ensuring that sensitive data can only be viewed and managed by the employees in charge of handling it. Likewise, a strong password policy and two-factor authentication protocols are critical, especially in a remote work environment. Data loss as a result of an internal breach is often preventable, but as your network expands, it takes deliberate action to continually keep data safe.
The companies that use Salesforce the most are usually the ones that get the most value from the platform. But as your usage expands, your security posture must be able to keep up. By capitalizing on the powerful security controls the platform offers, teams can mitigate many of the most pressing threats that accompany remote work.
Here's more to explore:
- Learn about Cloud Security Cockpit® to implement, manage and prove Salesforce security controls
- Free Download: The Auditors Guide to Salesforce
- Salesforce Best Practices to Enable Remote Work without Adding Unnecessary Risk
- Contact us to learn about a Salesforce Security Risk Assessment