Are you using Salesforce in the most secure way? Security is not a “set it and forget it” thing. We conduct Salesforce Security Risk Assessments for a number of clients and tend to see recurring themes that expose companies’ data. Here are the 7 most common mistakes we see with Salesforce Security:
1. Not Knowing Who Can See What
- Not understanding how roles should be determined and configured.
- Not knowing your users. As companies scale, it's hard for admins to really know their Salesforce users and who can (and should) see what data across the enterprise.
2. Moving Too Fast
- It’s easy to forget security settings when creating new objects and fields. Be present when adding new features. An extra 7 seconds per field to really reflect on every action will go a long way and prevent nasty future surprises.
3. Everyone’s an Admin
- Falling into the trap of sharing everything with everyone is an easy way to expose sensitive information.
- This can be an easy mistake when people are asking for more permissions to do their job.
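One way to answer "who can see what" and to catch "everyone's an admin" drift is to audit the org-wide data permissions (Modify All Data, View All Data, Manage Users) granted through profiles and permission sets. The script below is an added example, not code from the original post or from Salesforce; the SOQL query uses the standard `PermissionSetAssignment`, `PermissionSet` and `User` fields (profiles appear as `PermissionSet` rows with `IsOwnedByProfile = true`), and the JSON it processes is a constructed sample in the shape of a REST query response, not real org data. The function and variable names are this example's own.

```python
"""Audit who holds org-wide data permissions in a Salesforce org.

Added example (not from the original post). The SOQL query uses standard
PermissionSetAssignment / PermissionSet / User fields; the JSON sample is
constructed to mimic a REST query response and is not real org data.
"""
import json
from collections import defaultdict

# Profiles are stored as PermissionSet rows with IsOwnedByProfile = true, so a
# single query over PermissionSetAssignment covers both grant paths.
BROAD_ACCESS_QUERY = """
SELECT Assignee.Username, Assignee.IsActive,
       PermissionSet.Label, PermissionSet.IsOwnedByProfile, PermissionSet.Profile.Name,
       PermissionSet.PermissionsModifyAllData,
       PermissionSet.PermissionsViewAllData,
       PermissionSet.PermissionsManageUsers
FROM PermissionSetAssignment
WHERE Assignee.IsActive = true
  AND (PermissionSet.PermissionsModifyAllData = true
       OR PermissionSet.PermissionsViewAllData = true
       OR PermissionSet.PermissionsManageUsers = true)
"""

# Flags treated as "broad": each bypasses object- and record-level sharing
# or lets the holder grant access to others.
BROAD_PERMS = ("PermissionsModifyAllData", "PermissionsViewAllData", "PermissionsManageUsers")


def _record(username, label, by_profile, modify, view, manage):
    """Build one constructed PermissionSetAssignment record in REST response shape."""
    return {
        "Assignee": {"Username": username, "IsActive": True},
        "PermissionSet": {
            "Label": label,
            "IsOwnedByProfile": by_profile,
            "Profile": {"Name": label} if by_profile else None,
            "PermissionsModifyAllData": modify,
            "PermissionsViewAllData": view,
            "PermissionsManageUsers": manage,
        },
    }


# Constructed sample response: what the query above might return.
SAMPLE_RESPONSE = json.dumps({"totalSize": 3, "done": True, "records": [
    _record("admin@example.com", "System Administrator", True, True, True, True),
    _record("sales.rep@example.com", "Reporting Power User", False, False, True, False),
    _record("intern@example.com", "Data Loader Access", False, True, False, False),
]})


def summarize_broad_access(response_json):
    """Map each active user to sorted (source, permission) pairs granting broad access."""
    grants = defaultdict(list)
    for rec in json.loads(response_json)["records"]:
        user = rec["Assignee"]
        pset = rec["PermissionSet"]
        if not user.get("IsActive", True):
            continue  # inactive users cannot log in; leave them out of the report
        if pset["IsOwnedByProfile"]:
            source = f"{pset['Profile']['Name']} (profile)"
        else:
            source = f"{pset['Label']} (permission set)"
        for perm in BROAD_PERMS:
            if pset.get(perm):
                grants[user["Username"]].append((source, perm[len("Permissions"):]))
    return {u: sorted(g) for u, g in grants.items()}


def users_with(summary, perm):
    """Usernames holding a given broad permission, e.g. 'ModifyAllData'."""
    return sorted(u for u, g in summary.items() if any(p == perm for _, p in g))


def unexpected_admins(summary, approved_admins):
    """Users with ModifyAllData who are not on the approved admin list."""
    return [u for u in users_with(summary, "ModifyAllData") if u not in approved_admins]


if __name__ == "__main__":
    summary = summarize_broad_access(SAMPLE_RESPONSE)
    for user, user_grants in summary.items():
        print(user)
        for source, perm in user_grants:
            print(f"  {perm:<15} via {source}")
    print("Unexpected admins:", unexpected_admins(summary, {"admin@example.com"}))
```

Run the query against a real org (for example through the REST `query` endpoint or the Salesforce CLI) and feed the JSON to `summarize_broad_access`; keeping an approved-admin list in version control and diffing `unexpected_admins` on a schedule turns the one-off check into the ongoing review the post recommends.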
4. Insecure Integrations
- Developers can unintentionally expose endpoints publicly. It's important to identify all the various types of integrations and make sure they are continuously reviewed in your organization.
- Duplicating encrypted information into other systems, where it may not be equally secure.
5. Relying Too Much on the “Health Check”
- There’s a lot the Health Check can’t check because it is based on Salesforce's “baseline”. It can’t see beyond its own objectives, such as secure integrations and user access.
- The Health Check score can give a false sense of security if you look at the score without considering the risks it doesn't cover.
- You need to determine the baseline specific to your company's security posture.
6. Lack of Data Loss Prevention
- Most of your users have the ability and flexibility to delete data.
- Common mistakes include not tracking history on fields, not having a secure backup solution that allows you to restore old data, and a lack of "checks and balances" for exporting data.
7. Bought Shield But Not Implemented (A False Security Blanket)
- Not realizing that just because you bought Shield does not mean it's "on" or implemented.
- Failing to understand that encrypting everything is not a best practice.
- Neglecting the ongoing maintenance of Shield that comes with Salesforce releases (3x a year) and with changing or adding new data in your org.
Learn about our Security Risk Assessment which addresses these common mistakes, and more!