Are you using Salesforce in the most secure way? Security is not a “set it and forget it” thing. We conduct Salesforce Security Risk Assessments for a number of clients and tend to see recurring themes that expose companies’ data. Here are the 7 most common mistakes we see with Salesforce Security:

1. Not Knowing Who Can See What

• Not understanding how roles should be determined and configured.
  
  
• Not knowing your user. As companies scale, it's hard for admins to really know their Salesforce users and who can/should see what data, across the enterprise.

2. Moving Too Fast

• • It’s easy to forget security settings when creating new objects and fields.  Be present when adding new features. An extra 7 seconds per field to really reflect on every action will go a long way and prevent nasty future surprises.

3. Everyone’s an Admin

• Falling into the trap of sharing everything with everyone is an easy way to expose sensitive information.
  
  
• This can be an easy mistake when people are asking for more permissions to do their job. 

4. Insecure Integrations

• Developers can publicly expose endpoints.  It's important to identify all the various types of integrations and make sure they are constantly being reviewed in your organization.
  
  
• Duplicating encrypted info in other systems that are secure.

5. Replying Too Much on the “Health Check”

• There’s a lot the Health Check can’t check because it based on Salesforce's “baseline”. It can’t see beyond the health check objectives such as secure integration and users’ accessibility.
  
  
• The Health Check can be a false positive if you're looking at the score without considering other risks that aren't included in the Health Check.

• You need to determine the baseline specific to your company's security posture. 

6. Lack of Data Loss Prevention

• Most of your users having the ability and flexibility to delete data.
  
  
• Common mistakes include... not tracking history on fields, not having a secure backup solution that allows you to restore old data, and a lack of "checks and balances" for exporting data.

7. Bought Shield But Not Implemented
(A False Security Blanket)

• Not realizing that just because you bought Shield does not mean it's "on" or implemented. 
  
  
• Failing to understand that encrypting everything not a best practice.
  
  
• Neglect the ongoing maintenance of Shield that's related to Salesforce releases (3x a year) and changing/adding new data to your org. 

Learn about our Security Risk Assessment which addresses these common mistakes, and more!