It’s fair to say that 2020 held big changes for all of us, but one thing remained consistent — RevCult continued to conduct security risk assessments (SRAs) for our clients across industries, and those exercises continued to turn up vulnerabilities and security gaps in Salesforce implementations. These shortcomings and oversights put organizations at risk of noncompliance in the best case and catastrophic data loss in the worst case.
Our unique view into the inner workings of a host of different Salesforce implementations offers us a valuable look at some of the biggest challenges and obstacles organizations face. To help our clients make the most of this information, we put together an annual State of Salesforce Data Security Report that offers insights into the most impactful security initiatives a company can undertake.
One of the most pressing findings was that permissions are still being regularly granted to users in a blanket fashion, and in 2020, an alarming 70% of users could export reports containing valuable and sensitive data. Considering the average Salesforce org is chock-full of 2,600 fields of non-encrypted information, you can start to see what’s at stake in terms of internal IP, customer data, and noncompliance with different regulatory groups.
Understanding Shared Responsibility
While many organizations are struggling to secure their Salesforce data, some have fundamentally flawed frameworks in place that show these companies aren’t even aware of their responsibilities in this department. Salesforce may be tasked with protecting the platform, but it’s up to you as the user to configure your own implementation properly.
With about 10% of employees being granted administrative access on average, it’s clear that breaches, access errors, and accidental deletion are far from top of mind in the typical organization. Most employees don’t have malicious intent, but it’s still important to ensure that they can’t accidentally let sensitive information slip.
To secure the information contained in your Salesforce implementation, start with the following three steps:
- Lean on gold standards of security
Even if you keep privileged access limited to just the users who need it most, these individuals still represent a security risk that should be minimized. Enforce a strong password policy, ensure credentials are changed every 30 to 90 days, and educate users about the perils of using the same password across multiple accounts. Lean on two-factor authentication to provide an additional degree of security, whether it’s powered by an app like Google Authenticator or a physical security key.
- Educate your employees
Make sure your workers are aware of the latest changes to your data classification system, and explain the levels of data sensitivity and the purpose of the system in the first place. Use a resource such as a color code to make it easy for employees to identify the security risks associated with a piece of data. An elegant system based on the colors of the rainbow, for example, will allow employees to intuitively grasp risks, allowing them to handle data appropriately.
- Adopt straightforward permissions
People don’t make all users administrators because they think all users need administrative privileges — they do it because it’s easier and faster, and it seems at surface level to be an obvious solution to a complex problem. An effective permission set takes far more time to create, but it’s an investment in organizational security that will pay dividends for years. Create a permission set for the long haul, with straightforward names indicating what information each level unlocks. Be thorough so the next administrator to come along won’t be tempted to create a whole new system or just ignore permission sets entirely.
Adoption and implementation of Salesforce have exploded from the initial cloud-based SaaS CRM into a platform that powers many different parts of an organization, and securing it can be a struggle. In many cases, however, there are quick wins to be had. One of the most effective security measures you can take is to withdraw blanket administrative privileges and reissue them on a case-by-case basis according to a thorough, well-defined permission set. As your use of Salesforce expands, this permission set will serve to guide administrators and ensure that sensitive data stays in as few hands as possible.
Here's more to explore:
- NEW: Get a copy of RevCult’s report with 5 key takeaways: The State of Salesforce Data Security
- Learn more from Jonathan Hay on Salesforce Security: 10 Pieces of Advice From Cadence Bank on Agile Salesforce Security To Improve Client Experiences
- Read the 3 Steps to Assess Risk & Verify Security of Your Salesforce Data
- Learn about Cloud Security Cockpit® to implement, manage and prove Salesforce security controls
- Contact us to learn about a Salesforce Security Risk Assessment