Are you using Salesforce in the most secure way? Security is not a “set it and forget it” thing. We conduct Salesforce Security Risk Assessments for a number of clients and tend to see recurring themes that expose companies’ data. Here are the seven most common mistakes we see with Salesforce Security:
1. Not knowing who can see what
- Not understanding how roles should be determined and configured.
- Not knowing your user. As companies scale, it's hard for admins to really know their Salesforce users and who can/should see what data, across the enterprise.
2. Moving too fast
- It’s easy to forget security settings when creating new objects and fields. Be present when adding new features. An extra seven seconds per field to really reflect on every action will go a long way and prevent nasty future surprises.
3. Everyone’s an admin
- Falling into the trap of sharing everything with everyone is an easy way to expose sensitive information.
- This can be an easy mistake when people are asking for more permissions to do their job.
4. Insecure integrations
- Developers can publicly expose endpoints. It's important to identify all the various types of integrations and make sure they are constantly being reviewed in your organization.
- Duplicating encrypted info in other systems that are secure.
5. Relying too much on the Health Check
- There’s a lot the Health Check can’t check because it based on Salesforce's “baseline." It can’t see beyond the health check objectives such as secure integration and users’ accessibility.
- The Health Check can be a false positive if you're looking at the score without considering other risks that aren't included in the Health Check.
- You need to determine the baseline specific to your company's security posture.
6. Lack of data loss prevention
- Most of your users having the ability and flexibility to delete data.
- Common mistakes include not tracking history on fields, not having a secure backup solution that allows you to restore old data, and a lack of checks and balances for exporting data.
7. Bought Shield but not implemented (A false security blanket)
- Not realizing that just because you bought Shield does not mean it's "on" or implemented.
- Failing to understand that encrypting everything not a best practice.
- Neglect the ongoing maintenance of Shield that's related to Salesforce releases (three times a year) and changing/adding new data to your org.
Interested in learning more? Request a free Guided Risk Assessment for Salesforce today, or schedule a demo below.
