RevCult is now OwnBackup Secure! In 2021, OwnBackup acquired RevCult, enhancing the cloud data protection platform with proactive data security. With OwnBackup Secure, you will strengthen security posture by understanding data exposure risks and proactively taking action to protect and secure your data -- all within Salesforce.
Last year changed everything, and traditional ways of doing business went out the window alongside the mass exodus from the office. As employees were forced to learn their way around unfamiliar collaboration tools, share workspaces with spouses, and juggle childcare and distanced learning demands during the ensuing chaos, details like security and compliance often lay neglected near the bottom of the priority list. The same was true all the way up the corporate ladder, and one survey of C-level executives on Infosecurity Magazine found that 90% had canceled or postponed critical security projects on account of the transition to remote work.
Recognizing that the survival of many companies was at stake in the early days of the pandemic, numerous regulatory bodies opted to give these businesses a compliance grace period in the same way banks and utilities let missed mortgage payments or electricity bills slide without penalizing customers or withholding service. As investment adviser representatives relocated to shelter-in-place, for example, state regulators in Delaware and Alabama offered now-expired grace periods. Maine extended its grace period until Jan. 29, 2021, and New Hampshire continued its grace period indefinitely.
Cybercriminals were of a different mind. Instead of giving the world time to come to grips with the pandemic and get security matters in order, they redoubled their efforts: The same Infosecurity Magazine report saw 90% of CXOs reporting an increase in cyberattacks since remote work began in earnest.
Cybercrime isn’t carried out by enterprising computer engineers looking to make a quick buck. These hackers are hardened criminals, and a report by the Federal Bureau of Investigation in conjunction with the Department of Homeland Security and the Department of Health and Human Services illustrated that hacker groups are deliberately targeting the most vulnerable systems — including those relied on by healthcare providers — at the height of the COVID-19 pandemic.
Network insecurities can have devastating consequences for healthcare providers and their patients, but a business breach can also threaten the survival of the company that falls victim. The loss of valuable data, the substantial time and effort to get systems back up and running, and the very real damage to a company’s reputation all add up to an astronomical cost — and that’s before considering the fines and fees sure to be levied by a large and growing number of regulatory bodies that keep industries in check.
The days of the Wild West of data are behind us, and businesses around the world face ever-increasing scrutiny over what kind of data they use, how they collect it, how they store it, and what prudent measures they take to protect it. In the healthcare space, the Health Insurance Portability and Accountability Act applies to only a small portion of the industry, but it has become a broad standard informing how patients access their information and how providers treat this data.
The United States Congress passed the Gramm-Leach-Bliley Act in 1999 to establish broad data reporting requirements in the finance industry, but there’s also legislation at the state level across the U.S. The New York Department of Financial Services passed Cybersecurity Regulation 23 NYCRR 500 in 2017, for instance, which requires covered entities to conduct cybersecurity risk assessments and put together plans that promise to mitigate those risks.
Other legislation, such as Europe’s comprehensive General Data Protection Regulation, applies across industries. Even companies based outside of Europe are held to GDPR standards if they do business with European customers and thus interact with their data. Without equivalent regulation at the federal level in the U.S., some states — including California with the California Consumer Privacy Act, or CCPA — are looking to pass their own sweeping GDPR-like legislation.
When you combine the tangled web of compliance demands with the overarching capabilities of a cloud program such as Salesforce, it’s easy to see how compliance can go from a nuisance to a nightmare. While many client companies expect Salesforce to take care of security, they often fail to realize that the platform is only partially responsible for the data contained within it.
One of the first lawsuits citing the CCPA was Barnes v. Hanna Andersson, LLC, in which a plaintiff sought damages against the retailer of children’s apparel after a 2019 data breach gave hackers access to the personally identifiable information (PII), including credit card data, of more than 200,000 customers. Salesforce was also named as a defendant because the retailer utilized the cloud provider’s e-commerce platform. But while Hanna Andersson is paying $400,000 in damages, Salesforce isn’t contributing a dime.
Why is that? Salesforce takes the platform’s security very seriously, but that doesn’t mean the provider is responsible in the event of a breach. Ultimately, much of the security burden falls on customers, whose actions can either increase the safety of their data or put it directly at risk. Our experience has taught us that misconfigurations drive 99% of security failures, which means the blame for a breach is almost always squarely on the Salesforce customer.
To identify these security shortcomings before they blow up into breaches, your organization will need to conduct thorough audits that produce actionable intelligence.
Whether they’re conducted by internal compliance professionals or enforcement officers sent by regulatory bodies, audits are a necessary part of security. The audit process helps identify what information is present in your Salesforce Orgs, what kind of risk that information poses to your organization, and ways to secure your data against both internal and external threats.
Audits are also valuable in that they give technology and product ownership teams an opportunity to step away from their typical deployment activities and work with compliance and security professionals. As a result, non-security personnel come away with a better understanding of their roles in security. Developing a culture that prioritizes security takes time, but audits will help put you on the path toward this goal.
In the meantime, to prepare for the audit process and improve audit outcomes, focus on these five strategies:
Internal compliance professionals often have little understanding of Salesforce security and how the platform is utilized throughout the business, but that’s our specialty. RevCult works with clients in various stages of security preparedness. An alarming 75% of our customers come to us with dangerously misconfigured access and security settings. Even on the more diligent end of the spectrum, we have yet to encounter a Security Risk Assessment customer with a full classification of the data being stored in the Salesforce Org.
A successful audit of your Salesforce platform and the associated risks is impossible without knowing what kind of data is stored and how it's utilized throughout your organization. To make the most of your organization's audits, you should strongly consider working with a third-party expert.
The Salesforce platform has gone far beyond a simple CRM, and it now offers an entire suite of powerful enterprise applications. The incredible variety of solutions is undoubtedly a strength of the platform, but it can lead to weaknesses in security for the businesses that aren't prepared to conduct proper audits. At RevCult, our business is Salesforce security and governance so that your business can focus on what it does best. We help auditors navigate complex compliance requirements, implement appropriate security configurations, and manage an organization's data sprawl within the broader Salesforce platform.
Interested in learning more? Request a free Guided Risk Assessment for Salesforce today, or schedule a demo below.