Salesforce Security: 7 Most Common Mistakes That Put Your Org at Risk

Posted by Pete Thurston on Mar 13, 2019 2:42:44 PM


Are you using Salesforce in the most secure way? Security is not a “set it and forget it” thing. We conduct Salesforce Security Risk Assessments for a number of clients and tend to see recurring themes that expose companies’ data. Here are the 7 most common mistakes we see with Salesforce Security:


1. Not Knowing Who Can See What

Salesforce Security Comic 1

  • Not understanding how roles should be determined and configured.

  • Not knowing your users. As companies scale, it's hard for admins to really know their Salesforce users and who can (and should) see what data across the enterprise.



2. Moving Too Fast

Salesforce Security Comic 2

  • It’s easy to forget security settings when creating new objects and fields. Be present when adding new features: an extra 7 seconds per field to really reflect on each action will go a long way and prevent nasty surprises later.


3. Everyone’s an Admin

  • Falling into the trap of sharing everything with everyone is an easy way to expose sensitive information.

  • This is an easy mistake to make when people keep asking for more permissions to do their jobs.

Salesforce Security Comic 3
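Mistakes 1 and 3 both come down to not knowing who actually holds org-wide admin rights. The script below is an added example, not code from the original post: it audits the result of the SOQL query shown in its comment (PermissionSetAssignment and the Permissions* fields are standard Salesforce names; the records and the expected-admin allow-list are constructed for the example) and reports every active user outside the allow-list who holds Modify All Data, View All Data or Author Apex, together with the profile or permission set that grants it.

```python
# Constructed sample of what this SOQL query returns (standard object and field
# names are real; the records are made up for the example):
#   SELECT Assignee.Username, Assignee.IsActive, PermissionSet.Label,
#          PermissionSet.PermissionsModifyAllData, PermissionSet.PermissionsViewAllData,
#          PermissionSet.PermissionsAuthorApex
#   FROM PermissionSetAssignment
def _assignment(username, active, label, modify_all, view_all, author_apex):
    return {"Assignee": {"Username": username, "IsActive": active},
            "PermissionSet": {"Label": label,
                              "PermissionsModifyAllData": modify_all,
                              "PermissionsViewAllData": view_all,
                              "PermissionsAuthorApex": author_apex}}

SAMPLE_ASSIGNMENTS = [
    _assignment("admin@example.com", True, "System Administrator", True, True, True),
    _assignment("rep@example.com", True, "Sales User", False, False, False),
    # A "temporary" permission set nobody removed: mistake 3 in practice.
    _assignment("rep@example.com", True, "Temp Data Fix", True, False, False),
    _assignment("marketing@example.com", True, "Marketing User", False, True, False),
    # Deactivated users can't log in, so they are excluded from findings.
    _assignment("contractor@example.com", False, "Temp Data Fix", True, False, False),
]

# Hypothetical allow-list: the only accounts that should hold org-wide admin rights.
EXPECTED_ADMINS = {"admin@example.com"}

# Org-wide permissions that bypass sharing rules or permit code execution.
RISKY_FLAGS = ("PermissionsModifyAllData", "PermissionsViewAllData",
               "PermissionsAuthorApex")


def audit_admin_access(assignments, expected_admins):
    """Return {username: {risky_flag: [granting profile/permission set labels]}}
    for every active user outside the allow-list who holds a risky permission."""
    findings = {}
    for a in assignments:
        user, ps = a["Assignee"], a["PermissionSet"]
        if not user["IsActive"] or user["Username"] in expected_admins:
            continue
        for flag in RISKY_FLAGS:
            if ps.get(flag):
                findings.setdefault(user["Username"], {}) \
                        .setdefault(flag, []).append(ps["Label"])
    return findings


if __name__ == "__main__":
    for user, grants in audit_admin_access(SAMPLE_ASSIGNMENTS, EXPECTED_ADMINS).items():
        for flag, labels in grants.items():
            print(f"{user}: {flag} via {', '.join(labels)}")
```

Run against a real export, the report tells you which permission sets to revoke and which profiles to tighten; anyone who legitimately needs the access goes on the allow-list so the next run stays quiet.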

4. Insecure Integrations

Salesforce Security Comic 4

  • Developers can expose endpoints publicly. Identify every type of integration your organization uses and make sure each one is reviewed on an ongoing basis.

  • Duplicating encrypted information into other systems that are secure.


5. Relying Too Much on the “Health Check”

Salesforce Security Comic 5

  • There’s a lot the Health Check can’t check, because it is based on Salesforce's “baseline”. It can’t see beyond its own objectives, so areas such as integration security and what users can access are out of its scope.

  • The Health Check score can be misleading if you look at it without considering the risks the Health Check doesn't cover.

  • You need to determine the baseline that fits your company's own security posture.


6. Lack of Data Loss Prevention

Salesforce Security Comic 6

  • Most of your users have the ability and flexibility to delete data.

  • Common mistakes include not tracking field history, not having a secure backup solution that lets you restore old data, and lacking "checks and balances" for exporting data.


7. Bought Shield But Not Implemented (A False Security Blanket)

Salesforce Security Comic 7

  • Not realizing that just because you bought Shield does not mean it's "on" or implemented.

  • Failing to understand that encrypting everything is not a best practice.

  • Neglecting the ongoing maintenance Shield needs as Salesforce ships releases (3x a year) and as you change or add data in your org.


Learn about our Security Risk Assessment which addresses these common mistakes, and more!

Topics: Salesforce Security & Privacy
