Salesforce Security | 7 Ways to Lock Down Your Org
Cybersecurity is all the rage now, and for good reason too. With over 62% of businesses reporting phishing and social engineering attacks in 2018 alone (Cybint Solutions), it’s clear that attacks are on the rise. At Flosum, one of our main concerns is the security of our customers’ valuable data. Flosum itself provides some security precautions, such as being a native app that does not require access to your data, and the ability to set up user permissions, but there are many more precautions every organization can take to ensure that its orgs and Salesforce data remain secure.
Fortunately, you don’t have to be a cybersecurity expert to take advantage of these powerful Salesforce security measures. We’re going to dive into 7 key tools, besides Flosum, that you can put in place today to help secure your Salesforce organization from threats and hackers.
1. Multi-Factor Authentication
According to Microsoft, multi-factor authentication blocks 99.9% of automated cyberattack attempts. There are not many cybersecurity tools that can boast that kind of record, so it’s a must-have for any company looking to bolster its security.
Multi-factor authentication (MFA) works by asking the user to confirm a login through another device or method. Instead of just entering a password to gain access, MFA requires the correct password and then a secondary verification, such as a code sent to your phone or email address. Of course, this doesn’t help much if the password for your email is the same as for Salesforce, so we recommend making sure they are different.
You can enable multi-factor authentication in your organization by going to the Profiles area in Setup and selecting the “Two-Factor Authentication for User Interface Logins” setting. An article that details the entire process can be found here.
2. Set IP Ranges
If your employees work out of specific locations, then setting IP ranges for logins can be very effective. Login IP ranges limit access to Salesforce by allowing users to log in only from computers in a specified range. While no one outside your network will be able to log in, it does make working from home quite difficult. Security is all about managing trade-offs, though, and each of these security measures trades off accessibility to a different degree.
The IP Ranges setting can be found in the same place as Multi-Factor Authentication, under Profiles. If you would like more information on how to define IP ranges for profiles, Salesforce has a great article here that details the process.
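As an added example (not from the original article or from Flosum), here is a Python check to run before enforcing login IP ranges: it reads a LoginHistory-style export (a constructed sample; the column names and Status values are assumptions) and lists logins that fall outside the proposed start/end ranges, so the working-from-home trade-off described above can be sized before anyone is locked out. Failed logins are flagged as well.

```python
import csv
import io
import ipaddress

# Constructed sample in the shape of a Salesforce LoginHistory export.
# Column names and Status values are assumptions for this example.
LOGIN_HISTORY_CSV = """Username,LoginTime,SourceIp,Status
alice@example.com,2024-03-04T08:12:00Z,203.0.113.17,Success
bob@example.com,2024-03-04T09:40:00Z,198.51.100.250,Success
carol@example.com,2024-03-04T22:05:00Z,192.0.2.44,Success
alice@example.com,2024-03-05T03:30:00Z,203.0.113.17,Invalid Password
"""

# Constructed login IP ranges for one profile, written the way Salesforce
# defines them: a start address and an end address per range.
PROPOSED_RANGES = [
    ("203.0.113.0", "203.0.113.255"),    # office network (documentation range)
    ("198.51.100.0", "198.51.100.127"),  # VPN pool (documentation range)
]


def in_ranges(ip, ranges):
    """True if ip falls inside any start/end range (start and end inclusive)."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(start) <= addr <= ipaddress.ip_address(end)
               for start, end in ranges)


def audit_logins(csv_text, ranges):
    """Return (username, source_ip, reason) for each login that deserves review:
    a login from outside the proposed ranges, or a login that did not succeed."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not in_ranges(row["SourceIp"], ranges):
            findings.append((row["Username"], row["SourceIp"], "outside login IP ranges"))
        if row["Status"] != "Success":
            findings.append((row["Username"], row["SourceIp"], "status " + row["Status"]))
    return findings


def users_to_notify(findings):
    """Usernames whose current login sources would be cut off once the ranges are enforced."""
    return sorted({user for user, _ip, reason in findings if reason == "outside login IP ranges"})


if __name__ == "__main__":
    found = audit_logins(LOGIN_HISTORY_CSV, PROPOSED_RANGES)
    for user, ip, reason in found:
        print(f"{user:20} {ip:16} {reason}")
    print("notify before enforcing:", ", ".join(users_to_notify(found)))
```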
3. Password Policies
Probably the easiest one to think of, but often overlooked, is enabling and defining password policies for users. Salesforce makes several recommendations about password policies that would be wise to follow:
1. Set passwords to expire after 90 days to force users to reset their passwords consistently.
2. Set a minimum password length of 8-10 characters.
3. Add complexity by setting passwords to include a mix of alphanumeric and special characters.
These password policies only work if users are diligent about not sharing their passwords. Make sure to remind your company’s employees never to share their Salesforce passwords with anyone. Admins can access any account when needed, and Salesforce representatives will never ask for a password, so there is no reason anyone should give one out.
4. Salesforce Shield
Looking for something a little more comprehensive? Then Salesforce Shield has you covered. Salesforce Shield is an additional package that installs into any organization and basically injects steroids into its security systems. Salesforce Shield also provides field and file encryption, allowing companies to easily store sensitive information to meet PII, HIPAA, and PCI compliance standards.
If your company is publicly traded, then you need to follow SOX compliance standards. If you have not heard of SOX compliance, we have a great article about Salesforce and SOX here. With Event Monitoring and Field Audit Trail from Salesforce Shield, Salesforce tracks every interaction so an auditor can easily see who is accessing any data, anytime, anywhere.
Interested in Salesforce Shield and want more information? Get the full datasheet by filling out this form here.
5. My Domain
On top of giving you a cool custom domain to increase employee pride, My Domain offers several added security benefits. Besides being a requirement for multi-factor authentication, My Domain can block or redirect login attempts from URLs that do not use the new domain name. My Domain also allows users to work in multiple organizations at the same time and to log in using social accounts like Google or Facebook.
To enable My Domain, you will have to create a custom domain for your company. The setting to activate it can be found by going to Setup and entering “My Domain” into the Quick Find box.
6. Session Timeouts
Employees often leave for meetings or lunch breaks with their computers open. This poses a serious security risk, as anyone in the building can sit at their desk and access the system. It’s always good to assess whether this risk applies to your company specifically. If it does, decreasing the session timeout can help limit that vulnerability.
The session timeout time can be set between 30 minutes and 8 hours, with the default being 2 hours. Talk to your security and IT advisors to set an appropriate time depending upon your risk level.
7. Continuing Education
At the end of the day, security policies can only go so far to prevent breaches. A door can have a hundred locks that instantly become useless if someone inside opens it. That’s why continuing education is so important for maintaining a strong security system.
According to Purplesec, 98% of cyber attacks rely on social engineering. When a hacker tricks a user into opening the door by clicking on a link or downloading a file, that’s social engineering. With the COVID-19 outbreak, there has been a noticeable uptick in the number of cyber criminals attempting social engineering schemes. Keep your company protected by holding company seminars about recognizing phishing attempts and best internet practices.
What goes into creating a good security profile is not any individual tool we discussed, but a combination of them. The more of these security tools you implement, the more secure your organization will be.