Navigating Salesforce Threats: Your Largest Container of Data

Customer records, financial information, personally identifiable information (PII) — Salesforce is the virtual motherlode of data prized by cybercriminals. To properly guard your Salesforce data, you must be on the lookout for potential threats.  Data breaches are extremely costly...

Navigating Salesforce Threats: Your Largest Container of Data

Customer records, financial information, personally identifiable information (PII) — Salesforce is the virtual motherlode of data prized by cybercriminals. To properly guard your Salesforce data, you must be on the lookout for potential threats

Data breaches are extremely costly and can cause you to fall out of compliance with data security regulations. Every company can potentially lose millions of dollars from a seemingly harmless error that leads to data loss.

The average cost of a data breach in 2022 was $4.35 million. The Heroku breach is a perfect example of unseen risks compromising Salesforce environments. 94% of companies that experience a data loss event cannot fully recover.

Here are 10 threats facing your Salesforce environment and how to address them:

1. Generic Profile Settings

Upon creating a Salesforce profile, users are assigned permission settings that determine their level of access. Over time, profiles are customized and repeated for similar roles. However, automatically reusing profiles gives team members access to data sets they don’t need to perform their duties.

Giving exporting and editing capabilities to too many people greatly increases the likelihood of a costly, accidental deletion.

New Salesforce users should receive a profile with minimum access. From there, their permissions can be adjusted based on their specific function on the team.

However, that does not address legacy issues already in the system. Companies, no matter how large they are, should regularly audit existing profiles and ensure everyone has the appropriate access. Companies should consider using automated DevSecOps tools to scan profiles, reduce workload, and ensure total coverage.

2. Misconfigured APIs

An application programming interface (API) helps development teams speed up the production of new applications and updates. Additionally, APIs have the capacity to facilitate customer-facing services without requiring extensive back-end work.

APIs are great for cloud-based services because they connect an organization’s infrastructure with active functions. However, misconfigured APIs create data security vulnerabilities for companies running business functions in a public cloud.

A survey from the SANS institute found that 54% of information security professionals recognized these misconfigurations as a major concern. Attacks that target insecure APIs are becoming more frequent.

Protecting these essential functions requires intentional setup practices and a review of existing APIs. To begin the process, one must understand the various types of APIs, including:

Private APIs – Reserved for internal purposes and provide the highest levels of control. Partner APIs – Shared with strategic business partners to facilitate streams of revenue. Public APIs  – Open to everyone and interact with third-party applications.

Recognizing the differences between the various kinds of APIs helps properly configure the settings.

3. Error-Prone Applications

A streamlined DevSecOps pipeline offers a series of benefits for an organization. This includes happier customers, more stable systems, and industry credibility. It’s tempting to prioritize speed to be the first to bring a new product to market. However, rushing leaves more room for costly errors and bugs.

Buggy updates and applications can potentially create back doors for cybercriminals and spark a data loss event resulting from a misfire.

Technical debt is, unfortunately, an accepted practice in application development. This means that a company will go back and fix errors after production, focusing on producing an update or application as quickly as possible. Oftentimes, these bugs are lost. They never get fixed and create data security vulnerabilities.

It might sound overly simple, but the best way to address this problem is to produce healthy code the first time, every time. But how do you eliminate the effects of human error?

An automated code scanning tool like static code analysis provides total coverage over code health to ensure errors are immediately recognized and fixed. Not only will this save developers’ time, but it will also increase ROI and streamlines the DevSecOps pipeline.

4. Infrequent Data Backup Schedule

Properly protecting your Salesforce data requires a comprehensive view. This includes considering what will happen after a worst-case scenario occurs. And this might not be pleasant to think about, but it’s essential to have a disaster recovery plan in place.

It’s impossible to guarantee the safety of your Salesforce data. Every threat imaginable could be covered, but something uncontrollable, like a natural disaster, can still lead to an outage.

A recent study (enterpriseappstoday dotcom)/backup-statistics) found that 75% of small businesses don’t have a recovery plan in place during an outage.

Failing to properly back up sensitive data leaves your organization at risk of falling out of compliance.

Companies should analyze their needs in relation to a few considerations:

How quickly do they need to return to operations? How much data can they realistically store? Which data sets are critical to protect?

From there, companies should create a repeated and automated schedule of backups.

This might seem like a lot of work without immediate payoff, but you’ll thank yourself when the lights go out.

5. Relaxed Cybersecurity Standards for Team Members

Having a false sense of security can lead to becoming dangerously complacent on basic best practices for cybersecurity. Oftentimes, when you don’t experience a breach for an extended period, the threat of cybercrime feels less imminent. However, this is just an illusion.

Team members must maintain basic security standards at all times. Failing to do so makes your organization an easy target for cybercriminals.

There are several types of phishing attacks, which is why it is considered one of the most common forms of cybercrime. Team members must be consistently reminded of how to spot these attacks, so they don’t create an easy entry point for bad actors.

Another frequently ignored factor is the passwords your team uses to connect with the Salesforce environment. These passwords should: be at least ten characters, including a mix of letters, numbers, and symbols, and be updated at least every 90 days.

Maintaining cybersecurity standards through continued training establishes a base level of protection around your Salesforce data. There are already enough threats to your data. You don’t want to create more entry points through a lack of diligence.

6. Undefined Security Owner

Everyone is aware that cybersecurity is a necessary consideration. Team members focus on avoiding suspicious emails and updating their passwords. Developers focus on creating the most stable applications possible.

Isn’t that enough to secure your Salesforce environment?

No. Failing to explicitly assign responsibility for overseeing security considerations in each department opens the potential for something to fall through the cracks and create a data security risk.

A specified data security owner must maintain updated knowledge of security policy details and compliance requirements. They will also communicate these needs to other team members to verify all applicable requirements are met.

Nominate a team member to tackle these considerations. Depending on the size of your team, you might need to get individuals from several departments involved.

Managing the implementation of security tools, updated data security policies, and adherence to internal rules provides the level of oversight needed to protect your Salesforce environment from evolving data security threats.

Salesforce contains your most sensitive information. Make sure your organization is doing everything it can to protect critical data.

7. Incomplete Data Security Infrastructure

The way your Salesforce platform is set up significantly impacts the success of your data security strategy. Think of it like locking your doors: leaving entry points unlocked makes it much easier for a bad actor to cause problems.

Failing to keep the technological infrastructure of your platform in mind can lead to unnecessary risks—particularly for companies that work in the cloud. The increased adoption of remote work has also led to heightened cybersecurity risks.

To address the risks of remote work, considerations such as firewalls and working on-premises make it much more difficult for a cybercriminal to access your Salesforce environment.

Firewalls create a barrier between a system and the rest of the internet. This is a critical component of a complete data security strategy for companies working in the cloud. The additional layer of security helps fill in the cracks of other vulnerabilities.

Not every company can use on-premises hosting, but those that do get the most control over their environment. Salesforce users in highly regulated industries, such as finance and healthcare, should consider this option to keep sensitive information more secure.

8. Outdated Security Snapshot

Do you know what’s going on in your Salesforce environment right now? If not, there could be security vulnerabilities currently threatening your sensitive information. Technical debt and outdated permissions keep your sensitive data at risk.

For example, a recent study by Beyond Identity found that nearly one out of four former employees retained access to company data. This is a concerning exposure of data that can leave companies vulnerable to data loss and non-compliant with data security regulations.

To stay aware of emerging and existing threats, teams must conduct frequent audits, regularly analyze reports, and continually update dashboards.

Using a policy scanner, static code analysis tool, and other automated scanners is the best way to maintain a high-level view of the health of your Salesforce environment. This also reduces the burden of difficult tasks for team members.

To ensure protection, companies should run scans regularly. Quickly finding and fixing security issues reduces the damage an exposure can cause and can even prevent the damage from occurring in the first place.

Placing Too Much Trust in Salesforce Itself

Salesforce has more than 150,000 users. All of these individuals trust Salesforce with their most sensitive data. That said, with a company as large as Salesforce, it’s often assumed that there are data security systems in place to protect each individual environment.

Salesforce itself is secure. Your particular instance is not.

Every managed package, customization, and add-on we use to tailor our Salesforce environments to match our needs introduces another potential failure point. These environments are often connected to dozens of applications and systems, each of which has the ability to become compromised and serve as an entry point into your network.

We are in control of our own data security destiny. Salesforce users must take steps to protect their individual environment.

To start, someone in-house should manage using a third-party backup tool, working off-platform to avoid outages, and guarding access points. Failing to do so leaves coverage gaps that can be exploited by cybercriminals. This has the potential to put your data, records, and environment as a whole at risk.

10. Undeserved Complacency

It only takes a moment of weakness for a security breach to occur. Many companies go extended periods of time without any issues whatsoever, which makes it easier to slack on maintaining proper data security methods.

Because of this, strengthening your Salesforce environment is a constant consideration that needs continuous revisiting, analyzing, and updating.

Cybercriminals are constantly refining their methods of attack. Our defenses need to be just as sophisticated.

Hardening your Salesforce data means protecting your customers, team members, and business. In contrast, failing to preserve data for any of these entities will have catastrophic results.

To avoid this, teams should incorporate proper data governance—including sourcing new DevSecOps tools, overseeing success and failures in your data security strategy, maintaining frequent training sessions, and encouraging open communication. These approaches make all the difference between properly securing sensitive data and experiencing a detrimental breach.

Featured Image Credit: Photo by Nataliya Vaitkevich; Pexels; Thank you!

Prashanth Samudrala

Vice President of Products - AutoRABIT

Prashanth is the VP of Product Management for AutoRABIT. As a former Salesforce developer and architect, his knowledge of Salesforce DevOps comes from extensive experience. He currently lives in Chicago, IL and is a big fan of its food and beer.