Salesforce has a lot of built-in security measures that make working from home just as secure as being physically in an office. In the age of information, it’s important to keep data secure not only for your clients but also for your own peace of mind. In 2019 alone, over 1400 data breaches were discovered, resulting in millions of dollars in fines. Data breach insurance is becoming increasingly popular as well. It’s our duty as businesses operating with consumer data to take every precaution to protect our clients’ PII (personally identifiable information). Let’s go over some of the ways Salesforce empowers us to do just that.
2 Factor Authentication
One of the best defenses offered by Salesforce is 2 Factor Authentication (2FA). With 2FA, a user is required to have their device on hand in order to validate each and every login. If a user in your organization were to have their password stolen, the malicious actor on the other end would not be able to get to any data without also having physical access to the user’s smartphone. The idea behind 2FA is to protect your account with both something you know and something you have.
Getting started with 2 Factor Authentication in Salesforce is easy. Just head to the 2FA Admin Rollout Guide provided by Salesforce to get started.
Another security feature that Salesforce has is login hours. For example, Andrew works 8:00 am to 5:00 pm Monday through Friday. We can configure a login window to only allow him to log in and log out from 7:00 am to 6:00 pm Monday through Friday. This acts as an additional layer of protection from potential abuse or data theft.
Here is a quick guide from Salesforce on setting up login times for your users.
In the work-from-home environment, it is sometimes important to ensure that users are logging into your Salesforce organization through a VPN or home address. One way Salesforce can enforce this is through IP address whitelisting. We consider this a more advanced feature. You can read more about setting it up here.
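As an added illustration (not from the original article or from Salesforce), the login-hours window and the IP allowlist described above can also be used to review login records after the fact. The record layout, the fixed UTC-8 org time zone and the 203.0.113.0/24 VPN range are assumptions, and the sample records are constructed.

```python
from datetime import datetime, time, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumptions for this example, not values from the article or Salesforce:
ORG_TZ = timezone(timedelta(hours=-8))   # fixed offset; use zoneinfo.ZoneInfo for a DST-aware zone
LOGIN_DAYS = {0, 1, 2, 3, 4}             # Monday=0 .. Friday=4
WINDOW_START, WINDOW_END = time(7, 0), time(18, 0)   # 7:00 am to 6:00 pm
ALLOWED_NETS = [ip_network("203.0.113.0/24")]        # hypothetical VPN egress range

# Constructed sample login records (timestamps in UTC), not real login history.
SAMPLE_LOGINS = [
    {"user": "andrew", "time_utc": "2024-03-04T16:30:00+00:00", "ip": "203.0.113.10"},
    {"user": "andrew", "time_utc": "2024-03-05T03:15:00+00:00", "ip": "203.0.113.10"},
    {"user": "andrew", "time_utc": "2024-03-09T18:00:00+00:00", "ip": "198.51.100.7"},
    {"user": "andrew", "time_utc": "2024-03-06T01:59:00+00:00", "ip": "198.51.100.7"},
]

def audit_login(rec):
    """Return the list of policy findings for one login record."""
    findings = []
    # Convert to the org time zone before comparing against the window.
    local = datetime.fromisoformat(rec["time_utc"]).astimezone(ORG_TZ)
    in_window = (local.weekday() in LOGIN_DAYS
                 and WINDOW_START <= local.time() < WINDOW_END)
    if not in_window:
        findings.append("outside_login_hours")
    try:
        addr = ip_address(rec["ip"])
    except ValueError:
        # A source address that cannot be parsed is a finding, not a pass.
        findings.append("unparseable_ip")
    else:
        if not any(addr in net for net in ALLOWED_NETS):
            findings.append("ip_not_allowed")
    return findings

def audit(records):
    """Map record index -> findings, for records with at least one finding."""
    return {i: f for i, rec in enumerate(records) if (f := audit_login(rec))}

if __name__ == "__main__":
    for idx, findings in audit(SAMPLE_LOGINS).items():
        rec = SAMPLE_LOGINS[idx]
        print(rec["user"], rec["time_utc"], rec["ip"], ",".join(findings))
```

A login that is stored in UTC can fall on a different local day than its timestamp suggests, which is why the conversion happens before the weekday check.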
Disable Export Report
Disabling a user’s ability to export reports can help prevent protected information from being downloaded. Under General User Permissions you can uncheck “Export Reports” to remove this feature. While it does not stop users from printing and copy-pasting data, it does prevent them from immediately having access to data in a well-formatted way. For additional security, you will want to consider Salesforce Shield.
Organization-Wide Password Policies
It is important not only to use secure passwords but also to rotate them often. A data breach involving a third-party site could end up affecting your organization if users have the same password on both. This is not uncommon, which is why many websites recommend using a unique password for every website you are subscribed to. Expiring passwords organization-wide ensures that the likelihood of this occurring is very small.
Secure Password Generation & Sharing
Sometimes in an organization, we need to share logins with other individuals. DO NOT USE A SPREADSHEET FOR THIS! In smaller businesses, it’s tempting to simply have a text document or a spreadsheet to keep passwords on. This is insecure firstly because it’s not encrypted. Secondly, if you lose access to the machine, the passwords are all compromised. At MyOutDesk, we use 1Password to securely generate a random password and share any login information between devices or other users. Never share a Salesforce Login! We are listing this tip here since passwords are sometimes used in multiple places and it’s important to make sure Salesforce is not one of those.
If the data inside your Salesforce instance is subject to strict compliance standards such as HIPAA, then you will want to look into using Salesforce Shield. Salesforce Shield offers additional encryption features suitable for financial services, healthcare, or businesses looking to protect certain IP or trade secrets. Shield also offers special Event Monitoring services, which keep track of all data into and out of your system (reports, saved data, API access, etc.). Additionally, this data is constantly monitored by Salesforce for unexpected behavior and unusual activity.