You can’t mitigate risk if you don’t know it exists.
To identify potential Salesforce data security threats, reduce operational risk, increase security performance, and achieve key privacy objectives, many organizations conduct risk assessments. In-depth evaluations are vital in a digital environment where risk factors continually change – companies may see new data, users, regulations, and procedures on a routine basis, complicating their compliance and Salesforce data protection efforts.
A Salesforce data risk assessment provides extensive visibility that reveals how users interact with Salesforce data – including sensitive information that needs to be protected. Which users are accessing what data, when, from where, and what are they doing with it? These insights, attainable with a risk assessment, are critical for robust data security, privacy, governance, and compliance efforts.
To obtain much-needed visibility, organizations are partaking in FairWarning’s Salesforce data risk assessment that examines 28 data elements across five categories of risk:
- Access Control
- Privileged User Monitoring
- Data Exfiltration
- Application Performance
- User Adoption
In this post, we selected a small sample of findings to highlight the very real data security threats that live in the average Salesforce environment. Read on for eleven threats that took a diverse subset of organizations – ranging from IT services to marketing automation – by surprise and how they closed the gaps.
**Editor’s note: Identifying names have been removed to preserve individuals’ and companies’ privacy.
Company S: “Former employees are trying to log in to Salesforce.”
Security wasn’t always top of mind for Company S, an IT services provider. For a long time, they operated under the assumption that if Salesforce is secure, their data must be secure, too, right? Not exactly. While Salesforce as a platform is extremely secure, once companies add data, it becomes their responsibility to protect. Once the team realized they needed to tighten their security because they were storing more information in the platform, they wanted a snapshot of their org and recommended best practices from a trusted partner that would give them the insights they need to protect their data.
Thanks to a data risk assessment, Company S discovered more information about their access controls and privileged users than ever before. The Director of Technology, Sam, finally had visibility into details like how many logins failed over one week, how many users or applications were logging in from outside of the country, how many users had high-risk permission sets, and more.
Finding: 458 of 503 total Salesforce users had high-risk permission sets, including the ability to export data
On top of that, 17 third-party applications were accessing their Salesforce org, many of which were legacy applications they weren’t aware were still active.
Why it matters: Even if Sam’s team wasn’t utilizing the legacy apps, as long as third-party developers or solutions have access to data, there’s a risk it could be breached. By identifying inactive integrations and seeing which users had risky permissions, they could mitigate unnecessary access levels and thereby reduce the potential for malicious activity.
Sam’s team was eager to learn more about their privileged users’ access because, from a security standpoint, anyone with system admin abilities has the keys to the kingdom – they can log in as any Salesforce user and export data, escalate privileges, alter whitelisted IP addresses, and more. With the data risk assessment, they saw where users were logging in from, including location details like country and IP address, which helped them combat compromised credentials.
Finding: Multiple inactive users were trying to log into Salesforce
Why it matters: One of these inactive users was trying to log in with a personal email address, which was alarming because it wasn’t a business email address and had no business accessing Salesforce. The risk assessment identified the inactive user – a former part-time developer – allowing Sam to revoke their access, which hadn’t been fully deprovisioned. Without the risk assessment’s visibility, they may never have known multiple inactive users attempting to log in. Now, they can conduct investigations to pinpoint why the activity is happening and close the security gap.
Company A: “Almost all of our users can export data.”
As part of the insurance industry, Company A wanted to step up their data protection efforts as they began adding more customer personally identifiable information (PII) to Salesforce. The threat of a potential data breach or data loss loomed over Company A’s security team, and they knew they needed better controls. The problem was, they lacked visibility into the activity surrounding their Salesforce data. Plus, they were facing a resource shortage when it came to understanding and leveraging Salesforce log files.
The IT Security Analyst, Adam, discovered FairWarning’s free risk assessment for Salesforce data that promised better visibility and insights into potential threats. What did they uncover?
Finding: 94% of their Salesforce users had full export capabilities
Why it matters: Company A’s users could easily download data from reports and other records onto their computer or mobile device. From there, any user could take the company’s data to a competitor or sell it to the highest bidder.
After Adam’s team learned which users had export abilities, they could adjust permissions to the appropriate level so only those who absolutely needed to export data had the power to do so. This significantly reduced the opportunity for data exfiltration or accidental PII exposure that could violate terms set forth in CCPA, GDPR, and other regulations.
Finding: On average, 63,000 rows of data were accessed via reports every day
Why it matters: Salesforce data frequently contains PII or sensitive information, so knowing that data access among users was elevated alarmed Adam and his team – any one of those users could have caused a data breach. In addition, the IT team discovered that more users had system admin privileges than necessary. To minimize risk, Company A used their newfound visibility to adjust profiles and permissions, following the principle of least privilege.
Finding: In one week, three users ran 13 reports that contained more than 10,000 rows of data
Why it matters: While they may have had business reasons for doing so, 130,000+ rows of data was a lot for just three users to access in one week, especially when the average across the org was only 2,700 per export. With full export abilities, these users could have walked away with the company’s most valuable asset undetected. Once Company A obtained in-depth visibility into activity – including which users downloaded what data, when, from where, and how often – they could address potential threats before they become a breach.
Ultimately, the data risk assessment gave Company A the peace of mind knowing that, as they grew, they had visibility into their user activity and could act on any threats that arose.
Company N: “Departing employees are stealing our valuable data.”
A leader in enterprise content and marketing technology, Company N operates in the highly competitive marketing and advertising industry. As the business grew, the Director of Revenue, Noah, had a sneaking suspicion that employees were taking data to competitors when leaving the organization. Company N couldn’t completely lock down their users’ roles, profiles, and permission sets in Salesforce because the employees still needed certain levels of access to do their job. If they revoked export ability for every user, those who needed to generate reports as part of their role would be unable.
They needed a tool to monitor which users were accessing the wealth of confidential information in Salesforce. To help them gain the visibility they needed, Company N requested a data risk assessment to identify activity across 28 data elements within five categories of risk. What they found confirmed the Director of Revenue’s fears – there were signs of elevated data exfiltration, particularly from departing employees.
Finding: Users exported more than 50,000 rows of lead data
Two users (we’ll call them Nathaniel and Nancy) ran and exported a significant number of reports over the previous week. Nathaniel exported an unsaved report with more than 30,000 rows of data and Nora exported a lead report with over 20,000 rows of data.
Why it matters: These numbers shocked Company N – not only were Nathaniel and Nancy not in a department that should be accessing or exporting the data in question, but the row counts were more than double the average export for the company. This perfectly exemplified the vast threat that departing employees posed to the organization. With this information, Company N adjusted permissions to enforce the principle of least privilege and prevent their greatest fear – data being stolen and taken to a competitor, thus hurting their business.
Company E: “Our data is severely overexposed.”
A cloud-based software provider, Company E uses Salesforce for many reasons, but primarily to store and share customer and prospect data with wholesale distributors. The Head of IT, Edward, had plans to align with ISO 27001 to address gaps in their Salesforce security and allow them to work with larger resellers, but feared the pitch to the board didn’t have sufficient data to warrant budget. To justify the budget with concrete data, Edward followed a Salesforce Account Executive’s suggestion to pursue a data risk assessment.
The assessment uncovered a bevy of overexposed permissions, which Edward’s team previously feared but could now prove.
Finding: Most of Company E’s Salesforce users had export abilities, and all users had API enabled
Why it matters: Salesforce APIs (application program interfaces) allow other applications to access data in Salesforce. While the API structure is designed to be simple and secure, it still provides data access to external sources, which creates the possibility of data compromise or theft.
Finding: Load time for essential Visualforce pages exceeded 15 seconds, and some took almost a full minute to populate
Why it matters: With a legacy development team and outdated development practices, Edward knew his admins and developers weren’t writing the most efficient Visualforce and Apex codes – primarily because they were receiving negative feedback from users who were experiencing painfully long page-load times. From Edward’s point-of-view, Company E was making strides in operationalizing and expanding their core team, but for the users who were adding information to accounts (customers) and objects (orders), Salesforce was inefficient. Even a one-second delay can decrease satisfaction by 16%, so seeing that pages were slow to load was a wakeup call for Edward.
“If we take that minute, on average, and then scale that out by 200, 300 core center staff that are waiting to process information on each of these pages, then there is a serious opportunity to increase operational return on investment,” commented Edward. Once his team identified the problem pages, they resolved the issue by optimizing Visualforce pages to speed up performance.
Using the performance impact as a key driver along with overexposed permissions, Company E used the data risk assessment findings to accelerate company-wide growth and performance, obtain budget for ISO 27001 resources, and mitigate potential data loss.
Company Q: “We’re losing thousands of dollars on something we could have fixed easily had we known about it.”
As an engineering firm that stores network, client, B2B, infrastructure, and partner information in Salesforce, Company Q had concerns about transitioning to a fully remote workforce. The Head of IT, Quincy, worried about user behavior while outside of the office – particularly, who could access what data, and what data is locked down? Operationally, they wanted to streamline overheads with a remote workforce, but first had to obtain the necessary controls and monitoring. After a review, it quickly became apparent they lacked the needed security, visibility, and governance controls to feel comfortable operating remotely.
At the recommendation of a consultant, Quincy sought a data risk assessment to gain visibility into Company Q’s Salesforce org. What did they discover?
Finding: Every Salesforce user had full export and API abilities
Why it matters: With users’ full export and API capabilities, Company Q’s sensitive data was severely overexposed and rife with opportunity for a breach. They also never expected to see that users were accessing an average of 4.3 million rows of data every day, which was another source of exposure that increased the risk of malicious activity. Exports were also elevated – just four users were exporting reports with more than 50,000 rows of data, and the daily average for exports included over 430,000 rows of data. Data is a high-value asset, so exporting – especially exports of that size – could be a sign of malicious activity.
Finding: Field employees were using personal devices to access Salesforce
Why it matters: Logging in to Salesforce using a personal device instead of company-provided smartphones was a major corporate policy violation. This policy wasn’t to complicate the field team’s work; rather, it was to ensure that all Salesforce access was as secure as possible because the company-provided phones were frequently updated with the latest software patches and security measures. Company Q identified which users were logging in on their personal phones and took corrective action to ensure that employees weren’t inadvertently creating risk in the course of business.
Finding: The Field Service Lightning page had significant lag times of almost 30 seconds
Why it matters: As an engineering company, Company Q has to claim job bids as soon as they’re published. However, because the slow loading time prevented them from allocating engineers to perform jobs quickly enough, their booking process was severely impeded. The delay was costing Company Q more than $10,000 in lost revenue per month.
After pinpointing the problem pages, Quincy’s team applied best practices to increase loading speed and help the company claim more job bids.
The most underacknowledged Salesforce data security risks
The data risk assessments revealed a common truth: a significant amount of risk to Salesforce data goes unacknowledged. Common threads among the companies revealed that access controls and a false sense of security were underacknowledged sources of risk that can be prevented with the right visibility and controls.
Many organizations underestimate how much data their users can access in Salesforce. Depending on their permissions, a user could enable third-party application access, change permissions, or even delete data, for example. By monitoring users’ access controls, you can mitigate risk by decreasing opportunities for inappropriate data access.
Even if users don’t have an admin’s “master key” to your Salesforce environment, they may be able to access significant amounts of your company’s data. From there, they have the power to harm your business by exporting the data, sharing it with competitors, or selling it. Simply gaining visibility into your users’ access levels is the first step in understanding what they’re doing with data. Altogether, this visibility helps reinforce data security, privacy, compliance, and governance efforts.
A false sense of security
Salesforce as a platform is completely secure. But, like Company S, many organizations operate under the assumption that if Salesforce is secure, their data must be as well. However, as part of the shared responsibility model between SaaS providers and customers, Salesforce’s responsibility is to provide a secure platform; it’s up to the customer to manage appropriate access to the data within.
Salesforce goes beyond the requirements outlined in the shared responsibility model by providing tools to support data security efforts, such as Salesforce Shield. However, the organization is in charge of how they use and manage the tools. So when admins or security teams clone user profiles and assign permissions without a second thought, they are inadvertently creating risk that organizations don’t know about. And without the proper visibility, they never would know that they could prevent a data breach or an employee stealing data by simply adjusting permission accordingly.
Conduct regular data risk assessments to identify and mitigate threats
Routine risk assessments are an essential part of a robust data protection program because they identify threats you didn’t know existed. User activity monitoring can act as a long-term risk assessment by constantly scanning for and detecting suspicious data access, allowing you to reap the benefits of an assessment 24/7.
If you’re interested in conducting a free Salesforce data risk assessment to discover the hidden data security threats in your Salesforce org, reach out to FairWarning to get started. It requires less than 30 minutes of your time to identify risks like repeated failed login attempts, significant data exports, and more.