With all of the sophisticated tools available to enhance your Salesforce org’s security — like Shield, Security Center, and vulnerability assessments — it can be easy to overlook the basics. It’s important to conduct regular security reviews, both on a technical level within your Salesforce org and on a policy level with your Center of Excellence.
In addition to ongoing security reviews, if you’ve just become the new admin of an org, it’s imperative that you dig into security right away! Older Salesforce orgs may not be taking advantage of the latest and greatest features, and sometimes a well-meaning previous admin may have loosened up security more than necessary.
Here are four simple but impactful items to check:
#1 — Password Policies
Global password policies, such as password expiration intervals, minimum password length and complexity, maximum invalid login attempts, and password history, can easily be configured in Setup. Salesforce recommends the following settings at a minimum, but it is critical to check with your IT department to understand your company-specific policies:
- Password Expiration: No more than 90 days
- Password Length: 8-10 characters
- Password Complexity: Mix of alpha, numeric, and special characters
If your company doesn’t have a formal policy about passwords, bring this up in your next Center of Excellence meeting!
Also — this is very important! — don’t forget that password policies can also be set at the profile level. Profile password policies override the org’s global policies, so check each profile in your org carefully.
#2 — Login Timeout
We’ve all had it happen to us: it’s the end of the day on Thursday and you’re looking forward to happy hour with your colleagues. You decide to leave your laptop at your desk while you’re gone. When you get back a couple of hours later, you realize that you never locked your screen. While this is a simple mistake to make, it can cause a big security risk! Any number of other people could have been in the building while you were gone, with open access to your computer and your company data at their fingertips.
It’s critical that your company reminds employees to always lock their computers when they’re away from their desks, and enforces it. But let’s face it — no one is perfect, and it’s possible to forget. Thankfully, Salesforce has a security setting you can activate. To help protect your company data in Salesforce, set a session timeout; this will force users to log in again after a period of inactivity!
When it comes to session timeouts, there’s a balance between usability and security that needs to be considered. Salesforce recommends that your session timeout value is no more than two hours. Again, check with your IT department about your company’s policies and make sure that your Salesforce settings support them.
#3 — Export Reports Permission
Salesforce provides a great deal of security for your data. However, once the data is exported from the system, that security no longer applies. With the Export Reports permission, it’s easy to move data out of Salesforce and into an Excel file. This can be very useful in certain situations, but it can be a security risk. It’s important to determine if all of your Salesforce users need to be able to export reports. Saving data locally outside of Salesforce opens up a slew of potential security concerns.
Consider giving some thought to which of your Salesforce users need to be able to export data and why. Many users should be able to do their jobs by simply viewing reports and dashboards directly in the system. Once you’ve documented your policy, check your profiles and permission sets and update the Export Reports permission as needed.
If you want to take an intermediate approach, you can use session-based permission sets to allow a user to only be able to export reports when their session is within a specific IP range (for example, when they are physically in the office).
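One way to turn checks #1 through #3 into a repeatable audit, as an added example that is not Salesforce's own code: the thresholds are the ones given above, the sample records are constructed, and the dictionary keys are assumed to follow the ProfilePasswordPolicy and ProfileSessionSetting metadata types (pulled via the Metadata API) and the PermissionSet fields in the SOQL shown.

```python
# Added example (not Salesforce's own code): audit profile-level settings from
# checks #1-#3 against the article's thresholds. Sample records are constructed;
# in a real org you would pull them via the Metadata API (ProfilePasswordPolicy,
# ProfileSessionSetting) and the SOQL below via the REST API.

MAX_EXPIRATION_DAYS = 90   # "no more than 90 days"
MIN_LENGTH = 8             # "8-10 characters"
MAX_SESSION_MINUTES = 120  # "no more than two hours"

# Real PermissionSet fields; HasActivationRequired marks a session-based set.
EXPORT_REPORTS_SOQL = ("SELECT Name, IsOwnedByProfile, HasActivationRequired "
                       "FROM PermissionSet WHERE PermissionsExportReport = true")
def audit_password_policies(policies):
    """Keys assumed from ProfilePasswordPolicy: profile, passwordExpiration
    (days, 0 assumed to mean never expires), minimumPasswordLength."""
    findings = []
    for p in policies:
        exp = p["passwordExpiration"]
        if exp == 0 or exp > MAX_EXPIRATION_DAYS:
            findings.append((p["profile"], f"password expiration {exp} days"))
        if p["minimumPasswordLength"] < MIN_LENGTH:
            findings.append((p["profile"], f"min length {p['minimumPasswordLength']}"))
    return findings

def audit_session_timeouts(settings):
    """Keys assumed from ProfileSessionSetting: profile, sessionTimeout (minutes)."""
    return [(s["profile"], f"session timeout {s['sessionTimeout']} min")
            for s in settings if s["sessionTimeout"] > MAX_SESSION_MINUTES]

def audit_export_reports(permsets):
    """Rows from EXPORT_REPORTS_SOQL; anything not activation-required grants
    export at all times, so it is the list to review profile by profile."""
    return [ps["Name"] for ps in permsets if not ps["HasActivationRequired"]]

# Constructed sample data mimicking an org a previous admin loosened up.
SAMPLE_POLICIES = [
    {"profile": "Standard User", "passwordExpiration": 90, "minimumPasswordLength": 8},
    {"profile": "Legacy Sales", "passwordExpiration": 0, "minimumPasswordLength": 5},
]
SAMPLE_SESSIONS = [{"profile": "Standard User", "sessionTimeout": 120},
                   {"profile": "Legacy Sales", "sessionTimeout": 720}]
SAMPLE_PERMSETS = [
    {"Name": "Legacy Sales", "IsOwnedByProfile": True, "HasActivationRequired": False},
    {"Name": "Office_Export", "IsOwnedByProfile": False, "HasActivationRequired": True},
]
if __name__ == "__main__":
    for profile, issue in audit_password_policies(SAMPLE_POLICIES) + audit_session_timeouts(SAMPLE_SESSIONS):
        print(f"FIX {profile}: {issue}")
    print("Always-on Export Reports:", audit_export_reports(SAMPLE_PERMSETS))
```

Profile-owned permission sets (IsOwnedByProfile = true) are how a profile's own Export Reports grant shows up in that query, so the result covers both profiles and permission sets.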
#4 — Multi-Factor Authentication
…it’s coming! Starting in February 2022, Salesforce will require all internal users to use Multi-Factor Authentication (MFA) each time they log in. MFA adds another layer of security to your login process and helps to protect against threats like credential stuffing, phishing attacks, and account takeovers.
Stay tuned for our next blog post, where we will provide some tips on change management and helping your users get ready for MFA.
Concerned about the safety of your Salesforce org? Connect with our Healthcare and Life Sciences team to discuss the security of your environment!
With the rapid evolution of technology, Salesforce solutions are ever-changing and improving features. Contact our team for up-to-date information.