SFDC Protection Guide: 10 Ways to Protect Your Salesforce Data in 2023

Welcome to 2023, the year that professionals in every industry will be asked to do more with less as companies push for a seamless customer experience while operating with reduced staff and nervous investors. This is not the first time companies have squeezed their teams to deliver with less, but it is the first time that this belt-tightening has coincided with customer expectations for fully personalized business interactions. The automated phone systems of the 2000s and offshore, untrained call center agents simply will not cut it anymore!

Turning data into actionable insights has never been more critical in this climate, particularly the transactional customer interactions captured minute by minute in Salesforce. Regardless of the economic environment, data will always be the lifeblood of every business. Therefore, a CRM implementation, particularly a SaaS solution like Salesforce, should be designed to protect the data entered into the CRM. Keep reading for ten actions you can implement in your business strategy today to protect Salesforce data in 2023.

1. Protect Access to Your Salesforce Database

To protect your Salesforce org, start with Salesforce’s Security Health Check tool, which gives you a clear view of your org’s security posture and a comprehensive assessment of its settings. Scores range from “Excellent” to “Very Poor” and give you a baseline understanding of the potential security risks within your org.

Once you have the results of your Security Health Check, it’s time to spring into action. Ensuring you limit access to your SFDC org by establishing the proper security measures to protect your org’s data is business critical. There are several ways to step up your efforts to limit access, including:

Enabling Multi-Factor Authentication (MFA) 

Requiring your users to go through more than one level of authentication is one of the most effective ways to protect your Salesforce org. Salesforce has required it since February 2022. MFA works by having every user validate their identity with more than one form of authentication, such as a username and password combined with an approval in an authenticator app or a physical security key held outside the system being accessed.

Operating on a Least Privileged Data Access Model

There are some instances in which you want a Salesforce user to have access to all data by granting the View All Data or even Modify All Data permissions, but when the data model is too open or the rules are too vague, you run a much higher risk of a user accidentally corrupting or even deleting data. The concept of least-privileged data access means any given user will only have access to the data required to complete their current role in the organization. For example, a sales team working on opportunities should not have access to update support cases, and vice versa. This will cut down on data loss, data corruption, and the potential for any unauthorized data access.

Limiting User Login Hours and IP Ranges 

Putting limits on when and where users can access Salesforce will significantly reduce the risk of a cyber attack. Of course, this can be difficult to maintain in a growing, global business. However, the advantages will significantly outweigh the implementation and maintenance time needed to leverage this feature. For example, if a user tries to access your Salesforce org from an IP address outside the ranges tied to their profile, Salesforce does not allow access, even if the user provides the correct credentials!

The risk of data loss is minimized when you have the who, what, when, and where of your Salesforce database access set. This, in turn, allows you to continue with business-critical decisions while knowing your Salesforce org has safeguards against attacks that can sideline your org.

2. Educate Your Salesforce Users

Do your users have sticky notes on their desks with passwords and logins? It might be time to train! The easiest way to breach an otherwise secure system is with valid login credentials. Your users have access to vital information, so it’s time to implement new methods to ensure that data doesn’t get into the wrong hands.

Right off the bat, your users need to understand how big a role passwords play in the health of your Salesforce org. You can easily set password requirements for your org’s users! Passwords are essentially the first line of defense, so there are a few steps you can take to maximize their value:

  • Don’t share your password or your login. This is the most critical aspect of having a secure password. As the saying goes, a secret is no longer a secret if someone else knows. 
  • Choose original passwords. Don’t use the same password for multiple websites; it only takes one hack to access everything. 
  • Make your passwords complex. Sometimes it might seem easier to have “Dog123” as your password, but that’s just setting your system up for hacking. Using numbers, special characters, different capitalization, and uncommon words means attackers have even more hurdles to jump through before entering your Salesforce org.
  • Use a password manager. For the sticky notes stuck to your monitor, a password manager is the best way to keep your passwords strong and secure. These allow you to create and store passwords in a secure database for every website you use. If you’re in the market for a proper password manager, Cybernews has curated this list for 2023.

In addition to protecting their passwords, your users should be well-versed in another line of defense: how to spot phishing attempts, the usual delivery route for malware and credential theft. Train them to recognize these common emails, and they’ll be less likely to open one accidentally. This will spare your company the headache of an entire Salesforce org being disrupted.

3. Monitor User Behavior

There are several ways to monitor Salesforce user behavior, the primary one being the analysis of event logs. Unfortunately, these logs can be difficult, if not impossible, to analyze on-platform comprehensively, but CapStorm enables incremental backup of these monitoring files for near real-time trend monitoring. 

While not perfect, Salesforce’s Event Monitoring tool allows some activity monitoring. A fundamental limitation is how long the logs are retained: 1 day of logs by default, with an option to pay for 30 days of history. It’s hard to spot abnormal trends with only 30 days of events, and robust event monitoring requires a longer range of data than is natively available in Salesforce.
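To make the login-hours/IP-range controls from section 1 and the event-log review in this section concrete, here is an added Python example (not CapStorm’s or Salesforce’s own code). It reviews a constructed sample shaped like a Salesforce Event Monitoring “Login” CSV export against a policy of allowed CIDR ranges and a login window, and flags repeated failed logins. The column names are an assumption about the Login event type; the addresses, window, threshold and status strings are constructed values.

```python
import csv
import io
import ipaddress
from collections import Counter
from datetime import datetime, time

# Constructed sample in the shape of an EventLogFile "Login" CSV export.
# Assumption: these column names match Salesforce's Login event type; only a
# subset of columns is kept, and any LOGIN_STATUS other than LOGIN_NO_ERROR is
# treated as a failed attempt.
SAMPLE_LOGIN_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,SOURCE_IP,LOGIN_STATUS
Login,2023-01-09T08:55:10.000Z,ann@example.com,203.0.113.15,LOGIN_NO_ERROR
Login,2023-01-09T09:01:42.000Z,bob@example.com,203.0.113.22,LOGIN_NO_ERROR
Login,2023-01-09T02:17:05.000Z,ann@example.com,198.51.100.77,LOGIN_NO_ERROR
Login,2023-01-09T09:05:00.000Z,cara@example.com,203.0.113.40,LOGIN_ERROR_INVALID_ID_PASSWORD
Login,2023-01-09T09:05:31.000Z,cara@example.com,203.0.113.40,LOGIN_ERROR_INVALID_ID_PASSWORD
Login,2023-01-09T09:06:02.000Z,cara@example.com,203.0.113.40,LOGIN_ERROR_INVALID_ID_PASSWORD
Login,2023-01-09T09:06:40.000Z,cara@example.com,203.0.113.40,LOGIN_NO_ERROR
Login,2023-01-09T14:30:00.000Z,bob@example.com,203.0.113.22,LOGIN_NO_ERROR
"""

# Hypothetical policy mirroring what an admin configures on the profile:
# the office/VPN range and the permitted login window (UTC, for simplicity).
ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
LOGIN_WINDOW = (time(7, 0), time(19, 0))
FAILED_LOGIN_THRESHOLD = 3


def parse_login_events(csv_text):
    """Parse the CSV export into dicts with a typed timestamp and IP address."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EVENT_TYPE"] != "Login":
            continue
        when = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append({
            "when": when,
            "user": row["USER_NAME"],
            "ip": ipaddress.ip_address(row["SOURCE_IP"]),
            "success": row["LOGIN_STATUS"] == "LOGIN_NO_ERROR",
        })
    return events


def review_logins(csv_text, allowed=ALLOWED_RANGES, window=LOGIN_WINDOW,
                  failed_threshold=FAILED_LOGIN_THRESHOLD):
    """Return (rule, user, detail) findings for the three review checks."""
    findings = []
    failures = Counter()
    for ev in parse_login_events(csv_text):
        if not ev["success"]:
            failures[ev["user"]] += 1
            continue
        # Successful login from an address outside every permitted range.
        if not any(ev["ip"] in net for net in allowed):
            findings.append(("ip_outside_range", ev["user"], str(ev["ip"])))
        # Successful login outside the permitted window (window lies within one day).
        if not (window[0] <= ev["when"].time() <= window[1]):
            findings.append(("outside_login_hours", ev["user"], ev["when"].isoformat()))
    # Repeated failures for one user are worth a closer look even if a later attempt succeeded.
    for user, count in failures.items():
        if count >= failed_threshold:
            findings.append(("failed_login_burst", user, f"{count} failures"))
    return findings


if __name__ == "__main__":
    for finding in review_logins(SAMPLE_LOGIN_LOG):
        print(*finding, sep="  ")
```

Run against the sample, the review flags one off-hours login from outside the allowed range and one burst of failed attempts; on a real export you would feed in the daily file (or the longer off-platform history the text argues for) and tune the ranges and window to the profile settings in force.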

4. Schedule Permissions Audits

Robust least-privileged data access models are easy to let slip when adding new users or transitioning Salesforce admins. Your team needs to know who has access to what and whether any changes to those permissions have been adequately reported. When a user holds permissions they should not have, you’re opening your Salesforce org up to potential threats or attacks. Therefore, scheduled permissions audits are a preventative maintenance must!
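As an added illustration of what a scheduled permissions audit can check (example code written for this page, not CapStorm’s tooling), the Python below takes two constructed result sets shaped like queries on PermissionSet and PermissionSetAssignment, works out who currently holds View All Data and Modify All Data through a profile or a permission set, and diffs that against the approved holders recorded at the last audit. The usernames, permission set names and baseline are constructed; the SOQL in the comment is the query an admin would run to produce such data, given as an assumption about the standard object fields.

```python
# Hypothetical SOQL an admin would run to pull the two inputs below
# (assumption: standard PermissionSet / PermissionSetAssignment fields):
#   SELECT Id, Name, IsOwnedByProfile, Profile.Name,
#          PermissionsModifyAllData, PermissionsViewAllData
#   FROM PermissionSet
#   WHERE PermissionsModifyAllData = true OR PermissionsViewAllData = true
#   SELECT PermissionSetId, Assignee.Username
#   FROM PermissionSetAssignment WHERE PermissionSetId IN (...)

HIGH_RISK = ("PermissionsModifyAllData", "PermissionsViewAllData")

# Constructed results, flattened for readability (Profile.Name -> ProfileName,
# Assignee.Username -> AssigneeUsername).
PERMISSION_SETS = [
    {"Id": "0PS1", "Name": "X00e_SysAdmin", "IsOwnedByProfile": True,
     "ProfileName": "System Administrator",
     "PermissionsModifyAllData": True, "PermissionsViewAllData": True},
    {"Id": "0PS2", "Name": "Reporting_Power_User", "IsOwnedByProfile": False,
     "ProfileName": None,
     "PermissionsModifyAllData": False, "PermissionsViewAllData": True},
    {"Id": "0PS3", "Name": "Data_Migration", "IsOwnedByProfile": False,
     "ProfileName": None,
     "PermissionsModifyAllData": True, "PermissionsViewAllData": True},
]
ASSIGNMENTS = [
    {"PermissionSetId": "0PS1", "AssigneeUsername": "admin@example.com"},
    {"PermissionSetId": "0PS2", "AssigneeUsername": "analyst@example.com"},
    # Left over from a migration project: exactly the kind of drift an audit should catch.
    {"PermissionSetId": "0PS3", "AssigneeUsername": "contractor@example.com"},
    {"PermissionSetId": "0PS2", "AssigneeUsername": "sales.rep@example.com"},
]
# Approved holders recorded at the previous audit (constructed).
BASELINE = {
    "PermissionsModifyAllData": {"admin@example.com"},
    "PermissionsViewAllData": {"admin@example.com", "analyst@example.com"},
}


def holders(permission_sets, assignments, perms=HIGH_RISK):
    """Map each high-risk permission to {username: [grant sources]} for current holders."""
    by_id = {ps["Id"]: ps for ps in permission_sets}
    result = {perm: {} for perm in perms}
    for assignment in assignments:
        ps = by_id.get(assignment["PermissionSetId"])
        if ps is None:
            continue  # assignment to a permission set without high-risk flags
        source = (f"profile:{ps['ProfileName']}" if ps["IsOwnedByProfile"]
                  else f"permset:{ps['Name']}")
        for perm in perms:
            if ps.get(perm):
                result[perm].setdefault(assignment["AssigneeUsername"], []).append(source)
    return result


def audit(baseline, current):
    """Diff current holders against the approved baseline; 'added' entries need an owner's sign-off."""
    report = {}
    for perm, users in current.items():
        approved = baseline.get(perm, set())
        report[perm] = {
            "added": sorted(set(users) - approved),
            "removed": sorted(approved - set(users)),
        }
    return report


if __name__ == "__main__":
    current = holders(PERMISSION_SETS, ASSIGNMENTS)
    for perm, diff in audit(BASELINE, current).items():
        print(perm)
        for user in diff["added"]:
            print("  ADDED  ", user, "via", ", ".join(current[perm][user]))
        for user in diff["removed"]:
            print("  REMOVED", user)
```

Recording the grant source alongside each username matters in practice: a permission inherited from a profile is fixed by moving the user, while one from a permission set is fixed by removing the assignment, and the report tells you which.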

5. Backup Your Data

Your organization is going to have a considerable amount of Salesforce data accumulated over the years. Often, this information contains all instances of customer interactions and, therefore, is of high value for current day-to-day operations and long-term business intelligence. A loss of this data would prove detrimental, but having proper backup protocols in place means the impact of any loss due to user error or an attack is drastically reduced. Salesforce’s native backup options might not be the best choice for your business given limitations on what data is backed up, so this is where third-party solutions like CapStorm come into play. Some additional items to consider with any backup solution include:

Backup Frequency

Some providers, including Salesforce, offer a backup once a day. That is a long interval: the most recent copy available for recovery could be nearly 24 hours old, so a data loss scenario may cost almost a day’s worth of data! On the other hand, CapStorm allows incremental backups every three minutes, getting you the data you need on time.

Recovery Cost 

There is a big difference between having a “backup” and having a “backup and recovery solution.” Having confidence in your Salesforce backup and your ability to recover is critical. The best way to do this is with fire drill tests that simulate data loss and corruption scenarios. The cost of recovery is much more than the price of a solution! Having a standard backup & recovery solution can save you time, loss of revenue from downtime, and incurred long-term costs. CapStorm’s backup and recovery solution accounts for all of this and is the standard solution for small, mid-size, and large enterprises alike.

Data Format 

Are you storing your Salesforce backups in S3 or as CSVs? Make sure recovery is validated with real-life complex scenarios like a data hierarchy restore. Sample test cases are the recovery of an Account along with all of its child records, a CPQ configuration recovery, or even the restore of a deleted Knowledge article. An excellent way to think about the complexity of these tests is to tip over a file cabinet and put everything back in the correct order it was in before. That’s an arduous task for even the most devoted follower of Marie Kondo!

One of the more surprising aspects of backing up data is that Salesforce recommends using third-party backup services. With that in mind, ensure your regular Salesforce backups provide an accessible and verifiable way to protect data with off-platform storage. 

6. Backup Your Metadata

You will also want to back up critical elements like reports, dashboards, profiles, and permissions, along with your regular Salesforce data backups. These can be just as critical as the underlying data. Imagine losing control over who can access what data! For example, you might recall the 2019 Salesforce incident that accidentally increased visibility privileges for thousands of Salesforce users to the extent that Salesforce locked out entire production orgs. As a result, customers could not access Salesforce for up to two days while Salesforce performed an internal recovery. After Salesforce unlocked all customer orgs, each customer needed to find a way to get data visibility privileges back to the way they were before the incident. The solution? Metadata restore! Those without a metadata backup, external backup, or a recently refreshed sandbox were forced to rebuild permissions manually before it was safe to reinstate users.

7. Validate Your Recovery

A backup is only as good as the ability to restore. Regularly test data and metadata recovery processes to ensure a validated business continuity plan. We touched on this already, but businesses must not ignore the value of a tested recovery plan. Not testing real-life recovery scenarios with your backup solution is like hiring an employee without looking at a resume or performing any validation of their qualifications. Will the new hire be qualified to succeed in their new role? Maybe. Have you done the due diligence that your company deserves? No. It’s the same with Salesforce backup and recovery – a backup solution that isn’t validated is unreliable.
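The hierarchy-restore test case from the Data Format discussion and the recovery validation this section calls for are shown together in the added Python example below (written for this page; it is not CapStorm’s restore engine and stands in for the real insert API with a fake org). A constructed backup of an Account with a child Account, Contacts and an Opportunity is restored parents-first, every lookup is rewritten from the old Id to the Id the target org assigns, and a verification pass confirms each child still points at its parent. The object names and the file layout are realistic; the record Ids, lookup map and FakeOrg are constructed assumptions.

```python
import csv
import io

# Constructed backup, one CSV per object, as a CSV export would lay it out.
BACKUP = {
    "Account": "Id,Name,ParentId\n001A,Acme Corp,\n001B,Acme Europe,001A\n",
    "Contact": "Id,LastName,AccountId\n003A,Smith,001A\n003B,Jones,001B\n",
    "Opportunity": "Id,Name,AccountId,StageName\n006A,Renewal,001B,Prospecting\n",
}
# Lookup fields that must be re-pointed on restore: object -> {field: referenced object}.
LOOKUPS = {
    "Account": {"ParentId": "Account"},
    "Contact": {"AccountId": "Account"},
    "Opportunity": {"AccountId": "Account"},
}


class FakeOrg:
    """Hypothetical stand-in for the target org: inserts assign fresh Ids and reject
    dangling lookups, which is the failure a wrong restore order produces."""

    def __init__(self):
        self.records = {}  # new Id -> (object, fields)
        self._counter = 0

    def insert(self, obj, fields, lookups):
        for field in lookups:
            ref = fields.get(field)
            if ref and ref not in self.records:
                raise ValueError(f"{obj}.{field} points at unknown record {ref}")
        self._counter += 1
        new_id = f"NEW{self._counter:03d}"
        self.records[new_id] = (obj, dict(fields))
        return new_id


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def restore_order(lookups):
    """Order objects so each comes after the objects it looks up (self-lookups aside)."""
    deps = {obj: {ref for ref in refs.values() if ref != obj} for obj, refs in lookups.items()}
    order = []
    while deps:
        ready = sorted(obj for obj, needs in deps.items() if needs <= set(order))
        if not ready:
            raise ValueError("circular lookups between objects: " + ", ".join(sorted(deps)))
        order.extend(ready)
        for obj in ready:
            del deps[obj]
    return order


def order_rows(rows, self_fields):
    """Within one object, place rows whose self-lookup parent is empty or already placed."""
    ordered, placed, pending = [], set(), list(rows)
    while pending:
        ready = [r for r in pending if all(not r.get(f) or r[f] in placed for f in self_fields)]
        if not ready:
            raise ValueError("missing parent or cycle among " + ", ".join(r["Id"] for r in pending))
        ordered.extend(ready)
        placed.update(r["Id"] for r in ready)
        pending = [r for r in pending if r["Id"] not in placed]
    return ordered


def restore(backup, lookups, org):
    """Insert parents before children, rewriting each lookup from old Id to new Id."""
    id_map = {}
    for obj in restore_order(lookups):
        self_fields = [f for f, ref in lookups[obj].items() if ref == obj]
        for row in order_rows(load_rows(backup[obj]), self_fields):
            fields = {k: v for k, v in row.items() if k != "Id"}
            for field in lookups[obj]:
                if fields.get(field):
                    fields[field] = id_map[fields[field]]  # KeyError: parent never restored
            id_map[row["Id"]] = org.insert(obj, fields, lookups[obj])
    return id_map


def verify(backup, lookups, org, id_map):
    """Recovery check: every restored record's lookups land on the new Id of its old parent."""
    for obj, fields in lookups.items():
        for row in load_rows(backup[obj]):
            _, restored = org.records[id_map[row["Id"]]]
            for field in fields:
                expected = id_map[row[field]] if row[field] else ""
                if restored.get(field, "") != expected:
                    return False
    return len(id_map) == sum(len(load_rows(text)) for text in backup.values())


def restore_and_verify(backup=BACKUP, lookups=LOOKUPS):
    org = FakeOrg()
    id_map = restore(backup, lookups, org)
    return id_map, verify(backup, lookups, org, id_map)


def out_of_order_fails(backup=BACKUP, lookups=LOOKUPS):
    """The naive approach, a Contact inserted before its Account, is rejected."""
    row = load_rows(backup["Contact"])[0]
    try:
        FakeOrg().insert("Contact", {k: v for k, v in row.items() if k != "Id"}, lookups["Contact"])
    except ValueError:
        return True
    return False
```

The point of the verification pass is the one the text makes about fire drills: a restore that finishes without errors can still leave children attached to the wrong parents if the Id rewrite is skipped, and only a check against the original backup tells you the cabinet went back together in the right order.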

8. Understand Integrations

Two-way integrations can easily cause accidental data loss or corruption. For example, many Salesforce orgs have integrations that either push data into Salesforce or perform a two-way sync between Salesforce and external systems. While such integrations are critical to making Salesforce an essential system for customer interactions, they can also be dangerous if, for example, a new product owner does not understand the potential downstream impacts. Want to hear how a simple mistake caused mass data corruption that orphaned every opportunity record in a ten-year-old Salesforce implementation? Read about it here.

9. Encrypt Data

Leverage Salesforce Shield to implement field-level encryption on-platform for implementations that include sensitive data like social security numbers, credit card numbers, or personal health information. In addition to Salesforce’s standard data visibility controls, Salesforce Shield can provide the level of protection needed on-platform to protect your customers and your company in the case of a cyber-attack. Be aware, however, that any controls implemented in Salesforce will only protect data on-platform. As integrations pull data into third-party systems or as data is synced into your data warehouse, additional protection is needed to maintain the same level of visibility controls. CapStorm’s CS:Govern solution automatically mimics Salesforce Shield rules to create a mirror image of Salesforce off-platform. This mirror acts as a staging database for integrations, analytics, and disaster recovery, all with the same protections in place as with Salesforce Shield.

10. Limit Potential Risk

When leveraging SaaS apps that store or process data, it is critical to understand all points at which Salesforce data leaves the platform. Further, remember that your data security is only as good as the least secure place where your data is stored.

Now that you know the basics of protecting your Salesforce data, it’s time to implement the actions that will have you smooth sailing through 2023. Want to learn more? CapStorm has partnered with global companies for 10+ years to protect their investment in Salesforce with solutions for an accessible, verifiable, near real-time Salesforce backup. If you’d like to know more, our experts are here to answer any questions about maximizing your Salesforce investment! 

Rebecca Gray

Rebecca is a 5-year Salesforce fanatic and certified Salesforce Admin, Service Cloud Consultant, Sales Cloud Consultant, and App Builder. She volunteers in the Salesforce community, leading the Saint Louis, MO Salesforce Admin Group, and is a former Lightning Champion. In her day job, Rebecca supports Customer Success, helping CapStorm customers achieve their goals for Salesforce data management.

About CapStorm

CapStorm is the most technologically advanced Salesforce data management platform on the market. Billions of records per day flow through CapStorm software, and our solutions are used in every industry from credit cards, telecom providers, insurance agencies, global banks and energy providers.
