Fortunately, you don’t have to be a cybersecurity expert to take advantage of some of Salesforce’s most powerful security measures. We’re going to dive in on 7 key tools besides Flosum that you can institute today that will help secure your Salesforce organization from threats and hackers.

 1. Multi-Factor Authentication

 According to Microsoft, multi-factor authentication blocks 99.9% of automated cyberattack attempts. There are not many cybersecurity tools that can boast that kind of record, so it’s a must-have for any company looking to bolster its security.

 Multi-factor authentication (MFA) works by asking the user to authenticate a login through another device or method. Instead of just inputting a password to gain access, MFA requires the correct password and then a secondary verification such as a code sent to your phone or email address. Of course, this really doesn’t help if the password for your email is the same as for Salesforce, so we’d recommend making sure they are different.

 You can enable multi-factor authentication in your organization by going to the profiles area in setup and selecting the “Two-Factor Authentication for User Interface Logins” setting. There is an article that details the entire process, which can be found at this link here.

 2. Set IP Ranges

 If your employees work out of specific locations, then setting IP ranges for logins can be very effective. Login IP ranges limit access to Salesforce by requiring users to log in only from computers in a specified range. While no one outside your network will be able to log in, it does make working from home quite difficult. Security is all about managing trade-offs though, and each of these security measures will have trade-offs with accessibility to different degrees.

 The IP Ranges setting can be found in the same place as the Multi-Factor Authentication under profiles. If you would like more information on how to define IP ranges for profiles, Salesforce has a great article here that details the process.
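
 Before turning on login IP ranges, it helps to check which recent logins the proposed ranges would block, since that is where the work-from-home trade-off shows up. The Python below is an added example, not code from Salesforce or from this article; the ranges, usernames, and CSV column names are constructed for illustration.

```python
import csv
import io
from ipaddress import ip_address

# Proposed login IP ranges as inclusive (start, end) pairs. Constructed values
# from documentation address space, not real office networks.
PROPOSED_RANGES = [
    ("203.0.113.0", "203.0.113.255"),    # hypothetical head office
    ("198.51.100.16", "198.51.100.31"),  # hypothetical branch office
]

# Constructed sample of recent successful logins (username, source IP).
# Column names are assumptions, not a Salesforce export format.
SAMPLE_LOGINS = """username,source_ip
alice@example.com,203.0.113.42
alice@example.com,192.0.2.77
bob@example.com,198.51.100.20
carol@example.com,198.51.100.40
carol@example.com,not-an-ip
"""


def in_ranges(ip_text, ranges):
    """Return True if ip_text lies inside any inclusive (start, end) range."""
    ip = ip_address(ip_text)
    for start, end in ranges:
        lo, hi = ip_address(start), ip_address(end)
        # Only compare addresses of the same IP version (v4 vs v6).
        if ip.version == lo.version and lo <= ip <= hi:
            return True
    return False


def users_locked_out(login_csv, ranges):
    """Map each user to the source IPs that the proposed ranges would block."""
    blocked = {}
    for row in csv.DictReader(io.StringIO(login_csv)):
        try:
            allowed = in_ranges(row["source_ip"], ranges)
        except ValueError:
            allowed = False  # unparseable address: fail closed, flag for review
        if not allowed:
            blocked.setdefault(row["username"], []).append(row["source_ip"])
    return blocked


if __name__ == "__main__":
    for user, ips in users_locked_out(SAMPLE_LOGINS, PROPOSED_RANGES).items():
        print(f"{user}: would be blocked from {', '.join(ips)}")
```

 Users who appear in the result either need their usual network added to a range or need another approved way to connect before the restriction goes live.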

 3. Password Policies

 Probably the easiest one to think of, but often overlooked, is enabling and defining password policies for users. Salesforce makes several recommendations about password policies that would be wise to follow:

 1. Set passwords to expire after 90 days to force users to reset their passwords consistently.
 2. Set a minimum password length of 8-10 characters.
 3. Add complexity by setting passwords to include a mix of alphanumeric and special characters.

 These password policies only work if users are diligent in not sharing their passwords. Make sure to remind your company’s employees to never share their Salesforce passwords with anyone. Admins can access anyone’s account and Salesforce representatives will never ask, so there’s no reason anyone should give out passwords.

 4. Salesforce Shield

 Looking for something a little more comprehensive? Well then Salesforce Shield has got you covered. Salesforce Shield is an additional package that installs into any organization and basically injects steroids into the security systems. Salesforce Shield provides field and file encryption, allowing companies to easily store sensitive information for PII, HIPAA, and PCI compliance standards.

 If your company is publicly traded, then you need to follow SOX compliance standards. If you have not heard of Salesforce Sarbanes-Oxley compliance, we have a great article about Salesforce and SOX here. With Event Monitoring and Field Audit Trail from Salesforce Shield, Salesforce tracks every interaction so an auditor can easily see who is accessing any data, anytime, anywhere.

 Interested in Salesforce Shield and want more information? Get the full datasheet by filling out this form here.

 5. My Domain

 On top of having a cool custom domain to increase employee pride, My Domain offers several added security benefits. Besides being a requirement for multi-factor authentication, My Domain can block or redirect login attempts from URLs that do not use the new domain name. My Domain also allows users to work in multiple organizations at the same time and to log in using social accounts like Google or Facebook.

 To enable My Domain you will have to create a custom one for your company. The settings to activate this can be found by going to the setup area and entering “My Domain” into the quick finder.

 6. Session Timeouts

 Employees often leave for meetings or lunch breaks with their computers open. This poses a serious security risk, as anyone in the building can sit at their desk and access the system. It’s always good to assess if this security risk pertains to your company specifically. But if it does, then decreasing the session timeout time can help limit that vulnerability.

 The session timeout time can be set between 30 minutes and 8 hours, with the default being 2 hours. Talk to your security and IT advisors to set an appropriate time depending upon your risk level.

 7. Education

 At the end of the day, security policies can only go so far to prevent breaches. A door can have a hundred locks that instantly become useless if someone inside opens it. That’s why continuing education is so important for maintaining a strong security system.

 According to Purplesec, 98% of cyber attacks rely on social engineering. When a hacker tricks a user into opening the door by clicking on a link or downloading a file, that’s called social engineering. With the COVID-19 outbreak, there has been a noticeable uptick in the number of cyber criminals who are attempting social engineering schemes. Keep your company protected by holding company seminars about recognizing phishing attempts and best internet practices.

 What goes into creating a good Salesforce security profile is not any individual tool we discussed, but instead a combination of them. The more of these security tools that you implement, the more secure your organization will be.
