Most Salesforce professionals will admit that cyberattacks aren’t often front of mind. However, the truth is that we can all be hacked; if an attacker has enough time, enough motivation, and enough skill, anybody can be deceived. Today’s phishing attacks are highly sophisticated and targeted, and they’re often impossible to catch with human diligence alone.
This guide will explore how important it is to secure your Salesforce org against cyberattacks. We’ll look at the current cybersecurity landscape, the different security responsibilities Salesforce has versus you (the customer), and finally, the various ways you should bolster your org’s security.
Case Study: The Reddit Cyberattack
Humans are often the weakest link when it comes to cyber defenses. Reddit recently experienced a successful phishing attack which led to a data breach. This was due to human error, where an employee was convinced to enter their credentials on a cloned gateway (including multi-factor authentication), which gave the threat actor access to Reddit’s internal systems.
Luckily, the breach was reported swiftly – the employee did everything by the book, but as fast as they were, the attackers acted even faster.
This could be considered a ‘classic’ case – where an attacker creates a fake service that looks just like the original one, followed by a user signing into the fake service and giving the attacker their credentials in the process. Again, this highlights the fact that humans can often be the weakest link in your cyber defenses.
Mistakes Happen… Now What?
The question that organizations need to be asking themselves is this: “Are you happy to trust the sole judgment and prowess of your end users?”
When human error happens, it can be a tricky situation for both the organization and the individual who made the error. You messed up, so now what?
In the Reddit case, the employee reported the incident instantly – while they didn’t try to cover it up, they did make a mistake, and ultimately, that’s a hard pill to swallow.
Now, from the organization’s point of view, follow-up communications become a pretty delicate matter. Think about asking:
- How openly should the incident be communicated?
- How should the human error be addressed?
The reality is that human error happens (we are human after all!) – it will continue to happen, but this shouldn’t become a ‘blame game’.
Employees need to be encouraged to report these incidents proactively, and without shame, so that attackers can be stopped as quickly as possible.
Which Channel Is the Most Popular for Cybercriminals to Target?
There are a host of different ways to breach organizations, but which channel do you think is most popular for cybercriminals today? Is it email, social media, or physical breaches? Or do we think it’s another channel altogether, perhaps cold calling?
In our recent webinar, the results from the audience were as follows: 64% responded with email, 33% said social media, and the remaining roughly 2% was split between physical breaches and other channels.
So, yes, email is by far the most common channel for cybercriminals.
There are over 180 million business accounts on Microsoft 365 alone. If you had to guess how many of those are operating without any malware protection today, what would you say? The reality is that absolutely none of those inboxes operate without some sort of malware protection.
Phishing emails are a reality of everyday life. We receive malicious content on a weekly – if not daily – basis.
Employees are more cybersecurity aware than ever before. Organizations are putting a greater emphasis on training employees to catch phishing attempts and act accordingly.
Email solutions today generally have strong built-in security capabilities, plus larger organizations will often deploy complementary security solutions to safeguard those inboxes further. I’m sure we’ve all been subjected to our IT or security team sending us practice phishing emails to see if anybody falls for them! These practices are common nowadays because email is the most popular channel for cybercriminals to attack.
However, attackers know this, which means they’re not just targeting email anymore. They’re also starting to target legitimate SaaS platforms like Salesforce.
SaaS + Cyberattacks
When it comes to SaaS, however, the game changes.
Let’s take a service agent, for example, whose job is to communicate with customers to rapidly resolve their issues. The agent often needs to open attachments and other information to be able to serve their customers.
It shouldn’t solely be that user’s responsibility to interpret whether or not content is safe. As system administrators, we need to give our service agents and all of our colleagues the tools they need to be able to move confidently and quickly – in this case, to keep customer satisfaction high.
The additional security solutions that have become the norm for email aren’t necessarily everyday staples when it comes to SaaS providers.
Users aren’t necessarily thinking about phishing attempts when working with Salesforce in the same way they might be when working inside their inboxes.
Every platform also has different vectors, different built-in capabilities, and different risks. This is plenty for administrators and IT professionals to keep track of!
Security tools, like malware protection, aren’t assumed to be necessities; I talk to Salesforce customers every day who are surprised to learn they need to account for this additional layer of security.
Cyberattackers are Opportunistic
Most cyberattacks are opportunistic. Attackers are looking for any way into an organization’s systems – pretty much any ‘backdoor’ is going to do.
Attacks are performed in bulk and they’re extremely sophisticated; not only are they advancing at record speeds, they are also being bolstered by new AI tools like ChatGPT.
Beyond email, attackers are looking at SaaS platforms, web forms, web chat, support portals, and weak user passwords. There are also system vulnerabilities such as misconfigurations and malfunctioning systems. And there are always physical break-ins (think of an imposter posing as a handyman and wandering into the office).
All of these are different methods that attackers use to breach organizations.
Salesforce Security: Who’s Responsible?
When it comes to securing cloud platforms (such as Salesforce) against phishing attacks, who is actually responsible?
It turns out it’s not just the platform vendor, it’s also your responsibility – the customer!
This is due to what SaaS providers call the “shared responsibility model”. In this model:
- Salesforce is responsible for: Network and infrastructure security, ensuring that data centers are secured, and performing penetration testing.
- The customer is responsible for: Correctly implementing what the vendor provides – multi-factor authentication, object and field-level security, and access controls. You’re also responsible for making sure that the content coming into your environment, such as files and URLs stored on records, is safe.
Now we know that content security and malware protection fall on your plate as a SaaS customer, the question becomes: How seriously do I need to take this?
Malicious Files and URLs
Malicious files and URLs are an increasingly well-known vulnerable vector, and attackers are acting accordingly.
Salesforce offers built-in, and add-on, security capabilities – these include Shield, Privacy Center, and trusted services solutions. While these are amazing tools, they do inherently different things than a solution like WithSecure. A prime example is preventing malware and phishing links from entering your Salesforce environment.
So, solutions on the market (like WithSecure) are solving an entirely different problem – they are complementary to the tools provided by Salesforce, not duplicative.
Steps to Protect Sensitive Salesforce Data
Protect sensitive customer and commercial data that’s stored in Salesforce from ransomware, zero-day malware, viruses, Trojans, and phishing links.
This is achieved in multiple ways, leveraging:
- Multi-gen anti-malware.
- Real-time threat intelligence.
- Smart sandboxing tools.
- Thorough and flexible scanning methods:
  - These can be configured to run continuously, every time a file or URL is posted in your Salesforce organization. Should a malicious file be found, it can be removed and placed into the Salesforce recycle bin so that no users can access it. In its place will be a text file explaining why it’s been removed, which guides users away from asking for the attachment to be sent again.
  - Run on-demand scans on the existing content in your org.
  - Files are scanned, and malicious ones automatically removed, both when uploaded to and downloaded from your system.
- URLs in your Salesforce environment:
  - These are rechecked every time a user clicks on them, which helps protect users from time-delayed phishing attacks (where a link is clean when posted and only weaponized later), which are also becoming more common.
- Filter the content that’s coming into your Salesforce environment:
  - You want to ensure that your users are never exposed, or redirected, to a gambling website or an adult website, for example.
- Map out your ‘attack surface’ with a content risk assessment tool.
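To make the quarantine-and-replace workflow and the click-time URL recheck above concrete, here is an added illustrative model (not WithSecure’s or Salesforce’s code): the denylist hash, the reputation feed, and the “recycle bin” list are all constructed stand-ins for a real scanning engine, threat intelligence feed, and the Salesforce recycle bin.

```python
import hashlib
from dataclasses import dataclass

# Constructed denylist: SHA-256 of a sample byte string standing in for a
# known-malicious attachment. A real scanner would use engines and threat intel.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-malicious-sample").hexdigest()}


@dataclass
class FileRecord:
    name: str
    data: bytes


RECYCLE_BIN = []  # stands in for the Salesforce recycle bin (assumption)


def scan_file(rec: FileRecord) -> bool:
    """Return True when the file's hash is on the denylist."""
    return hashlib.sha256(rec.data).hexdigest() in KNOWN_BAD_SHA256


def quarantine_on_upload(rec: FileRecord) -> FileRecord:
    """Clean files pass through unchanged; malicious ones go to the recycle bin
    and are replaced on the record by a text note explaining the removal."""
    if not scan_file(rec):
        return rec
    RECYCLE_BIN.append(rec)
    note = (f"'{rec.name}' was removed because it was found to be malicious. "
            "Do not ask the sender to re-send it; contact your admin instead.")
    return FileRecord(name=f"{rec.name}.removed.txt", data=note.encode())


# Constructed reputation feed: URL -> the hour at which threat intel first
# flagged it. Models a link that was clean when posted and weaponised later.
FLAGGED_AT = {"https://example.invalid/invoice": 5}


def url_is_safe(url: str, now: int) -> bool:
    """Reputation lookup at time 'now' (hours). Unknown URLs are treated as safe."""
    flagged = FLAGGED_AT.get(url)
    return flagged is None or now < flagged


def time_delayed_phishing(url: str, posted_at: int, clicked_at: int) -> tuple:
    """Compare a scan-once-at-post policy with re-checking at click time.
    Returns (verdict_at_post, verdict_at_click); True means 'considered safe'."""
    return url_is_safe(url, posted_at), url_is_safe(url, clicked_at)
```

A scan only at post time would have let the constructed invoice link through; the click-time recheck is what catches it once the feed flags it.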
Preventing and stopping these attacks is one side of the picture. Having insight into what’s going on is just as important to ensure you are equipped to investigate and prevent future attacks.
How to Prioritize Salesforce Security
This leads us to the question: Do different clouds have heightened security risks when it comes to cyber attacks?
There are seemingly infinite ways to leverage the Salesforce platform (that’s the beauty of it!). If you are using the Salesforce platform to communicate with external individuals (e.g. customers, prospects, partners) that’s when your risk is higher, versus the ways you’re using Salesforce for internal users. Prime examples are Service Cloud, Experience Cloud, Sales Cloud, and Marketing Cloud.
Don’t Forget Sandboxes
The conversation around DevOps is hot. The security best practices we’ve discussed apply not only to your production org but also when working across different sandbox environments; any sandboxes need scans running to test the configurations before they are deployed to production.
- Cyber criminals are constantly looking for new ‘backdoors’ into your systems. Salesforce and other SaaS platforms are increasingly lucrative for these attackers because they hold such important customer data.
- It’s your responsibility to secure your Salesforce instance against malicious content, and you should ensure that attackers can’t turn your business processes, such as your support process, into risk factors in these cyber attacks.
- Map out your ‘attack surface’ with a content risk assessment tool. This one, offered by WithSecure, makes it quick to understand the extent to which your Salesforce instance is exposed to cyber attacks.
- Prevention is easier, faster, and cheaper than ‘firefighting’ attacks once they’ve already happened. Security breaches cost millions of dollars, and often this doesn’t even account for the ransom that companies may have to pay, or the reputational damage to companies who have been breached. Preventative technology layers are the answer.
- Automatically protect your Salesforce instance against phishing attacks and malicious files in real time. From a Salesforce Admin’s perspective, you’ll want to find a tool that is easy to get up and running with minimal ongoing maintenance.
- Don’t forget sandboxes! Any sandboxes need scans running to test the configurations before they are deployed to production.
Once the above points have been actioned, you’ll be able to rest easy knowing that your environment is secure and being guarded against a variety of increasingly sophisticated attacks.