Admins / Users

Insider Threats to Salesforce Security: How to Keep Your Data Secure

By Mike Mason

With insider threats on the rise, for companies that use Salesforce, it’s critical to have the proper controls in place to prevent data loss.

Insider threats to company data are only expected to grow in number, and with new types of threats, 88% of organizations think insider threats are a cause for alarm. For organizations that use Salesforce (the largest CRM platform in the world used by over 150,000 companies globally), there are countless opportunities for insider threats to take advantage of corporate data housed on the platform. The impact of insider threats is immense, with 47% growth since 2018, while the average annual cost of insider threats has increased 31% to $11.45 million—that’s a lot of money on the line.

In this article you’ll learn which insider threats are specific to Salesforce and how to mitigate the risk of data loss due to this growing threat.

What are Insider Threats in Salesforce?

The growing insider threats at the hands of employees, third-party contractors, and other internal players means companies are further challenged with how to prevent and contain a data breach. Any Salesforce user can be an insider threat based on their permissions and profile, which is also dependent on their level of access to make changes, so it’s important for companies to close any gaps in security that create a loophole for insiders.

Common insider threats to Salesforce data include:

  • Departing employees who take data to their next job
  • Malicious insiders who want to harm a company’s reputation by leaking data
  • Negligent insiders who don’t have bad intentions, but make an error that can subject a company to security threats
  • Privileged user abuse, which occurs when users are granted more access rights than they need to perform their duties
  • Compromised credentials, where a user’s account information such as username and password are in the possession of the wrong person

It is also important to understand the impact of today’s workplace landscape on Salesforce data security because continued remote work has created an added layer of potential threats. At the beginning of COVID-19, companies temporarily loosened access control to get teams online faster, but many never went back to tighten security controls, creating serious repercussions today.

Why Insider Threats are Unique to Salesforce

Insider threats are broadly prevalent in any industry, but for companies that use Salesforce, these threats should be a top concern for security in a cloud environment. Salesforce operates and stores data in the cloud, which means employees may inadvertently or intentionally share or take sensitive data.

Organizations that use Salesforce need to keep the shared responsibility model of security in mind: Salesforce secures the platform, but once a company inputs its data, it’s up to the organization to protect its information. Without an extra layer of security beyond what Salesforce has incorporated into its own platform, data can be stolen, lost, compromised, deleted, exposed, or breached. This can incur a variety of consequences from competitive losses and revenue loss to non-compliance fines, legal fees, and loss of trust.

How to Prevent Salesforce Data from Getting into the Public Domain

Salesforce data can leave a company in many ways. In order to catch potential incidents of data loss, companies should implement a combination of policies and technology that can make the process automatic. This combination also provides a strategy that goes above and beyond Salesforce’s innate security controls, which is necessary when thinking about the shared responsibility model.

To prevent data loss and ensure this strategy permeates throughout an organization, companies should take the following steps:

  1. Understand what normal activity within your organization’s environment is, which will put a spotlight on understanding what activities are considered abnormal.
  2. Implement the principle of least privilege, which gives users the minimum level of data access necessary to do their job. It eliminates insider threats such as privileged user abuse.
  3. Ensure employees are educated on company policies surrounding data usage. When an employee knows how to spot a red flag or is able to report abnormal activities within the organization anonymously, they are more likely to immediately alert managers to these threats.
  4. Establish a robust data protection program with user activity monitoring and alerting. Technology can provide in-depth visibility into user behaviors, which allows for tracking what users are doing with data and receiving alerts if they are acting in ways that could harm the business. For example, if an employee is accessing a file that is outside of the scope of information needed to get their job done, user monitoring technology can automatically send an alert to managers or IT administrators as a red flag of potential insider threat behavior. Then the alert can be investigated by the appropriate parties.


As insider threats trend upwards and workforces continue to operate remotely, companies need to mature their security programs. These programs should comprise a set of policies for users to abide by, with the support of user activity monitoring. With 76% of organizations experiencing one or more data breaches involving the loss of sensitive information contained in files, companies should prioritize efforts to plug the gaps in Salesforce security thus avoiding a potential data breach and negative consequences.

The Author

Mike Mason

Mike is the Regional Sales Director at Varonis and an accomplished entrepreneur with nearly two decades of experience in product, implementations and sales.


    March 17, 2022 2:31 am
    What if someone knows how to cheat in Salesforce certification exam, passes it without no knowledge, hires a real developer from another country for a very low wage, gets a job with the real developer's support, now the real developer has the access to this fake developer's company computer, does every job but the company does not really know what kind of information is in the hands of whom? Does that mean an insider threat? If so, what kind of insider (outsider) thread is that?

Leave a Reply