Security should be a high priority for any Salesforce role, but for consultants, it might be more difficult to ascertain how it directly applies.
However, for a role that helps customers navigate complex implementations, security should remain at the forefront of a consultant’s business practices, and fortunately, this does seem to be the case for many consultants in the industry.
Why Should Security in Salesforce Be a Priority?
No matter how solid an implementation is or how organized a rollout is, if a business can’t ensure its users and customers will have their data protected in the org, everything can quickly fall apart.
“Security in Salesforce is a shared, ongoing responsibility and not just a checkbox for IT,” Richard Tuharsky, a Salesforce Consultant at IBM, told Salesforce Ben. “I enforce least-privilege access, require MFA, secure integrations with minimal OAuth scopes, and enable monitoring and auditing from day one.”
An interesting highlight here is MFA (Multi-Factor Authentication). As a fairly simple yet robust security option, it increases protection for user accounts against common threats like phishing attacks, credential stuffing, and account takeovers, as stated by Salesforce.
“I think one of the biggest things I think people need to be cognizant of is the benefits of MFA,” said Travis Dykstra, a Salesforce Technical Consultant. “I still hear a lot of people complaining about having to use it, but it really is a critical component for credential security, and one of the easiest ways to prevent unauthorized access through social engineering and phishing attacks.”
There is no better time to be aware of its benefits, either, especially with the ongoing Salesforce-Gainsight data breach.
Andrew Day, a Salesforce Technology Systems Consultant, said that although data breaches like this are a stark reminder of how pertinent appropriate security measures are, consultants or any Salesforce role should not just wait for one to occur to take action.
“When it comes to security, people seemingly elevate its importance after a cybersecurity incident has already occurred,” he told Salesforce Ben. “By that point in time, on average, the event is already over 200 days old and has cost the company over $4M. How you’re going to protect your data should be one of the first thoughts before building to store it.”
What Should More People Know About Salesforce Security?
Whether it’s clients, customers, or stakeholders, it is evident from speaking to the Salesforce Consultant community that there are still many considerations they wish these parties would keep in mind.
“What we always tell clients is that good security is less about being restrictive and more about being thoughtful,” said Umar Rafi and Muhammad Zohaib, both Salesforce Consultants. “For example, instead of turning admins, for even users for that matter, into “heroes” with too much access, sticking to least-privilege keeps your org safer and far easier to maintain. Minimal profiles and expiring permission sets may feel slower at first, but they prevent messy access sprawl that’s painful to unwind later.
“Also, most data doesn’t leak because someone hacked Salesforce. It leaks through reports, exports, integrations, or users pulling more than they should. Monitoring those exits and alerting on unusual activity is what keeps small mistakes from becoming major incidents.”
Consultant Security Horror Stories
At the heart of all of this – the main reason security should always be a top priority – are the horror stories of what happened when it wasn’t.
For some, this may just be someone in the org being able to access records or reports that they shouldn’t be able to. For others, it could be a full-blown, large-scale breach, putting the data or everyone in the org at risk.
Andrew explained that he has seen his fair share of different security issues, ranging from inconvenient to detrimental.
“I’ve seen quite a diverse range of security concerns across a lot of organizations,” he said. “An enterprise organization had an admin-to-user ratio of over 350%, well above the recommended 1:100. A healthcare company that routinely exports information out of Salesforce as part of their day-to-day operations, because they didn’t understand how to use it or trust it due to their self-implementation, and did not want to invest in the platform’s success.
“The common theme behind these examples is one, an unwillingness to learn and implement proper security controls while kicking the can down the road, saying ‘we will worry about that later’. Two, prioritizing usability over protection of their data, their customers/patients, and the system environment. Three, a lack of training and investment in the staff to adhere to best practices and regularly test those boundaries to confirm their proper use.”
For Umar and Muhammad, their worst security story kept them up at night.
“It started with an Experience Cloud site that seemed harmless on the surface,” they explained. “Underneath, though, a custom LWC was calling an @AuraEnabled Apex method running without sharing, with zero CRUD/FLS checks. To make things worse, the Guest User still had legacy read access to sensitive objects. A security researcher found the gap, enumerated records, and pulled PII over a weekend.
“The impact was painful: thousands of contact records exposed, and because Event Monitoring wasn’t enabled, nobody saw it happen. We only found out through a responsible disclosure days later – which is not a great feeling.”
Security Tips for Salesforce Consultants
As a consultant, you will often be one of the first professionals in line to navigate a client’s org, assisting in set up, rollout, and adoption, so the pressure to deliver something functional, scalable, and safe is weighty.
With that in mind, here are three security tips to keep in mind going forward:
- Approach security from relevant angles. Utilize everything from MFA to a strong password policy, to adhering to the principle of least privilege.
- If someone doesn’t need to read into the information, they don’t need to see the information. As Andrew, who is a USAF veteran, puts it: “In the United States Department of War, they grant security clearances for information. We should all treat our environments with the same level of scrutiny and infosec principles when we are opening up access for our users.”
- Do not skimp out on appropriate monitoring. Even when security measures are put into place, the job isn’t finished yet; they need to be monitored. As Umar explained it: “[For example], Event Monitoring flows into a SIEM, Transaction Security Policies catch risky activity in real time, and dashboards flag spikes in API calls, report exports, or data access.”
Final Thoughts
Salesforce consultants need to treat security as a continuous, shared, and important part of every project, weaving strong data protection in at all times. Key actions are forcing MFA, giving access only to what users need (least-privilege), and keeping an eye on data access.
Putting off security because it’s easier now is not an option – and it could very well lead to a plethora of issues, including breaches, leaks, and more.
