Last year changed everything, and traditional ways of doing business went out the window alongside the mass exodus from the office. As employees were forced to learn their way around unfamiliar collaboration tools, share workspaces with spouses, and juggle childcare and distanced learning demands during the ensuing chaos, details like security and compliance often lay neglected near the bottom of the priority list. The same was true all the way up the corporate ladder, and one survey of C-level executives on Infosecurity Magazine found that 90% had canceled or postponed critical security projects on account of the transition to remote work.
Recognizing that the survival of many companies was at stake in the early days of the pandemic, numerous regulatory bodies opted to give these businesses a compliance grace period in the same way banks and utilities let missed mortgage payments or electricity bills slide without penalizing customers or withholding service. As investment adviser representatives relocated to shelter-in-place, for example, state regulators in Delaware and Alabama offered now-expired grace periods. Maine extended its grace period until Jan. 29, 2021, and New Hampshire continued its grace period indefinitely.
Cybercriminals were of a different mind. Instead of giving the world time to come to grips with the pandemic and get security matters in order, they redoubled their efforts: The same Infosecurity Magazine report saw 90% of CXOs reporting an increase in cyberattacks since remote work began in earnest.
The High Stakes of Security
Cybercrime isn’t carried out by enterprising computer engineers looking to make a quick buck. These hackers are hardened criminals, and a report by the Federal Bureau of Investigation in conjunction with the Department of Homeland Security and the Department of Health and Human Services illustrated that hacker groups are deliberately targeting the most vulnerable systems — including those relied on by healthcare providers — at the height of the COVID-19 pandemic.
Network insecurities can have devastating consequences for healthcare providers and their patients, but a business breach can also threaten the survival of the company that falls victim. The loss of valuable data, the substantial time and effort to get systems back up and running, and the very real damage to a company’s reputation all add up to an astronomical cost — and that’s before considering the fines and fees sure to be levied by a large and growing number of regulatory bodies that keep industries in check.
Cutting Through the Complexity of Compliance
The days of the Wild West of data are behind us, and businesses around the world face ever-increasing scrutiny over what kind of data they use, how they collect it, how they store it, and what prudent measures they take to protect it. In the healthcare space, the Health Insurance Portability and Accountability Act applies to only a small portion of the industry, but it has become a broad standard informing how patients access their information and how providers treat this data.
The United States Congress passed the Gramm-Leach-Bliley Act in 1999 to establish broad data reporting requirements in the finance industry, but there’s also legislation at the state level across the U.S. The New York Department of Financial Services passed Cybersecurity Regulation 23 NYCRR 500 in 2017, for instance, which requires covered entities to conduct cybersecurity risk assessments and put together plans that promise to mitigate those risks.
Other legislation, such as Europe’s comprehensive General Data Protection Regulation, applies across industries. Even companies based outside of Europe are held to GDPR standards if they do business with European customers and thus interact with their data. Without equivalent regulation at the federal level in the U.S., some states — including California with the California Consumer Privacy Act, or CCPA — are looking to pass their own sweeping GDPR-like legislation.
When you combine the tangled web of compliance demands with the overarching capabilities of a cloud program such as Salesforce, it’s easy to see how compliance can go from a nuisance to a nightmare. While many client companies expect Salesforce to take care of security, they often fail to realize that the platform is only partially responsible for the data contained within it.
Hanna Andersson Gets Hacked
One of the first lawsuits citing the CCPA was Barnes v. Hanna Andersson, LLC, in which a plaintiff sought damages against the retailer of children’s apparel after a 2019 data breach gave hackers access to the personally identifiable information (PII), including credit card data, of more than 200,000 customers. Salesforce was also named as a defendant because the retailer utilized the cloud provider’s e-commerce platform. But while Hanna Andersson is paying $400,000 in damages, Salesforce isn’t contributing a dime.
Why is that? Salesforce takes the platform’s security very seriously, but that doesn’t mean the provider is responsible in the event of a breach. Ultimately, much of the security burden falls on customers, whose actions can either increase the safety of their data or put it directly at risk. Our experience has taught us that misconfigurations drive 99% of security failures, which means the blame for a breach is almost always squarely on the Salesforce customer.
To identify these security shortcomings before they blow up into breaches, your organization will need to conduct thorough audits that produce actionable intelligence.
How to Ace Your Next Audit
Whether they’re conducted by internal compliance professionals or enforcement officers sent by regulatory bodies, audits are a necessary part of security. The audit process helps identify what information is present in your Salesforce Orgs, what kind of risk that information poses to your organization, and ways to secure your data against both internal and external threats.
Audits are also valuable in that they give technology and product ownership teams an opportunity to step away from their typical deployment activities and work with compliance and security professionals. As a result, non-security personnel come away with a better understanding of their roles in security. Developing a culture that prioritizes security takes time, but audits will help put you on the path toward this goal.
In the meantime, to prepare for the audit process and improve audit outcomes, focus on these five strategies:
- Keep thorough records
With the first vaccines finally in distribution around the globe, there’s light at the end of the tunnel. People are starting to picture a post-pandemic world, and as auditors start making their rounds and working through backlogs, they’ll be visiting your organization sooner than you think. When auditors arrive, you’ll need to demonstrate how decisions made during the chaos of the pandemic took into account the compliance demands of your specific industry.That means you should keep extensive records of those decisions and the thought processes you followed in order to arrive at them. Compiling these records will help you navigate the audit process whether the time comes tomorrow or months from now, but they’ll also help you work through the next crisis that could be years down the road. Records are a valuable source of information for outside auditors, but they can also inform all kinds of improvements within the organization.
- Put people first
It’s tempting to view security problems through a technological lens, but almost every security lapse has people at its core. Education can ensure your employees are aware of Salesforce security best practices, such as the importance of using secure networks, unique passwords and multi-factor authentication, but don’t forget to adapt educational programs to the ever-changing security environment.
Changes brought on by the pandemic have put a whole new set of demands on employee education. Workers who have always logged onto your corporate Wi-Fi might not know how to use a VPN, and phishing can pose an even greater risk with so many additional interactions taking place digitally. Conversations that used to occur in-person are now happening via email or messaging platforms such as Slack. Employees in a rush can easily miss a small clue that these communications aren’t from the person they assume and accidentally divulge sensitive information without a second thought.
Digital interactions also produce data, whether it’s in the form of emails, recorded video chats, or any one of the many data types supported by a cloud platform like Salesforce. To ensure that data doesn’t get into the wrong hands, it needs to be classified in a way that prioritizes security and compliance.
- Assemble a complete team
Internal compliance or audit professionals can’t bear the entire burden of regulatory compliance. Instead, it’s important to assemble a team or committee consisting of internal or third-party compliance experts, certified information security professionals and Salesforce app owners who can all work together to ensure that information is protected.
Security is a big responsibility, and a multidimensional team can meet security goals more efficiently than siloed stakeholders. Compliance officers, for example, will be able to determine data classification and usage models, but that effort is valuable only if it percolates into the processes of security personnel and informs the app development methodology of your company’s computer engineers. By incorporating data classification into application delivery requirements, you can ensure developers are building applications with security top of mind.
- Implement Salesforce Shield correctly
Salesforce Shield is a powerful tool, but it’s useful only if your organization takes advantage of it. Many of our customers are spending money on Shield without ever taking the time to implement its capabilities. Any audit should identify the resources available for securing your organization, including Salesforce Shield and its Encryption, Event Monitoring, and Field Audit Trail features.
- Rely on a third-party expert if necessary
In the shadow of the pandemic, organizations are focused on meeting business requirements and supporting existing application functionalities, but few have the capacity to integrate security into the development and release process used for Salesforce. As a result, security gaps are growing, and cybercriminals are poised to take advantage of the exposure.
Internal compliance professionals often have little understanding of Salesforce security and how the platform is utilized throughout the business, but that’s our specialty. RevCult works with clients in various stages of security preparedness. An alarming 75% of our customers come to us with dangerously misconfigured access and security settings. Even on the more diligent end of the spectrum, we have yet to encounter a Security Risk Assessment customer with a full classification of the data being stored in the Salesforce Org.
A successful audit of your Salesforce platform and the associated risks is impossible without knowing what kind of data is stored and how its utilized throughout your organization. To make the most of your organization’s audits, you should strongly consider working with a third-party expert.
The Salesforce platform has gone far beyond a simple CRM, and it now offers an entire suite of powerful enterprise applications. The incredible variety of solutions is undoubtedly a strength of the platform, but it
can lead to weaknesses in security for the businesses that aren’t prepared to conduct proper audits. At RevCult, our business is Salesforce security and governance so that your business can focus on what it does best. We help auditors navigate complex compliance requirements, implement appropriate security configurations, and manage an organization’s data sprawl within the broader Salesforce platform.
Interested in learning more? Request a free Guided Risk Assessment for Salesforce today, or schedule a demo below.