As the volume, variety, and velocity of data increase in your Salesforce Org, top security professionals face a data confidence crisis. How can you protect your mission-critical data from a growing list of threats? What data do you hold, who has access to it, and how much damage can they do? How can you safely leverage your data to accelerate digital transformation?
To help answer those questions, Own (formerly OwnBackup) compiles and anonymizes data from the Security Risk Assessments and projects we conduct each year. The resulting information is published in our annual Salesforce Data Risk Report, and provides a real-world look at the vulnerabilities your organization faces.
Here is a summary of the key findings in the 2022 report:
Unsuccessful data classification
Precious few Salesforce users have successfully classified their data. In fact, the average Org has classified a total of zero fields within Salesforce. This is a huge problem. Data classification is a foundational exercise—you must know what data exists in Salesforce before you can properly protect it.
We’ve found that organizations know they need Salesforce data security and most have a data classification policy, but the vast majority haven’t identified—in a fine-grained, actionable manner—what data requires protection.
Major gaps between InfoSec & Salesforce teams
Line-of-business units (LOBs) drive SaaS proliferation throughout an organization, and the priority is always to innovate faster, without being constrained by InfoSec or Audit. Salesforce teams, which support those LOBs, often find themselves at odds with InfoSec. There is both a knowledge gap and a language gap between the two teams: InfoSec doesn’t know the nuances of Salesforce, and Salesforce teams speak only to control findings instead of risks.
Because Salesforce is designed to give unprecedented visibility into customer records, it’s important for internal teams to understand that Orgs will always contain sensitive information, and that Salesforce must be treated like any other SaaS application. As businesses continue their rush to the cloud, InfoSec and Salesforce teams need to find ways to come together and facilitate conversations about risks surrounding the people, processes, and technology that interact with the platform.
Too many privileged users in production
Our 2022 Salesforce Data Risk Report found that, in the average Org, 88% of users are over-privileged and 50% of total users can export data/reports. More specifically, there are too many privileged users in production environments. We see Orgs with scores of system administrators, when there should only be a handful. Additionally, companies aren’t using the Session-Based Permission Sets feature that was released by Salesforce almost two years ago to help address this problem.
In short, companies are leaving their data vulnerable by ignoring the two key principles of Salesforce implementation in regulated environments: the Principle of Least Privilege and Segregation of Duties.
Lack of resilient continuity solutions
Most companies do not have effective backup and recovery solutions. The companies that do have a backup typically don’t have robust recovery tools and strategies that would position them to be resilient. Organizations of all sizes, from small businesses to Fortune 100s, are neglecting detection and restoration.
It was clear from our findings that companies need to rethink how they handle continuity. The approach should be bigger than a single application or provider, and instead span the entire enterprise and overall security strategy. Remember that according to the shared responsibility model, providers are responsible for security of the cloud, and customers are responsible for security in the cloud.
Fortify your Salesforce data security
Salesforce is not running in isolation. The platform is integrated with your entire enterprise, receiving information upstream, sending data downstream, and touching expensive resources on a daily basis to help you service customers, sell to prospects, and market to new audiences. It’s critical to prioritize data security in Salesforce, and we can help.
With Own Secure, you can easily identify data exposure risks and proactively take action to protect and secure your data, all within Salesforce. Download the 2022 Salesforce Data Risk Report to learn more about the most common vulnerabilities you need to protect against in your Org, and how we can help.