3-Step Security Tuneup

Data breaches are becoming increasingly common, raising awareness about the various tools we can use to maintain security. Unfortunately, many long-time Salesforce customers haven't updated their security protocols, and many of their users are logging in with the same password they have used forever on their Gmail or social media accounts! Luckily, Salesforce has some great built-in security features that are easy to implement; here are three quick steps you can do today that will help you sleep more securely tonight.

1. User Login Audit
Salesforce provides a built-in tool for viewing login history. From Setup search, enter Login History, which takes you to a comprehensive report of all the logins for your org in the last six months. The amount of data can be overwhelming, so click the link to Create New View, and select the fields most important to you. You can also download the report as a CSV file. 

There are a few key fields that aren't in that Login History (for example, Last Login and Profile), so you can create a custom report and schedule it to run monthly. Create the report on the User object, with fields for first and last name, Profile, Application, Last Login, Source IP, Platform and Browser. Filter on Active equals True, and sort Last Login descending.

This report will help you analyze the following:
  • Spot any users who have recently left the company but still have access. 
  • Identify users who have access but aren't logging in regularly; culling these users can save you money, as well as reducing access risk.
  • Spot user accounts with an unusual number of source IP addresses, with multiple logins at the same time, or with multiple browsers/platforms; these could all indicate an intruder piggy-backing on a user's credentials.
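To show what that third check looks like in practice, here is an added example (not from the original post) that reads a Login History CSV export and flags the patterns above. The column names, thresholds and sample rows are assumptions; adjust them to match your org's export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a Login History CSV export (not real data). Column
# labels are assumed to match the export; rename them to fit your file.
SAMPLE_CSV = """Username,Login Time,Source IP,Browser,Platform,Status
alice@example.com,2024-05-01 09:02:00,203.0.113.10,Chrome 124,Windows 10,Success
alice@example.com,2024-05-01 09:03:00,198.51.100.7,Firefox 125,Mac OSX,Success
alice@example.com,2024-05-02 10:15:00,192.0.2.44,Safari 17,iOS 17,Success
bob@example.com,2024-05-01 08:30:00,203.0.113.10,Chrome 124,Windows 10,Success
bob@example.com,2024-05-02 08:31:00,203.0.113.10,Chrome 124,Windows 10,Success
carol@example.com,2024-05-01 22:00:00,203.0.113.10,Chrome 124,Windows 10,Success
carol@example.com,2024-05-01 22:01:00,198.51.100.7,Chrome 124,Windows 10,Success
"""

def parse_logins(text):
    """Group the CSV rows by username and parse each login timestamp."""
    by_user = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["Login Time"], "%Y-%m-%d %H:%M:%S")
        by_user[row["Username"]].append(row)
    return by_user

def flag_users(by_user, max_ips=2, window=timedelta(minutes=5)):
    """Return {username: [reasons]} for accounts matching the audit criteria."""
    findings = defaultdict(list)
    for user, rows in by_user.items():
        ips = {r["Source IP"] for r in rows}
        if len(ips) > max_ips:  # unusual number of source IPs (threshold assumed)
            findings[user].append(f"{len(ips)} distinct source IPs")
        clients = {(r["Browser"], r["Platform"]) for r in rows}
        if len(clients) > 1:  # more than one browser/platform combination
            findings[user].append(f"{len(clients)} browser/platform combos")
        # Near-simultaneous logins from different IPs (one hit per user is enough)
        rows = sorted(rows, key=lambda r: r["ts"])
        for a, b in zip(rows, rows[1:]):
            if b["ts"] - a["ts"] <= window and a["Source IP"] != b["Source IP"]:
                findings[user].append(
                    f"logins at {a['ts']:%H:%M} and {b['ts']:%H:%M} from different IPs")
                break
    return dict(findings)

if __name__ == "__main__":
    for user, reasons in flag_users(parse_logins(SAMPLE_CSV)).items():
        print(user, "->", "; ".join(reasons))
```

Review the flagged accounts against the scheduled User report (Profile, Last Login) before acting; a field rep who legitimately works from several devices will trip the browser/platform check.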

2. Password Policies and Two-factor Authentication
Enforce these best practices for user passwords in your org. Have passwords expire; prevent users from recycling the same passwords; mix letters, numbers and special characters; and set a limit on invalid logins.
Next, set two-factor authentication login requirements in user profiles. You can use discretion to determine which users should be required to use it. For example, two-factor authentication is probably not needed for an Inside Sales team that has login access restricted to business hours and your internal IP address. But for your field sales reps who are traveling and logging in at all hours, two-factor with a mobile authenticator app is smart and convenient for the user. Find two-factor authentication setup instructions here.

3. Health Check
One of the best security tools is built right into Salesforce. Go to Setup > Security > Health Check. When you go to this page, it automatically does a security assessment of your org and returns a report with Critical issues, Warnings, and settings that are compliant. You decide which of the settings to bring into best practice compliance, and click the Fix Risks button to have the selected settings changed.

Other Considerations
These three steps are the bare essentials of securing your business data and customer privacy. There are lots of other things to consider, including these basics:
  • Field-level security and encryption
  • Object access through permission sets
  • Record access through a Roles hierarchy
  • Sharing settings
Salesforce updates their comprehensive security guide often, so google the latest version. If you need additional help with your security implementation, contact me.