More Ways to Protect your Salesforce Org

In my last post, I shared a key way to protect your Salesforce implementation and still give your users the flexibility they demand, via Login IP Range restrictions. This important security control prevents unauthorized users from accessing your Salesforce org.

If you find that Login IP ranges do not work for your org, or you simply want more ways to keep your Salesforce implementation secure (you can do ALL of these things together), here are additional steps you can take to protect your organization against stolen credentials.

Two-Factor Authentication

Use Two-Factor Authentication (2FA) to require that all login attempts have both login credentials and a second authentication factor. 2FA is often described as “something you know + something you have”. For example, “something you know” is your login credentials, and “something you have” is your mobile device, to which a 2FA solution can send a text message with an authentication code that you can then enter into your browser. The second authentication factor can also be a soft or hard token that provides an authentication code.

You can implement 2FA by using the Salesforce Authenticator app, or similar solutions from security vendors. Login attempts that do not have valid credentials from both sources will not be granted access to Salesforce. Learn how to implement 2FA here.

User Education and Training

Educating users about identity confirmation is a great first step. Specifically, explain to users that if they receive an identity confirmation SMS or email while logging in from a location and device they have used before, they should be wary. This could be an attempt by attackers to use the user’s credentials from a new location and steal the identity confirmation code to complete the login.

Help users understand how to stop malware. Most cyber attacks use malware (malicious software) to infect a computer with malicious code designed to steal passwords, data, or disrupt an entire computer/network. Fortunately, you don’t need to be a security expert to help stop malware. Here are some simple recommendations you can make to your Salesforce users:

Teach users not to be fooled by phishing, and not to click links or open attachments in suspicious emails. One of the most effective cyber attack techniques is tricking someone into clicking a link or opening an attachment that installs malware. These are called phishing e-mails because they lure you into opening an email by saying something intriguing or useful, or by appearing to be a legitimate message from a real company (package delivery, payroll, undertakers, social networking, etc.).

Another simple rule with big impact is to never open emails from unknown sources. Hackers want people to click on their link so that they can infect the user’s computer. Similarly, teach that emails received from an unknown source should be evaluated based on the source and whether the message makes sense. If not, it may be malicious. The sender’s address should always be verified, and any links to URLs can be hovered over to validate them. For example, if the link says it’s from Salesforce, then hovering over the link should show a URL whose host ends in “.salesforce.com”.
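The hover check above is easy to get wrong if you only look at whether the text "ends in salesforce.com". The following is an added example (not code from the original post) showing how to apply that check properly: it parses the link and tests the actual hostname, which defeats look-alike names such as evil-salesforce.com and user-info tricks such as https://login.salesforce.com@evil.example. The trusted suffix list is an assumption for the example; adjust it to your org's real login and My Domain hostnames.

```python
from urllib.parse import urlsplit

# Assumed allow-list for this example: the legitimate parent domain named in the post.
TRUSTED_SUFFIXES = ("salesforce.com",)


def link_points_to_trusted_host(url: str, suffixes=TRUSTED_SUFFIXES) -> bool:
    """Return True only if the link's hostname IS a trusted domain or a subdomain of one.

    Why not `url.endswith("salesforce.com")`?
      * evil-salesforce.com also ends with "salesforce.com" but is not a subdomain.
      * https://login.salesforce.com@evil.example puts the trusted name in the
        user-info part; the real host is evil.example.
      * salesforce.com.evil.example starts with the trusted name but ends elsewhere.
    The example also insists on https, since a plain-http Salesforce login link is
    itself a warning sign (that is this example's policy, not the post's).
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    if parts.scheme.lower() != "https":
        return False
    # .hostname strips the port and any user:pass@ prefix and lower-cases the name.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage_links(urls):
    """Classify a batch of links; returns {url: 'trusted' | 'suspicious'}."""
    return {u: ("trusted" if link_points_to_trusted_host(u) else "suspicious") for u in urls}


if __name__ == "__main__":
    # Constructed sample links, as they might appear when hovering in a mail client.
    for url, verdict in triage_links([
        "https://login.salesforce.com/",
        "https://NA1.Salesforce.com:443/home",
        "https://evil-salesforce.com/login",
        "https://login.salesforce.com@evil.example/",
        "https://salesforce.com.evil.example/",
        "http://login.salesforce.com/",
    ]).items():
        print(f"{verdict:10s} {url}")
```

Note that a homoglyph domain (a Cyrillic letter standing in for a Latin one) also fails this check, because its hostname is a different string; what the check cannot do is vouch for a page's content once the host is legitimate.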

Remind users to never reuse or share passwords. Reuse and sharing of passwords pose serious security risks. If a user uses the same password for their Salesforce account and for their ACME account and the latter gets compromised, it could put their Salesforce account at risk! Hackers can reuse stolen credentials to see what other high-value accounts they can compromise using the same credentials. Spend the time to create strong, unique passwords for all of your accounts and consider the use of a secure password manager to help you manage them.

If you share a password, you’ve lost access control over that account. In fact, there is never a legitimate reason you would need to share your Salesforce password or any other password with anyone.

Please visit trust.salesforce.com for the latest security information and best practices. If you’d like to learn more about malware, please visit https://www.onguardonline.gov/articles/0011-malware.
