Large scale criminal hacking has grown at an exponential pace. Within the last few months, Target has been in the spotlight for the hacking of their payment systems where 70-90 million shoppers’ personal information, including credit card data, was stolen. Because we are living in a digital world, it is important to keep in mind that we are not impervious to hacks – even our businesses.
According to a 2011 Computer World survey, 90% of respondents said that their company experienced a hack at least once in a 12-month span, and 60% said that their companies were hacked twice in that same 12 months. According to a more recent Forbes article, 10,000 websites are hacked every day!
Thankfully, Salesforce users benefit from some very robust security controls that come standard with the platform. This is part of the benefit of a multi-tenant SaaS platform. Even so, your organization is not immune to security breaches. Users still create weak passwords and have poor computer habits (like opening that email from a Nigerian Prince). 36% of people don’t password protect their mobile device (cell phone or tablet), which leads to further potential data loss (especially in a BYOD environment).
The great news is that in addition to the great security we get from Salesforce, Administrators can reduce the odds of a breach by making some small tweaks to their Salesforce system.
According to a Deloitte report, 90% of passwords are vulnerable to hacking even if they follow the recommended security strength formula (upper and lower case letters, numbers, symbols and, at least, eight characters). Setting up strong password policies can reduce the chances of a user’s account being hacked by forcing strong passwords.
Administrators can set system-wide policies to enforce the use of strong passwords and limit access to the system after a certain number of failed attempts. Click Setup | Security Controls | Password Policies to access this information. Here, you can:
- Set passwords to expire after a certain duration requiring users to generate a new password.
- Determine how many passwords will be remembered to prevent users from recycling previously used passwords.
- Set a minimum character length and complexity requirements.
- Prevent the password from being used as the answer to the user’s security question. (Sorry Sue, you can’t use your pet’s name as the password AND the answer to your security question).
- Determine the maximum number of login attempts a user can have before being locked out of the system.
- Set how long a user is locked out after exceeding that number of login attempts.
While users may not be very happy with some of these settings, it is important to remember that your company owns the data in Salesforce, and it is up to us to ensure that we are enforcing a good password policy.
Enable Login Restrictions
Login restrictions work in addition to password management to help prevent unauthorized access to your company’s Salesforce org.
While not every company may find login hours useful or necessary, there are some organizations that want to ensure that certain users are only able to access Salesforce information during a specific range of hours. For example, you may want to prevent members of customer service from accessing Salesforce data while not on the clock.
Business hours can be set and restrictions can be enabled at the profile level by clicking Manage Users | Profiles | Profile Name | Login Hours. Be sure that you review the implications of users’ time zone settings if you have folks working remotely, as the start and end times will be applied according to those settings.
Many popular applications including Facebook, Twitter and Google now have two-factor authentication options. This type of authentication requires two stages of authentication – typically a username and password as the first stage, then a verification code as the second stage.
Login IP Address Ranges
While setting business hours may restrict when users can access Salesforce, IP address ranges determine where a user can access Salesforce. By restricting access to a specific range of IP addresses, you can ensure that any attempt to access Salesforce outside of that range will be denied. If a user is accessing Salesforce within a specified range, they will be allowed to proceed as long as the standard challenges are completed successfully (such as username and password, two-factor authentication etc.).
This is both good and bad and would require some thought. For example, it is not a good idea to restrict access to sales reps who travel regularly as the IP addresses they use to access Salesforce will change frequently. Because IP restrictions are added at the profile level, you can be rather granular in who is awarded a specific range and who is not.
Organization-Wide Trusted IP Addresses List
Enabling these restrictions can be painful to users, but you can help alleviate these pain points by enforcing the extra security challenges only when users are outside of the office. Setting up an organization-wide trusted IP address list allows users to log into Salesforce from those addresses without receiving a login challenge.
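One way an administrator can verify that the password policies and the organization-wide trusted IP list described above actually match the intended baseline is to audit an exported SecuritySettings file rather than eyeballing the Setup pages. The script below is an added example, not code from the original post or from Salesforce; it assumes the Metadata API layout for SecuritySettings (passwordPolicies and networkAccess/ipRanges), and the XML it audits is a constructed, deliberately weak sample.

```python
"""Audit an exported Salesforce SecuritySettings XML against a baseline.

Assumes the Metadata API layout (SecuritySettings > passwordPolicies and
networkAccess > ipRanges). SAMPLE_XML is a constructed, weak example.
"""
import ipaddress
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample export: every setting here is one the post says to tighten.
SAMPLE_XML = """<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
  <networkAccess>
    <ipRanges><description>HQ</description><start>203.0.113.0</start><end>203.0.113.255</end></ipRanges>
    <ipRanges><description>everyone</description><start>0.0.0.0</start><end>255.255.255.255</end></ipRanges>
  </networkAccess>
  <passwordPolicies>
    <complexity>AlphaNumeric</complexity>
    <expiration>Never</expiration>
    <historyRestriction>0</historyRestriction>
    <lockoutInterval>FifteenMinutes</lockoutInterval>
    <maxLoginAttempts>NoLimit</maxLoginAttempts>
    <minimumPasswordLength>6</minimumPasswordLength>
    <questionRestriction>None</questionRestriction>
  </passwordPolicies>
</SecuritySettings>"""


def _text(root, path):
    node = root.find(path, NS)
    return node.text if node is not None else None


def audit(xml_text, max_trusted_hosts=65536):
    """Return a list of findings; an empty list means the baseline is met."""
    root = ET.fromstring(xml_text)
    p = "m:passwordPolicies/m:"
    findings = []
    if int(_text(root, p + "minimumPasswordLength") or 0) < 8:
        findings.append("minimumPasswordLength below 8")
    if _text(root, p + "complexity") != "UpperLowerCaseNumericSpecialCharacters":
        findings.append("complexity does not require upper, lower, digit and symbol")
    if _text(root, p + "expiration") == "Never":
        findings.append("passwords never expire")
    if int(_text(root, p + "historyRestriction") or 0) < 3:
        findings.append("fewer than 3 previous passwords remembered")
    if _text(root, p + "maxLoginAttempts") in (None, "NoLimit"):
        findings.append("no lockout after failed logins")
    if _text(root, p + "questionRestriction") != "DoesNotContainPassword":
        findings.append("security answer may contain the password")
    # A trusted range that covers most of the internet silently disables challenges.
    for r in root.findall("m:networkAccess/m:ipRanges", NS):
        start = ipaddress.ip_address(r.find("m:start", NS).text)
        end = ipaddress.ip_address(r.find("m:end", NS).text)
        desc = r.find("m:description", NS).text
        if int(end) - int(start) + 1 > max_trusted_hosts:
            findings.append(f"trusted range '{desc}' is too broad")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_XML):
        print("FINDING:", finding)
```

Retrieve the real file with a Metadata API export of the SecuritySettings type and pass its contents to `audit()`; each finding maps to one of the Setup pages named above.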
Administrators should be smart in the way that they activate these security settings. If done wrong, it is possible to cause extensive end-user frustration. If your company has a security team, I highly advise working with them to help communicate the desired security settings and help ensure the settings are correct.