Security Tips to Make Your Salesforce More Secure

Security Tips to Make Your Salesforce More Secure - Twelverays blog

Intro

As more business moves to cloud-based services, it is wise to put a layer of security practices in place to reduce both cyber risk and human error. One of the business goals is to reduce the chance that your system is hacked or that its vulnerabilities are exposed.

Here is a list of security measures you can take to make your Salesforce more secure.

MFA (Multi-Factor Authentication)

Add a second proof of identity on top of the password, so a stolen password alone is not enough to get in. This is not optional. Salesforce has required MFA for all products since February 1, 2022, and it began automatically enabling MFA for direct logins on April 8, 2024. If you log in through single sign-on, your identity provider satisfies the requirement.

Use a strong verification method. Salesforce accepts the Salesforce Authenticator app, third-party authenticator apps, and security keys. It does not accept SMS or email codes for the MFA requirement, because both are easier to intercept. Admins set this up from Setup by following the official Salesforce MFA guide.

Everything Admins Need to Know About the MFA Requirement - Salesforce Admins


Limit Admin Access

This sounds obvious, but sometimes laziness compromises security. An organization should be strict about who is given admin access, and detailed enough to restrict what type of admin access each person actually needs. There are many strategies out there, but the simplest starting point is to give just enough access to get the job done. For example, sales managers don't need access to customize fields or create entities; they should only be given access to manage sales-related entities.

What Is a Salesforce Admin? - Salesforce Blog

Having Strong Passwords & Using a Password Manager

The easiest defence against being hacked is a strong password. It reduces your exposure because a long, hard-to-guess password increases the time it takes to crack it.

Length matters more than forced symbol-swapping. Use a long passphrase. Modern guidance from NIST favors length and breach-screening over complexity rules that push people toward predictable patterns. Salesforce's default minimum is 8 characters.

A password manager does the hard part for you. It generates a long, unique password for every login and stores it securely, so nobody reuses one password across systems. Pair that with MFA and you close the two most common account-takeover paths.

4 Practices to Ensure Data Security - Salesforce


Report a Security Concern

If you find a vulnerability in Salesforce itself, report it through the Salesforce Security site rather than emailing an unmonitored address.


Security Health Check

Admins can use Health Check to find and fix weak settings, all from a single page. A summary score shows how your org measures against a security baseline, such as the Salesforce Baseline Standard. You can also save custom baselines and measure your org against your own standard instead of the default.

Use Health Check to Scan Your Security Configurations Unit


Auditing

Auditing tells you how the system is actually being used, which is how you catch real or potential security concerns. Salesforce gives you the audit tools, but they only protect you if someone reviews them. Schedule regular audits to identify potential abuse.

To confirm that your system is really protected, run audits to track unexpected changes or unusual usage patterns.

Field Audit Trail, a Briefing for ISVs | Salesforce Developers Blog


Monitor Login History

Review successful and failed login attempts to your Salesforce org and Experience Cloud sites. The Login History page shows up to 20,000 user logins from the past six months. For a longer record, export the data to a CSV or GZIP file.

Watch for failed-login spikes, logins from unexpected locations, and access at odd hours. Those are early signals of a compromised account.
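As an added example (not from the original post), here is a small review script that applies those three checks to a Login History CSV export. The column names, the corporate IP prefix, the failure threshold and the sample rows are all constructed assumptions; adjust them to match your own export.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample in the shape of a Login History CSV export.
# Column names are assumed for illustration; check them against your own export.
SAMPLE_CSV = """Username,Login Time,Source IP,Status
alice@example.com,2024-05-06 09:02:11,203.0.113.10,Success
alice@example.com,2024-05-06 09:05:30,203.0.113.10,Invalid Password
alice@example.com,2024-05-06 09:30:45,203.0.113.10,Success
bob@example.com,2024-05-06 02:14:03,198.51.100.7,Success
mallory@example.com,2024-05-06 03:01:00,192.0.2.44,Invalid Password
mallory@example.com,2024-05-06 03:01:20,192.0.2.44,Invalid Password
mallory@example.com,2024-05-06 03:01:41,192.0.2.44,Invalid Password
mallory@example.com,2024-05-06 03:02:05,192.0.2.44,Invalid Password
"""

# Assumed corporate address range; anything else counts as an unexpected location.
KNOWN_PREFIXES = ("203.0.113.",)
FAILED_LOGIN_THRESHOLD = 3   # failures per user before a finding is raised
WORK_HOURS = range(7, 20)    # 07:00-19:59 is treated as normal access time

def review_login_history(csv_text, known_prefixes=KNOWN_PREFIXES):
    """Return a sorted list of (kind, username, detail) findings."""
    failures = Counter()
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user, ip, status = row["Username"], row["Source IP"], row["Status"]
        when = datetime.strptime(row["Login Time"], "%Y-%m-%d %H:%M:%S")
        if status != "Success":
            # Count failures per user; a single typo is not worth a finding.
            failures[user] += 1
            continue
        if not ip.startswith(known_prefixes):
            findings.append(("unexpected_ip", user, ip))
        if when.hour not in WORK_HOURS:
            findings.append(("odd_hour", user, when.strftime("%H:%M")))
    for user, count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(("failed_login_spike", user, str(count)))
    return sorted(findings)

if __name__ == "__main__":
    for kind, user, detail in review_login_history(SAMPLE_CSV):
        print(f"{kind:20} {user:24} {detail}")
```

On the sample data the script flags mallory's burst of failed logins and bob's successful login from an unknown address at 02:14, while alice's single failed attempt stays below the threshold.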

Reporting of login history - Salesforce Developer Community


Track Field History

Field History Tracking records changes to the fields you choose and shows them in the History related list on a record. Standard Field History Tracking retains data for up to 18 months in your org and 24 months via the API, and it does not count against your data storage.

If you need longer retention, Field Audit Trail, a Salesforce Shield capability, archives field history for up to 10 years. Pick the fields that matter for compliance and turn tracking on for those.

Enable Account Field History Tracking Unit | Salesforce Trailhead


Monitor Setup Changes with the Setup Audit Trail

The Setup Audit Trail logs administrative changes to your org's configuration, including who changed what and when. Check it after any unexpected behavior, and review it regularly so configuration drift never goes unnoticed.

Difference between Setup Audit Trail and Field History Tracking - Salesforce Developer Community


Salesforce Shield

Salesforce Shield is a set of security tools for organizations with stricter compliance and governance needs. It has four components: Shield Platform Encryption, Event Monitoring, Field Audit Trail, and Data Detect. Together they encrypt sensitive data at rest, monitor user activity, archive field history, and identify where sensitive data lives. Ask whether Shield is included in your edition or available as an add-on.

Salesforce Shield - Data Monitoring & End to End Encryption - Salesforce.com



Real-Time Event Monitoring

Real-Time Event Monitoring tracks key events in your org in near real time, so you can detect and respond to threats faster. You can store the event data for auditing and reporting, and build transaction security policies with a point-and-click Condition Builder or with Apex code.

It is available in Enterprise, Unlimited, and Developer editions, and requires Salesforce Shield or the Salesforce Event Monitoring add-on. With it, you can:

  • Monitor live transactions across the org.
  • Flag suspicious activity, such as logins from unknown IP addresses.
  • Watch large data exports and report downloads.

Introduction to Real-Time Event Monitoring | Salesforce Developers Blog



Conclusion

This isn't an exhaustive list, but it is a good starting point for keeping your Salesforce secure. Implement these practices to give yourself an edge against attackers.
