By the very nature of its design, Salesforce contains some of the most sensitive and critical data that an organisation stores. After all, it is one of the largest and most popular CRM platforms, containing not only vast amounts of customer data but also its customers’ critical information such as prospect lists, pricing and discounting information, sales pipelines, and other highly confidential and sensitive information.

And as the number of data breaches continues to skyrocket each year, as enterprises become increasingly digital and connected, more employees work remotely or on a hybrid basis, and our adversaries become more determined and sophisticated the more these systems are under attack.

To make matters worse, entities that fail to implement the appropriate cybersecurity controls and measures risk facing severe consequences, such as revenue loss, regulatory fines, legal fees, and an unquantifiable loss of customer confidence and brand trust.

This is why understanding the potentially catastrophic impact of a successful Salesforce breach, or actions by internal players, whether careless or malicious, is vital. With this in mind, TechCentral and Varonis hosted another well-attended roundtable event at the Jaguar Land Rover Experience Centre in Johannesburg last week.

Executives from select industries who all use Salesforce in their businesses were treated to a great breakfast, a 4×4 driving experience in top-of-the-range Land Rovers and, importantly, a series of collaborative and robust conversations about some of the common Salesforce security pitfalls that they, as leaders within their organisations, face.

Governance, risk, legal, audit – “The fun police”

Because Salesforce is a well-established software service provider, many entities rely on the platform and can easily forget that their data still needs to be properly managed and secured. And in today’s increasingly stringent environment, neither a business’s data nor its customers’ sensitive data can simply be “dumped” into a corporate data repository and assumed to be safe.

Governance, risk, compliance and legal all formed a major part of the discussion, as did their importance as supporting functions that are critical to business success, rather than mandatory tick-box exercises that need to be completed. This difference in perspective has led to business and IT engaging these risk support functions in the delivery of value as early as possible, and not as a process control sometime down the line or tacked on as an afterthought.

Today, the compliance function can be viewed as the guardrail needed to enable the business to ultimately reduce the risk of negative brand exposure, reputational loss and legal recourse.

The people in the room all appreciated the need for supporting risk functions and suggested that, as South Africans, we should embrace this mitigation of risk while taking measured and informed risks in order to ensure that business grows and thrives.

Shared responsibility — “Who, me? I just work here!”

The paradigm shift to thinking that data security is everyone’s responsibility and not just the people in the organisation tasked with cybersecurity came under the spotlight, too. Bad actors are always on the lookout for loose links in the security chain, and often target individuals – usually an employee or third-party partner to open the door to the corporate network.

They do this by employing a range of cunning social engineering techniques and phishing to fool the individual into giving up legitimate login credentials. Once inside, they can move laterally around the network, installing additional malicious tools, performing reconnaissance and exfiltrating information.

Exacerbating the problem of the human factor in cyberattacks is the fact that traditional security tools such as antivirus software have been shown to be ineffective against these techniques, which has led to security teams understanding that they need a more holistic approach to protect their data and people.

This is forcing business leaders to wake up to the fact that they need to incorporate a mix of security awareness training and security solutions led by robust policy enforcement, such as the enforcement of the principle of least privilege.

At the end of the day, all participants agreed that everyone in the business has a part to play in creating a human firewall or protective layer against cyberattacks.

Challenges – ‘We’re all in the same boat’

On the whole, those at the roundtable all shared similar experiences of trying to manage their data security in Salesforce. One challenge was sensitive data being overexposed due to complex permissions structures not being adequately set.

In addition, they experienced employees leaving with customer information that they have intentionally extracted and/or taken with them without necessarily knowing. Similarly, former contractors and external third parties sometimes preserve their access and permissions (without the company’s knowledge) and are accessing corporate data after project completion.

Another common issue was shadow copies containing product and real customer data being saved in different places for QA, DevOps, development and other purposes, and being out of sight of security controls. Finally, the sharing of profiles to expedite delivery, or in most cases circumvent “restrictive” policies, emerged as an issue.

In summary, the risks are there, and should not be underestimated. One of the greatest dances is ignoring the risks in the hope they all go away. Attendees were of a consensus that connecting with colleagues, peers and industry experts is key to staying ahead of the game.