The hidden risks of Salesforce—and how to address them

Do you really know what’s happening in your Salesforce environment? Working in enterprise cloud applications like Salesforce is secure—but only up to a point. While software-as-a-service (SaaS) vendors such as Salesforce regularly strengthen their services to make them resilient and stable, there are hidden risks to using the platform that most users aren’t aware of.

Your data, your problem: Your responsibility for securing Salesforce

To understand this risk, you need to understand how Salesforce security works and what all users need to take responsibility for. Salesforce has solid infrastructure security in place, but not all security areas are the cloud vendor’s responsibility, and those areas are therefore not covered by the platform’s built-in capabilities. And care is needed: during 2023, WithSecure’s monitoring detected an increase of over 700% in malicious files and URLs on Salesforce.

A shared responsibility for security

Like most SaaS vendors, Salesforce uses the shared responsibility model for securing its platform. The principle is simple: the responsibility for securing Salesforce is shared between the vendor and the user. Salesforce is responsible for the security of the cloud service infrastructure, which includes the servers, compute, storage, and networks.

Your part of the bargain is to take ownership of securing the activity that takes place in the cloud. That means securing the files, links, text, and other content collected by Salesforce-generated forms and websites. This content is typically created and submitted by your customers or your partners. When your Salesforce is protected, so too is your business’s ability to maintain speed and to innovate.

Too many enterprise customer-facing teams assume that this content is scanned for harmful files and that their activity and data are secure, but this is not the case. In reality, Salesforce users are increasingly falling prey to cyber criminals who are using implementations of the platform to piggyback malicious files and links into corporate networks. If you don’t think you have a Salesforce security problem, then you do have a problem.

Traditional security methods fall short

The security industry has long provided solutions for traditional forms of cyber threat. Email and network monitoring software is ubiquitous in the enterprise tech stack. Endpoint solutions have evolved to deal with the nature of modern employment, with many users adopting a hybrid approach of remote and office-based working. So far, so good.

But Salesforce environments fall outside the protection of these solutions. The result is that criminals can upload phishing links and malware into customer-facing websites, forms, chats, support emails, and partner and community portals created by Salesforce in order to compromise a network. Because these are not scanned by the traditional solutions, malicious files and links can be opened by unsuspecting teams and put customer and other sensitive or commercial data at risk. In addition, Salesforce teams risk operational disruption in the event of a breach.

The results can be data loss, operational disruption, loss of sales revenue due to suspended campaign activity, fines for failing to meet industry compliance standards, loss of trust, and reputational damage. Customers naturally place a high value on the privacy of their data. Once that’s lost, trust is hard to rebuild.

Securing Salesforce in seconds

Taking action is easier than you think. Salesforce allows business users to easily engage with prospects and customers and experiment with new ideas. Engaging with the technical or security team around securing your Salesforce environment at an early stage, fostering good lines of communication, and developing safe security practices now will save pain and cost in the future.

Don’t let one malicious file disrupt your business. WithSecure™ Cloud Protection for Salesforce stops advanced cyber threats. You can run your digital business undisrupted—free from malware and phishing links. Get constant clarity of your content security status and see what is happening in real time. The bespoke solution is designed with Salesforce and can be deployed in minutes, providing instant protection and security visibility.

If you want to learn more about WithSecure™ Cloud Protection for Salesforce, reach out for a conversation—we’d love to talk with you about your current Salesforce risks and how we can help you manage them.
