Let’s be clear – when Salesforce becomes your digital front door, your responsibility doesn’t end at deployment. That’s where it begins.
The Security Responsibility Is Yours (And Salesforce’s)
There’s a persistent myth: “Salesforce handles all the security stuff.” This isn’t the case.
Yes, Salesforce provides world-class infrastructure – the data centers, the failover systems, the platform fundamentals. But everything inside your org? The users, custom apps, and most importantly, your data? That’s entirely your responsibility.
If someone uploads malicious content or a team member accidentally nukes a critical dataset, Salesforce isn’t swooping in to save the day. You need your own safety nets.
That’s exactly why we created WithSecure Cloud Protection for Salesforce back in 2015. We couldn’t find a native solution to scan incoming files and URLs from Experience Cloud users, so we built one ourselves. Today, hundreds of organizations rely on it for real-time protection.
The Hidden Danger: Unstructured Data
One of the biggest blind spots is unstructured data – all those files, images, and links coming in through portals, forms, chat interfaces, and partner connections. These are malware superhighways.
Agentforce only amplifies this risk. It’s designed to respond quickly by drawing from multiple data sources. If that data isn’t properly scanned and secured, you’re essentially building a high-speed highway to your most sensitive information.
Our solution scans files and links in under a second, and that timing matters. Agentforce needs to respond in about 1.5 seconds to meet user expectations. If your security can’t keep pace, it becomes either a bottleneck or something teams will work around (which is even worse).
Backup Isn’t Enough (But It’s a Start)
Let’s talk about what actually happens when things go wrong. In my experience, data loss rarely comes from dramatic hacks. It’s usually something mundane: a cleanup job gone sideways, a picklist error, or a field mismatch that cascades across thousands of records.
When that happens, you need more than just a backup – you need precision recovery. You need to know exactly what changed, what needs fixing, and which data is valid.
And as your org grows? Performance starts to suffer. Reports crawl, dashboards lag, and users can’t find what they need. That’s where strategic archiving becomes crucial – keeping your Salesforce instance lean and responsive while preserving historical context that your AI tools need to function effectively.
AI Doesn’t Have a Conscience
Here’s something that keeps me up at night: AI models will happily process whatever data they’re given, including highly regulated or sensitive information. They don’t know any better.
It’s up to us to control what these models see and don’t see. That means implementing data masking, tokenization, and encryption before data even enters the AI pipeline. At WithSecure, we partner with companies like Odaseva to ensure sensitive information stays encrypted end-to-end, never exposed, not even during processing.
This way, you get the intelligence without the regulatory nightmares.
The Missing Link: Collaboration
Want to know a common vulnerability I encounter? It’s not technical – it’s organizational. Salesforce admins and cybersecurity teams simply aren’t talking to each other.
When they do collaborate, magic happens. Risk decreases. Deployment speed increases. Compliance becomes manageable rather than painful.
The best results come when these teams work as one unit – building policies together, selecting tools together, and responding to incidents with a unified approach. Security isn’t a solo act – it’s the ultimate team sport.
What You Should Do Today
If you’re expanding your Salesforce footprint or implementing Agentforce, here’s my practical advice:
Know what’s lurking in your org – If you’ve used Salesforce for years, there’s likely already malware sitting quietly in old files or attachments. A comprehensive scan can identify and remove these threats.
Reassess risk whenever anything changes – New user groups? New data types? New features? Each one brings potential vulnerabilities. Don’t wait for something to break.
Watch those chat interfaces – Agentforce increasingly operates across WhatsApp, Messenger, websites, and more. These are high-risk entry points where unstructured data flows fast and often unfiltered.
Test your recovery plan – Don’t just have backups; run simulations. Test restoration. Create response playbooks. When something goes wrong, you want muscle memory, not panic.
The Bottom Line
Agentforce is genuinely transformative. It enables faster, smarter, always-on service that customers increasingly expect. But it also significantly increases both the complexity and exposure of your Salesforce environment.
Here’s the good news: you don’t have to choose between innovation and security. With the right tools and partnerships, you can build a Salesforce experience that’s fast, intelligent, and secure by design.
And that’s how you unlock the real value of Agentforce – without risking everything else in the process.
I recently took part in a conversation about this very topic. Take a look below!