Salesforce security best practice for financial services


Banks and financial institutions are increasingly turning to Salesforce to improve communications with customers and partners. In an industry in which customer experience is a key differentiator, the platform allows sales and marketing teams to easily create forms and microsites that push promotions offering loans, mortgages, insurance, investments, and other financial products.

Salesforce is an extremely flexible and extensible tool. It can automatically connect with different departments, partners and third parties, gathering data from separate systems to help employees be more efficient, while also improving the services they can provide customers.

Unfortunately, the ease of use, flexibility, connectivity, and automation features of Salesforce are also giving cyber criminals a new window of opportunity to attack. Like most SaaS services, Salesforce uses a shared responsibility model for security. Salesforce is responsible for securing its products and services. Meanwhile, the financial institution must take ownership of the documents, files and links that enter its platform from customers, prospects, and partners.

It’s not surprising that the finance sector has consistently been targeted by cyber criminals. The past few years have seen a massive spike in ransomware attacks. A recent report suggests global financial services organizations have lost more than $32bn in downtime in the past five years due to ransomware breaches. That statistic is only likely to increase if you are not aware of the risks a constant flow of unmonitored documents entering your system poses to your business continuity and data security.

Educating finance employees on Salesforce security

Salesforce is a platform that is evolving quickly. This creates an urgent need for employee education on the risks that come with implementations, particularly those that allow external parties to upload content to your platform, and for breaking down the silos between your IT and Salesforce teams.

Salesforce elements are generally created by individual users who may not specialize in security. This means that forms, websites, and shared storage spaces are often created without basic access controls, such as usernames and passwords, and without any involvement from IT security teams.

The platform’s built-in security capabilities do not extend to those processes end users take for granted in other applications, such as email junk filters that scan for malicious links and malware.

Additionally, email systems are typically created, managed, and updated by the IT department, which is fully aware of potential threats and vulnerabilities. IT takes security into account when making any decision about where messages and attachments are stored, and who can access them. The same can’t always be said for Salesforce implementations.

Protecting customer data in Salesforce

A real-world example might be a consumer applying for a loan or insurance claim using their bank’s website. The online form may be created using Salesforce. The customer fills out a form that contains personal information and then uploads confidential documents such as bank statements, identification papers, photographs, and other related documentation.

This data is stored in a location where Salesforce administrators—not IT—are responsible for providing security. Cyber criminals could imitate a loan applicant and send malicious files or URLs via that online form. When the unsuspecting bank staff open the file or link, they risk opening a door to data theft or to a ransomware attack.

This means that as bank staff go about their jobs and start processing these applications, unless the content is being scanned during upload and download, the company has no idea if the incoming data is legitimate or contains malware.

To make matters worse, because financial organizations have an ecosystem of partners and customers, this type of breach can lead to other threats, complex investigations and clean-up processes, and ultimately, lost trust.

Securing financial services Salesforce with real-time threat protection

The solution to this problem is to find a tested, easy-to-use security tool that can monitor your Salesforce platform and scan all files and links for malware. BEC Financial Technologies (case study) works with some of the largest banks in Denmark to deliver secure IT services. It surveyed different providers of IT security solutions to protect its customers’ Salesforce platforms, and in February 2021, it selected WithSecure™ Cloud Protection for Salesforce.

Tonny Rabjerg, program director at BEC said: “We chose WithSecure™ because they are a serious supplier that meets all our compliance requirements. In addition, they were recommended by Salesforce because their software can be implemented easily and quickly. It's almost a plug-and-play solution.”

WithSecure Cloud Protection for Salesforce auto-detects and blocks harmful content across all Salesforce clouds and features. It stops advanced threats such as malware, ransomware, and phishing threats from entering your ecosystem and prevents the infection of partners and customers, securing the business, and protecting its reputation in minutes. 
