Security has been one of the most prevailing through-lines of 2020 and 2021. Through taking donor information over the phone from our home offices, increased cyber-attacks, and high-profile breaches, we’ve seen increased scrutiny around the security of our constituent’s data. With most of our information living on the cloud, and with the personal information of your constituents on the line, you simply can’t afford to treat that data as anything less than a priority.
Stricter Regulations Around Data Privacy
Adding to the complexity of data security, many US states and countries are putting stricter regulations around how organizations can collect and use data. Adhering to these regulations should be considered a priority to both respect your constituent’s data and avoid serious fines:
General Data Protection Regulation (GDPR)
The GDPR is one of the largest data protection legislation that has been passed to date. It governs the collection, use, and transmission of any personally identifiable information collected on citizens of the European Union (EU), regardless of the location of the organization collecting the data. Included in this regulation are restrictions around consent, data breach notifications, and constituent’s rights over their data including the right to be informed, to access their data, of rectification, of erasure, to restrict processing, to data portability, and to object.
California Consumer Privacy Act (CCPA)
Similar to the GDPR, the CCPA enforces regulations around the data collected from California residents. Among other standards, the CCPA requires organizations to provide notice to constituents at or before they collect personal data, and allow constituents to opt-out, read, and delete their data from the business storage.
New York Stop Hacks and Improve Electronic Data Security Act (SHIELD)
The New York SHIELD Act comes in response to a 60% increase in data breaches in 2016. It broadens the definition of “private information,” expands the definition of a data breach, and imposes new data security requirements on organizations collecting information on New York residents.
The Role of Trust and Transparency at Salesforce
Customers need to be able to trust the company powering their Constituent Relationship Manager (CRM). These CRM systems hold data around fundraising, program participants, volunteers, students, alumni – the information that is critical to operating your nonprofit or educational institution. While Salesforce boasts trust and transparency at the center of all they do, they’ve also created a resource to help increase that transparency with their solutions. Salesforce Trust is a real-time, public website that shows information regarding incident reports and ongoing maintenance, in addition to making their commitment and documentation to security and compliance regulations known – and you don’t need to be a customer to access this information. This provides a detailed view of how data is kept secure, with no guesswork involved.
Establishing a Baseline of Data Protection with Salesforce
More than 1M companies worldwide have implemented Salesforce as their trusted CRM. Each of Salesforce’s many offerings are built and optimized with security in mind. Various security tools and safety measures are employed to protect each Salesforce product through cloud security, while also continuing the data security education of users through a real-time community hub. Supplementary resources, like the Power of Us Hub, connect and educate users so that they can better understand both their data and how Salesforce protects that data. Continued education and growth within the Salesforce ecosystem are not only encouraged but facilitated through the community hub.
The result of this environment is an expansive platform able to provide your organization with the data security needed to thrive. With the right security-centric mindset in place, executives and technology decision-makers can optimize native Salesforce settings to ensure the safety of their data. Where Salesforce excels is in the configurability of its security settings. Using advanced event monitoring, administrators can receive reports detailing individual actions taken in your system (login attempts, requests for access, page edits, etc.). These reports allow security or governance teams to review events within your Salesforce org and identify any unsafe or suspicious activity before they become a problem.
Control How Users Access Salesforce
It’s imperative to utilize a process for tracking Salesforce access requests and understand if access is business-necessary or not. Whether the access is temporary or permanent should also be tracked, and a system of revoking Salesforce access will assist in smooth, secure offboarding processes. Passwords and profiles grant another level of security and control. Be sure to review global and profile level password policies within your Salesforce org and implement user lockouts after too many invalid login attempts.
When it comes to Salesforce user profiles, always use custom profiles instead of the standard profiles. Creating custom profiles allows you to customize permissions based on the objects and system access that user needs to perform their duties. Login hours can be edited to restrict when users can log into the system, and login IP ranges can be edited to restrict access from only corporate IP addresses, requiring a VPN solution for remote users.
A Safety-Enforced Ecosystem
To that end, implementing a two-factor authentication process for your Salesforce users provides another simple, yet effective safety precaution for your org. Configure your system so that users must verify their identity by entering a second identification code when logging into Salesforce. Doing so safeguards system access and allows users to sign-in securely from varying locations. (Salesforce has announced that Multi-Factor Authentication will be required in 2022.) Similarly, you can set up your Salesforce org with Single Sign-On (SSO), so that employees can access Salesforce using their regular network credentials. Both of these security measures can be implemented simply and with minimal effort.
The Salesforce Platform can be optimized with several security precautions, including the Transport Layer Security (TLS) encryption tool. Data will be kept safe through encryption and the system will be more easily able to confirm user identities. At all times, Salesforce keeps their customers’ data safe and their customers aware of potential improvements through tools that expose potential system weaknesses and areas for improvement. The cloud security capabilities of Salesforce are extensive, with native intelligence, encryption capabilities, in-depth reporting, and swift prevention measures. As technology progresses, so too does the need for more advanced security measures to protect our systems. Salesforce is continuously evolving for the better and protecting its customers like no other solution available today.
Salesforce Security Checklist
Now that you’re up to speed on the foundation of Salesforce security, here is a short list of simple steps to maximize your security.
- Set up two-factor authentication or Single Sign-On to protect access to your Salesforce.
- Implement a process to both track requests for Salesforce access and revoke Salesforce access as needed.
- Review global and profile level password policies.
- Create custom profiles that provide minimum object and system access instead of using the standard profiles.
- Consider setting login hours and login IP range restrictions on your Salesforce system access.
When it comes to securing your systems and data, no effort should be wasted in making sure your Salesforce org is as safe as possible. Native securities found in every Salesforce org can be optimized through only a few extra precautions. Take the time to protect what you’ve built and find the peace of mind Salesforce security can grant your organization.
