Educate Your Users to Help Protect Your Org
Educating your Salesforce users about secure behavior can go a long way toward securing your implementation.
Don’t underestimate the role of the individual user in keeping your data secure. Educate, educate, educate. Talk to your colleagues or other Salesforce admins about creative ways they have worked with their users to make them more aware and motivated to do their part to keep data secure.
Set password history, length, and complexity requirements along with other values, and specify what to do if users forget their password.
These simple best practices help reduce password threats, whether or not you’re using additional technologies like two-factor authentication and single sign-on for extra protection.
Change passwords often
Require unique passwords
Longer passwords are better
Make passwords harder to crack
Of course you’d never share a password, right?
Fortunately, you don’t need to be a security expert to stop malware.
Look up the subject
Teach users not to click links or open attachments in suspicious emails. Phishing emails exploit normal human behavior to lure you into opening an email. Maybe they state that a package is being delivered to you or that your paycheck is ready. If you aren’t sure, Google the subject of the email and see if any other sources have reported it to be a phishing attempt.
Consider the source
Instruct users to think before they click links in emails. Always verify the sender’s address and hover over any links to validate them. For example, if the link says it’s from Salesforce, hover over the link to see if the URL ends in salesforce.com.
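The hover check described above, written out as code. This is an added example, not Salesforce code; the function names and the sample links are constructed for illustration. It compares the link's hostname, not the whole URL string, against salesforce.com at a dot boundary, so lookalike destinations fail the check.

```javascript
// Added example: decide whether a link really leads to the trusted domain.
const TRUSTED_DOMAIN = "salesforce.com";

// True only if hostname is the trusted domain itself or a subdomain of it.
// A plain endsWith("salesforce.com") would also accept "not-salesforce.com".
function isTrustedHost(hostname, trusted = TRUSTED_DOMAIN) {
  const host = hostname.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  return host === trusted || host.endsWith("." + trusted);
}

// Parse the href the way a browser does and report where it really goes.
function checkLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { trusted: false, host: null, reason: "not a valid absolute URL" };
  }
  // "https://salesforce.com@example.net/" puts the trusted name in the
  // userinfo part; the real host is whatever follows the "@".
  if (url.username || url.password) {
    return { trusted: false, host: url.hostname, reason: "text before @ is not the host" };
  }
  if (!isTrustedHost(url.hostname)) {
    return { trusted: false, host: url.hostname, reason: "host is outside " + TRUSTED_DOMAIN };
  }
  return { trusted: true, host: url.hostname, reason: "host is within " + TRUSTED_DOMAIN };
}

// Constructed sample links; none are taken from a real email.
const samples = [
  "https://login.salesforce.com/",             // subdomain of the trusted domain
  "https://salesforce.com.example.net/login",  // trusted name used as a subdomain label
  "https://not-salesforce.com/",               // ends in the string, wrong domain
  "https://salesforce.com@example.net/",       // trusted name in the userinfo part
  "https://example.net/?next=salesforce.com",  // trusted name only in the query
];

for (const href of samples) {
  const result = checkLink(href);
  console.log(`${result.trusted ? "OK  " : "FAIL"} ${href} -> ${result.host} (${result.reason})`);
}
```

Only the first sample passes; each of the others contains the text salesforce.com somewhere in the URL but resolves to a different host.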
Check with Salesforce
If you’re not sure about whether an email is from Salesforce, forward it to your company’s security folks or to email@example.com. Your company's security team works closely with the Salesforce Trust team to identify malicious emails. You can also check trust.salesforce.com for a listing of recent email threats that the Trust team is aware of.
Teach Your Users Well
Small changes in user behavior can have a major impact. When the Salesforce security team sends phishing emails to our own employees, we’ve learned that people who’ve taken our security training are only half as likely to click on phishing links, and almost twice as likely to report them, compared to employees who haven’t been trained. Repeat this training regularly. You can even use Login Flows to remind users of these principles or link them to training materials.
For example, a business analyst doesn’t need to see billing information for customers. Limit the number of users with admin rights, and check periodically that those individuals still need admin permissions. Who needs what access can change over time.