
Educate Your Users to Help Protect Your Org

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe the difference between a strong password policy and a weak one.
  • Name some ways to avoid getting stung by phishing emails.
  • Describe a minimalist approach to user permissions.

Talk to Your Users

Today’s primary target is the user. The most common first point of entry for an attack, whether it’s on a corporation, a government, or an individual account, is a person who can be tricked into clicking something or giving up their credentials.

Educating your Salesforce users about secure behavior can go a long way toward securing your implementation.

Don’t underestimate the role of the individual user in keeping your data secure. Educate, educate, educate. Talk to your colleagues or other Salesforce admins about creative ways they have worked with their users to make them more aware and motivated to do their part to keep data secure.

Pay Attention to Passwords

Passwords are your first line of defense. Sometimes a password is the only thing between you and disaster.

Set password history, length, and complexity requirements, along with related values such as expiration and lockout after repeated failed logins, and specify what to do if users forget their password. In Salesforce these settings live in Setup, under Password Policies.

These simple best practices help reduce password threats, whether or not you’re using additional technologies like two-factor authentication and single sign-on for extra protection.

Change passwords often

Require users to reset their passwords every 90 days or less, and force an immediate reset whenever you suspect an account has been compromised. One caveat: current NIST guidance (SP 800-63B) no longer recommends periodic rotation on its own, because it pushes users toward predictable variations of an old password. Rotation does the most good alongside a length requirement, multi-factor authentication, and compromise-triggered resets.

Require unique passwords

Remind users never to reuse a password across accounts, so that one compromised account doesn’t expose the others. Attackers know that people reuse passwords, and they routinely take credentials leaked from one site and try them on other sites (credential stuffing). Password reuse is their low-hanging fruit.

Longer passwords are better

Require passwords to be at least 8 characters, and preferably 10 or longer.

Make passwords harder to crack

Require a mix of letters and numbers in passwords. Even better, ask users to favor passwords made of multiple words. A nonsense phrase is easier to remember than a string of random characters, and it can be even harder to crack, because its length, not its symbols, is what drives up the cost of guessing it.

Of course you’d never share a password, right?

Remind your users never to share a password, including their Salesforce password, with anyone, either online or in person. Not even Salesforce admins!
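The password rules above, written out as code so the logic is explicit. This is an added example, not Salesforce code: Salesforce enforces its policy server-side through Setup > Password Policies, and this block only shows what a minimum length, a letters-and-numbers mix, a password history, and a 90-day expiry mean in practice. The history size (5), the PBKDF2 work factor, and the sample scenario are assumptions made for the example.

```python
"""Added example: the password rules from this unit as code (not Salesforce code)."""
import hashlib
import os
import re
from datetime import date, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 8            # unit: "at least 8 characters, preferably 10 or longer"
MAX_AGE_DAYS = 90         # unit: "every 90 days or less"
HISTORY_SIZE = 5          # assumed: remember the last 5 passwords
PBKDF2_ROUNDS = 50_000    # assumed work factor for the stored history hashes


def _digest(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so a leaked history cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Remembers recent passwords as (salt, digest) pairs, never as plaintext."""

    def __init__(self, size: int = HISTORY_SIZE) -> None:
        self.size = size
        self.entries: List[Tuple[bytes, bytes]] = []   # oldest first
        self.last_changed: Optional[date] = None

    def was_used(self, password: str) -> bool:
        # Each entry has its own salt, so the candidate is re-hashed per entry.
        return any(_digest(password, salt) == d for salt, d in self.entries)

    def record(self, password: str, today: date) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _digest(password, salt)))
        self.entries = self.entries[-self.size:]       # keep only the last N
        self.last_changed = today


def check_password(candidate: str, history: PasswordHistory) -> List[str]:
    """Return the policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"[0-9]", candidate)):
        problems.append("must mix letters and numbers")
    if history.was_used(candidate):
        problems.append(f"reuses one of the last {history.size} passwords")
    return problems


def is_expired(history: PasswordHistory, today: date) -> bool:
    """True when the password is older than MAX_AGE_DAYS (or was never set)."""
    if history.last_changed is None:
        return True
    return today - history.last_changed > timedelta(days=MAX_AGE_DAYS)


def demo() -> dict:
    """Constructed scenario: a user whose current password was set on 1 Jan 2024."""
    history = PasswordHistory()
    history.record("correct horse battery 42", date(2024, 1, 1))
    return {
        "too short": check_password("short1", history),
        "no digits": check_password("onlyletters", history),
        "reused": check_password("correct horse battery 42", history),
        "passphrase": check_password("purple tractor sings 9 songs", history),
        "expired on day 90": is_expired(history, date(2024, 3, 31)),
        "expired on day 91": is_expired(history, date(2024, 4, 1)),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:20} {result}")
```

The history stores only salted PBKDF2 digests, which is the one design point worth copying: a reuse check never needs the old passwords themselves, and a history file of plaintext passwords would be a second thing for an attacker to steal.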

Don't Get Fooled By Phishing

Many attacks begin with a phishing email. It either carries malware (malicious software) designed to steal passwords or data, or to disrupt an entire computer or network, or it leads to a fake login page that harvests credentials directly.

Fortunately, you don’t need to be a security expert to avoid most phishing attempts.

Look up the subject

Teach users not to click links or open attachments in suspicious emails. Phishing emails exploit normal human behavior to lure you into opening an email. Maybe they state that a package is being delivered to you or that your paycheck is ready. If you aren’t sure, Google the subject of the email and see if any other sources have reported it to be a phishing attempt.

Consider the source

Instruct users to think before they click links in emails. Check the sender’s actual address, not just the display name, which is trivial to forge, and hover over any link to see where it really goes before clicking. The part to check is the hostname, the piece between https:// and the next slash: a genuine Salesforce link has a hostname that is salesforce.com or ends in .salesforce.com, such as login.salesforce.com. Links to notsalesforce.com, salesforce.com.example.net, or example.net/salesforce.com are not Salesforce links, even though the name appears in them.
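The hover check above, as code. This is an added example, not part of the original unit or of any Salesforce tool: it contrasts the naive rule "the link ends in salesforce.com" with a check that parses the URL and inspects only the hostname. The trusted-domain list and all of the sample links, including the lookalikes, are constructed for the example.

```python
"""Added example: deciding whether a link really points at a trusted domain."""
from typing import Optional
from urllib.parse import urlsplit

# Assumed list of domains the reader has decided to trust.
TRUSTED_DOMAINS = ("salesforce.com", "force.com")


def naive_ends_in(url: str, domain: str = "salesforce.com") -> bool:
    """The literal rule as a string check: does the link end in the domain?"""
    return url.strip().rstrip("/").endswith(domain)


def link_host(url: str) -> Optional[str]:
    """Return the hostname of an http(s) URL, or None if there isn't one.

    urlsplit().hostname lowercases the host and discards the port and any
    'user@' prefix, so 'https://salesforce.com@evil.net/' yields 'evil.net'.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None          # javascript:, data:, mailto: etc. are not web links
    host = parts.hostname
    if not host:
        return None          # no scheme or host, e.g. a bare path
    return host.rstrip(".")  # 'login.salesforce.com.' is the same host


def is_trusted_link(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only when the host is a trusted domain or a subdomain of one."""
    host = link_host(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


# Constructed sample links: the first two resemble real Salesforce links;
# the rest are lookalikes an attacker could put in a phishing email.
SAMPLE_LINKS = [
    "https://login.salesforce.com/",
    "https://na1.salesforce.com:443/setup",
    "https://notsalesforce.com",                      # different domain
    "https://salesforce.com.evil.net/login",          # trusted name as a prefix
    "https://evil.net/?next=salesforce.com",          # trusted name in the path
    "https://salesforce.com@evil.net/",               # trusted name as userinfo
    "https://ѕalesforce.com/",                        # Cyrillic 'ѕ' homoglyph
    "javascript:location='https://salesforce.com'",   # not a web link at all
]


def classify(urls=SAMPLE_LINKS) -> dict:
    """Map each URL to (naive string verdict, hostname verdict)."""
    return {u: (naive_ends_in(u), is_trusted_link(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in classify().items():
        print(f"{url:48} ends-in={naive!s:5} host-check={strict}")
```

Run it and the naive rule fails in both directions: it accepts notsalesforce.com and evil.net/?next=salesforce.com, and it rejects a genuine link just because a path follows the hostname. The hostname check gets all eight right, and the homoglyph case shows why users should also look for a padlock and a certificate issued to the expected name rather than trusting what the characters look like.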

Check with Salesforce

If you’re not sure whether an email is from Salesforce, forward it to your company’s security team or to security@salesforce.com. Your company’s security team works closely with the Salesforce Trust team to identify malicious emails. You can also check trust.salesforce.com for a listing of recent email threats that the Trust team is aware of.

Teach Your Users Well

Small changes in user behavior can have a major impact. When the Salesforce security team sends simulated phishing emails to our own employees, we’ve found that people who’ve taken our security training are only half as likely to click on phishing links, and almost twice as likely to report them, compared to employees who haven’t been trained. Repeat this training regularly. You can even use Login Flows to remind users of these principles or to link them to training materials.

Dole Out Rights Sparingly

A key security practice is to provide users with the minimum access they need to do their job. (It's called the "principle of least privilege.")

For example, a business analyst doesn’t need to see billing information for customers. Limit the number of users with admin rights, and review the list periodically to confirm that each of those individuals still needs admin permissions. Who needs what access changes over time as people change roles or leave.