4 Reasons to Monitor Salesforce for Report Exports & Data Exfiltration

As the market-leading CRM solution, Salesforce is widely adopted and integral to the success of most organizations. Yet, it also represents a high-risk method of exfiltration around which many organizations do not have appropriate data governance. Here are 4 reasons why increasing visibility into Salesforce should be a prioritized effort.

1. Your Salesforce CRM is the source of your organization’s most sensitive data.

Salesforce stores current and prospective customer lists, sales performance forecasts, and pricing information. This data, if leaked, would result in reputational damage, lost revenue and even legal repercussions. In a 2021 survey by Code42 and Pulse Research, 39% of security leaders ranked customer lists as the top data type they were most concerned about falling into the wrong hands, closely followed by target account lists (37%).

2. A wide range of employees have access to it.

Depending on your company, this might include sales representatives, marketers, executives, customer support agents, accountants and more. These employees all have legitimate business reasons to create and export reports with company confidential information in order to perform their job duties, yet this opens data up to potential exposure.

3. Data can be downloaded from Salesforce into unmanaged devices, such as personal laptops and phones.

As a cloud solution, employees can log into Salesforce from their personal devices using their SSO credentials and download data. While the Salesforce mobile app enables in-app sharing without export, employees can simply log-in via mobile or laptop browsers to download reports.

Salesforce download permissions are all or nothing, which makes it difficult to control data loss. Employees need access to reporting to perform their jobs, but there’s risk data will be misused or mishandled. How can security teams be sure employees are not downloading this sensitive data onto their personal devices? Only 17% of security leaders are very confident in the visibility they have to this type of activity (Code42 and Pulse Research 2021).

4. Whether accidental or malicious, there are many reasons employees might export data from your Salesforce environment.

Let’s imagine just a few of the possible scenarios:

• An executive leaves your organization to start their own business and wants to take your customer list to get a heads start.
• A sales employee departs for one of your competitors, and they want to take customer and pricing information to offer lower deals to your customers as an incentive to switch their contracts.
• A support manager receives a critical ticket escalation on the weekend and must download a report with PII data to their personal computer to resolve the customer issue.

Do you have visibility into files downloaded from Salesforce to unmanaged devices? If you’re like half of security leaders, you’re either unsure of your visibility or know you don’t have any (Code42 and Pulse Research 2021).

Using Code42 Incydr™ to Detect Data Exfiltration from Salesforce

With Incydr, security teams can ensure Salesforce reports are only downloaded to monitored corporate devices. Incydr’s Salesforce Exfiltration Detector supports the Salesforce Sales Cloud and Service Cloud products. It allows you to protect confidential and regulated information by alerting you to reports downloaded to unmanaged devices, such as personal laptops or phones.

Because the integration is API-based, there’s no additional network layer technology for security teams to deploy and manage and it works regardless of network, making it perfect for organizations with distributed workforces.

When an employee exports a report from Salesforce, Incydr uses its Inferred Trust capability to determine whether that report was downloaded to a corporate device or to an unmonitored one, such as a personal laptop. If an exported report is downloaded to a device that is not monitored by Incydr, the activity is flagged for investigation.

Incydr does this all with an emphasis on signal – weeding out the noise, highlighting critical activity, and giving you the context you need to act with certainty. Incydr provides a wide range of response controls to ensure organizations can take a right-sized response to contain, resolve and educate when these events are detected.