Quick take: As corporate security breaches rise, Salesforce is working to protect customers by requiring multi-factor authentication beginning February 2022.
It's been a striking year for security breaches, and weak or reused passwords are often the weakest link attackers love to exploit.
Enabling multi-factor authentication (MFA) is one of the easiest, most effective actions businesses can take to secure their data against the majority of common cyberattacks. That's why, beginning February 1, 2022, Salesforce will require all customers to use MFA to access Salesforce products.
Though as any CIO can tell you, the competition for attention in enterprise security is fierce, and MFA doesn't always get prioritized. With the digital world becoming increasingly connected and complex, companies can no longer afford to leave MFA and other critical security strategies as an afterthought.
Work-from-home security challenges aren't new, but the volume of attacks has increased
Before COVID-19 lockdowns and quarantines, employees with laptop access were already taking those laptops home and doing evening or weekend work. Security risks could arise from compromised home networks, or from attackers using default or recycled passwords from compromised accounts to gain access to work systems.
Greg Poirier, Founder of Salesforce Partner CloudKettle and an expert in business security tech, explains the trend. 'That security issue is not new,' he said. 'What is new is that the volume of attacks and resources and efforts going into security attacks on at-home employees has increased significantly. What's happening is people are working way harder in the last year to exploit it. And that's what makes it more important.'
What is new is that the volume of attacks and resources and efforts going into security attacks on at-home employees has increased significantly.What's happening is people are working way harder in the last year to exploit it. And that's what makes it more important.
Greg Poirier, Founder of Salesforce Partner CloudKettle
Cyberattacks seek to exploit increasingly connected systems
In the last few years, companies of all sizes - and especially large enterprises - have increasingly connected multiple cloud-based solutions to get a unified view across the business. This shift has created a popular new attack vector for cybercriminals: data warehouses.
Companies have rapidly responded by increasing security protocols and best practices along every handoff (in part through tools like Mulesoft's API Manager and Salesforce Shield, which protect companies against common threats.)
Rigorous security reviews are becoming standard
In the security audits CloudKettle does for its customers, one area Poirier's team always looks into is data governance. Do they have a daily governance policy? How is it structured? Or - does it even exist? Up until this year, customers hadn't always thought about it.
'The regime around security reviews at the enterprise level is getting a lot better,' he said. 'It's become much more thoughtful. Sometimes that's more frustrating for employees because two years ago, they might have been able to easily add something like a browser plugin without any oversight, and they can't do that anymore.'
Poirier continued, 'Our clients are savvy enough now that they're having us help them with things like application whitelisting, changing authorization protocols, and having a really good vendor security vetting process.'
Multi-factor authentication addresses evolving threats
MFA adds an extra layer of security to the login process by requiring users to verify their identity with two or more pieces of evidence ('factors').
We're all familiar with what this looks like at an ATM: your physical card is the first form of authentication, and your PIN is the second. Put into practice in an office, this might look like an authenticator app installed on a mobile device which generates a code used during a system login.
As the security threats that Poirier highlighted grow increasingly common, MFA is one of the account security measures that can protect customers and businesses.
'What you need to do is put as many barriers in the way of a compromise occurring as humanly possible. And MFA is one of those speed bumps that you can roll out onto the road pretty easily and quickly,' said Poirier.
What you need to do is put as many barriers in the way of a compromise occurring as humanly possible. And MFA is one of those speed bumps that you can roll out onto the road pretty easily and quickly.
Greg Poirier, Founder of Salesforce Partner CloudKettle
Now, speed is the name of the game, and enablement materials can help get teams of thousands up and running quickly.
There are a few considerations Poirier says to keep in mind when preparing for an MFA rollout, especially for global and enterprise customers:
First, businesses should evaluate whether an app or hardware authenticator works for their team. Apps like Salesforce Authenticator and hardware authenticators like Yubikey are both common 'second factors,' and each come with a set of considerations for security.
Bake potential rollout costs into budgetary plans. If an organization does go the route of a physical key, there's going to be an initial upfront purchase with a vendor, and probably an ongoing annual cost.
Follow the sun. One additional consideration for global companies is the timing of security updates, to ensure employees - especially front line support - aren't locked out during business hours.
With cybersecurity threats growing more sophisticated, there are many emerging tools and best practices companies should consider to prevent data breaches.
And as businesses begin to move back to offices and workplaces, there is a new impetus to ensure that both people and data are safe. MFA is one of the simplest, most effective ways to prevent unauthorized account access and safeguard data. By prioritizing it now, any company can be ready for the future.
To learn more about Salesforce's commitment to security and the customer MFA requirement, click here.
salesforce.com Inc. published this content on 11 May 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 12 May 2021 16:37:02 UTC.