“I just got out of an emergency board meeting about these Salesforce data breaches hitting the news. The CEO wants to know what we’re doing to prevent this from happening to us. I told them our Salesforce team would have answers by end of week. That’s you.”
Sound like a recent call from your IT Director? You’re not alone. The financial devastation from cyberattacks is escalating rapidly across industries. Jaguar Land Rover recently confirmed a cyberattack that forced production shutdowns for nearly three weeks, costing up to £50 million (~$67M) per week and threatening tens of thousands of jobs across their supplier ecosystem. Meanwhile, Marks & Spencer faces upward of $400 million in costs from their recent breach. These aren’t isolated incidents—they represent a dangerous new reality where cyberattacks can paralyze entire business operations within hours.
Across Salesforce environments specifically, IT leadership is scrambling to understand platform-specific security risks after seeing major organizations like Coca-Cola, Qantas, Disney, and Chanel fall victim to preventable attacks. The urgency is real: Salesforce phishing attacks have increased by 109% since the start of 2024, with organizations facing average breach costs of $9 million—often escalating to $100 long-term when factoring in customer churn, regulatory fines, and reputation recovery costs.
But what can you do as a Salesforce admin to better contain and prevent data breaches in your Salesforce environment? Let’s get into it.
10 Critical Security Measures to Implement Immediately
1. Audit All Connected Apps
Connected apps have become the primary attack vector for Salesforce data breaches, with security experts identifying them as the source of most recent major incidents. The threat has escalated dramatically, with the UNC6040 hacking group now using sophisticated voice phishing calls to trick employees into installing fake Salesforce Data Loader apps. Approximately 700 Salesforce customers are currently affected by ongoing data breaches stemming from this attack vector, with new victims being discovered regularly as hackers steal sensitive information and extort companies. These malicious apps exploit the OAuth authorization process, tricking users into granting broad access permissions that can then be used to systematically extract sensitive information. When attackers successfully deploy malicious connected apps, they gain persistent access to your Salesforce environment that can continue even after password resets. Unlike traditional password-based attacks, OAuth tokens remain valid until explicitly revoked, meaning attackers can maintain long-term access to extract data gradually to avoid detection.
Steps You Need to Do:
Review Connected Apps in Two Critical Locations:
- Navigate to Setup → Connected Apps OAuth Usage tab to see all apps that users have authorized
- Go to Setup → Connected Apps to review globally installed applications
- Understand that once approved from OAuth Usage, you need to “install” apps to make them globally available without requiring users to have the “Approve Uninstalled Connected Apps” permission
Complete Your Connected Apps Audit:
- Audit all connected apps currently installed in your org across both locations
- Look at what apps are installed and what kind of permissions you’re giving out
- Review OAuth connections for all users to identify apps that shouldn’t have been authorized in the past
- Remove any connected apps that aren’t actively used or lack clear business justification
- Contact Salesforce Support to enable API Access Control for whitelisting approved apps
- Verify implementation by looking at your connected app screen to see what kind of connected apps have been attached to your org and reviewing the connected app usage screen in Salesforce to monitor ongoing app access
Important Security Note: From September 2025, users need a new permission to connect to uninstalled connected apps. This means users will need either “Approve Uninstalled Connected Apps” permission (if API Access Control is not enabled) or “Use Any API Client” permission (if API Access Control is enabled). Grant these permissions sparingly and with caution, as they represent significant security access.
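The audit above is easier to repeat on a schedule if the OAuth usage data is exported and checked by a script. The following is an added example, not code from the original article or from Salesforce: it takes records in the shape of a SOQL export of the standard OauthToken object (fields AppName, User.Username, LastUsedDate, UseCount) plus the list of apps actually installed under Setup → Connected Apps, and flags user-authorized apps that were never installed, apps whose name imitates Data Loader without being the approved one, and tokens that have not been used for 90 days. The approved-app list, the sample tokens and the fixed "now" timestamp are constructed; the 90-day threshold is an assumption.

```python
"""Audit OAuth tokens granted to connected apps (added example, not from the article).

Input shape mirrors a SOQL export of the standard OauthToken object, e.g.
  SELECT AppName, User.Username, LastUsedDate, UseCount FROM OauthToken
All records below are constructed sample data, not real org data.
"""
from datetime import datetime, timedelta, timezone

# Constructed: apps the org has actually installed/approved (Setup -> Connected Apps).
APPROVED_APPS = {"Salesforce Data Loader", "Slack"}

# Constructed sample records in the shape of an OauthToken query result.
SAMPLE_TOKENS = [
    {"AppName": "Salesforce Data Loader", "User": {"Username": "admin@example.com"},
     "LastUsedDate": "2025-09-01T08:00:00.000+0000", "UseCount": 120},
    {"AppName": "Data Loader v2 (Support)", "User": {"Username": "finance@example.com"},
     "LastUsedDate": "2025-09-02T02:15:00.000+0000", "UseCount": 4},
    {"AppName": "Slack", "User": {"Username": "sales@example.com"},
     "LastUsedDate": "2025-01-10T12:00:00.000+0000", "UseCount": 900},
    {"AppName": "Old BI Connector", "User": {"Username": "analyst@example.com"},
     "LastUsedDate": None, "UseCount": 0},
]
NOW = datetime(2025, 9, 3, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible


def parse_sf_datetime(value):
    """Parse the ISO-8601 form Salesforce returns (e.g. 2025-09-01T08:00:00.000+0000)."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def audit_tokens(tokens, approved_apps, now=NOW, stale_days=90):
    """Return one finding per token that needs review, with the reasons."""
    findings = []
    for tok in tokens:
        app = tok["AppName"]
        user = tok["User"]["Username"]
        last_used = parse_sf_datetime(tok.get("LastUsedDate"))
        reasons = []
        if app not in approved_apps:
            # Authorized by a user, but never installed/approved by an admin.
            reasons.append("not an installed/approved app (user-authorized)")
        if "data loader" in app.lower() and app not in approved_apps:
            reasons.append("name imitates Data Loader but app is not the approved one")
        if last_used is None or now - last_used > timedelta(days=stale_days):
            # Unused tokens stay valid until revoked, so they are pure attack surface.
            reasons.append(f"token unused for >{stale_days} days")
        if reasons:
            findings.append({"app": app, "user": user, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_tokens(SAMPLE_TOKENS, APPROVED_APPS):
        print(f"{f['user']:<24} {f['app']:<28} {'; '.join(f['reasons'])}")
```

Run against a real export, every finding is a candidate for revocation on the Connected Apps OAuth Usage page; because the tokens outlive password resets, revoking is a separate step from resetting the user's credentials.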
2. Implement IP-Based Security Restrictions
Most Salesforce organizations operate with a critical security gap in their IP restriction configuration that leaves them vulnerable to remote attacks. Research shows that 86% of breaches involve stolen credentials, and with China-nexus cyber activity surging 150% overall in 2024, geographic-based attacks are becoming increasingly common per CrowdStrike. By default, Salesforce only enforces IP security during the initial login process, not for subsequent API calls or ongoing session activity.
IP-based security serves as a critical geographic fence that can prevent international cybercriminal organizations from accessing your data even when they successfully steal user credentials. Recent Salesforce breaches have often originated from foreign IP addresses, and proper IP enforcement could have blocked these attacks entirely.
Steps You Need to Do:
- Enable IP restrictions for all users and connected apps
- In Session Settings, enable IP security for every request to ensure enforcement throughout the session
- We recommend checking the box that enforces IP security after every single request, not just initial login
- Consider restricting IP addresses from foreign countries if your users are located in specific geographic regions
- Establish emergency access procedures for legitimate users who may need access from unexpected locations
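Profile login IP ranges are entered as start and end addresses rather than CIDR blocks, which is where many allowlists are first written down. The following is an added example, not from the original article or from Salesforce: it converts a constructed CIDR allowlist into start/end pairs, renders them as Profile metadata, and checks whether a given source address (for instance one taken from Login History) falls inside the allowlist. The element names loginIpRanges, startAddress, endAddress and description follow the Profile metadata type as I understand it and should be verified against the Metadata API reference for your API version; the addresses are RFC 5737 documentation ranges.

```python
"""Turn a CIDR allowlist into Salesforce login IP ranges (added example, not from the article).

Element names follow the Profile metadata type (loginIpRanges/startAddress/endAddress/description)
as I understand it; verify against the Metadata API reference. All addresses are documentation ranges.
"""
import ipaddress
from xml.sax.saxutils import escape

# Constructed allowlist: corporate egress ranges an admin would permit.
CORPORATE_CIDRS = [
    ("HQ office egress", "203.0.113.0/24"),
    ("VPN concentrator", "198.51.100.8/29"),
    ("Integration server", "192.0.2.10/32"),
]


def cidr_to_range(cidr):
    """Return the (first, last) address strings covered by a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: reject host bits set, e.g. 10.0.0.5/24
    return str(net[0]), str(net[-1])


def profile_login_ip_ranges_xml(entries):
    """Render <loginIpRanges> elements for inclusion in a Profile metadata file."""
    parts = []
    for description, cidr in entries:
        start, end = cidr_to_range(cidr)
        parts.append(
            "    <loginIpRanges>\n"
            f"        <description>{escape(description)}</description>\n"
            f"        <endAddress>{end}</endAddress>\n"
            f"        <startAddress>{start}</startAddress>\n"
            "    </loginIpRanges>"
        )
    return "\n".join(parts)


def is_allowed(ip, entries):
    """True if a source IP (e.g. from a Login History row) is inside the allowlist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for _, cidr in entries)


if __name__ == "__main__":
    print(profile_login_ip_ranges_xml(CORPORATE_CIDRS))
    for probe in ("198.51.100.12", "198.51.100.16"):
        print(probe, "allowed" if is_allowed(probe, CORPORATE_CIDRS) else "blocked")
```

The rendered elements go inside the profile's metadata file; the "enforce IP security after every request" setting from the steps above lives separately in Session Settings and is not part of the profile, so set it as well or API calls made with a stolen session would still bypass the ranges.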
3. Address Over-Permissioned Users
Research conducted by Elements.cloud reveals a widespread and dangerous pattern across Salesforce organizations: an average of 20 non-administrative users possess View All Data permissions in each org. This aligns with broader industry data showing that 83% of cloud security breaches are caused by access-related vulnerabilities per recent IDC findings, particularly in critical sectors like media, healthcare, and utilities. Even more concerning, 97% of organizations maintain standing privileged accounts, with 28% reporting rarely used accounts and 69% noting never-used accounts, creating unnecessary attack surfaces. Over-permissioned users create a multiplier effect for data breach impact because attackers inherit whatever access the compromised user possesses.
Steps You Need to Do:
- Look at the user access report to see what kind of access users have
- Remove View All Data and Modify All Data from users who don’t need it
- Apply principle of least privilege consistently across all user accounts
- Look at your privileges in Salesforce and what kind of permissions you’re giving out
- Establish regular review cycles to ensure permissions remain appropriate as roles change
- Verify changes by using the user access report where you can click on any user to see what kind of access they have
4. Secure Guest User Configuration
Guest user misconfigurations represent one of the most dangerous and underestimated vulnerabilities in Salesforce environments because they provide completely unauthenticated access to organizational data. This vulnerability is part of a broader pattern where Gartner predicts that through 2025, more than 99% of cloud breaches will have a root cause of preventable misconfigurations or mistakes by end users. Unlike other security vulnerabilities that require attackers to first compromise user accounts, guest user exposures allow anyone on the internet to access sensitive information without any credentials whatsoever.
Guest user vulnerabilities have been directly responsible for major data breaches where over 5,000 records were stolen without any authentication required. The danger extends beyond the immediate data exposure because guest user access often reveals organizational structure, customer information, and business processes that attackers can use to craft more sophisticated spear-phishing campaigns against internal users.
Steps You Need to Do:
- Run your guest user access report immediately to identify current data exposure
- Review what data your guest user has access to and eliminate any sensitive information access
- Ensure guest users cannot access customer information, financial data, or internal business records
- Look at guest user settings in your digital experience sites and verify appropriate restrictions
- Review all sharing rules and public groups that might inadvertently grant guest user access
- Confirm security by running the guest user access report to see what data your guest user has access to
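Both the over-permissioned user review (measure 3) and the guest user review (measure 4) can be driven from two SOQL queries against standard objects, which makes it practical to repeat them every review cycle. The following is an added example, not code from the original article or from Salesforce: it takes records in the shape of a PermissionSetAssignment query (joined to PermissionSet flags and the assignee's profile) and an ObjectPermissions query restricted to guest profiles, then reports non-admin holders of View All Data or Modify All Data together with where the grant comes from, and guest profiles that can read objects the org considers sensitive. The admin-profile set, the sensitive-object list and all records are constructed; the field names (PermissionsViewAllData, PermissionsModifyAllData, IsOwnedByProfile, SobjectType, PermissionsRead, Profile.UserType) are the standard ones.

```python
"""Audit View/Modify All Data holders and guest-user object access (added example, not from the article).

Record shapes mirror two SOQL queries against standard objects:
  SELECT Assignee.Username, Assignee.Profile.Name, PermissionSet.Label,
         PermissionSet.IsOwnedByProfile, PermissionSet.PermissionsViewAllData,
         PermissionSet.PermissionsModifyAllData
  FROM PermissionSetAssignment
  WHERE PermissionSet.PermissionsViewAllData = true OR PermissionSet.PermissionsModifyAllData = true
and
  SELECT SobjectType, PermissionsRead, PermissionsCreate, Parent.Profile.Name, Parent.Profile.UserType
  FROM ObjectPermissions WHERE Parent.Profile.UserType = 'Guest'
All records below are constructed sample data.
"""

ADMIN_PROFILES = {"System Administrator"}  # constructed: profiles expected to hold org-wide data access
SENSITIVE_OBJECTS = {"Contact", "Account", "Opportunity", "Case", "Lead"}  # constructed: never guest-readable

SAMPLE_ASSIGNMENTS = [
    {"Assignee": {"Username": "admin@example.com", "Profile": {"Name": "System Administrator"}},
     "PermissionSet": {"Label": "System Administrator", "IsOwnedByProfile": True,
                       "PermissionsViewAllData": True, "PermissionsModifyAllData": True}},
    {"Assignee": {"Username": "rep@example.com", "Profile": {"Name": "Standard User"}},
     "PermissionSet": {"Label": "Legacy Reporting Access", "IsOwnedByProfile": False,
                       "PermissionsViewAllData": True, "PermissionsModifyAllData": False}},
    {"Assignee": {"Username": "ops@example.com", "Profile": {"Name": "Custom Ops Profile"}},
     "PermissionSet": {"Label": "Custom Ops Profile", "IsOwnedByProfile": True,
                       "PermissionsViewAllData": True, "PermissionsModifyAllData": True}},
]

SAMPLE_GUEST_OBJECT_PERMS = [
    {"SobjectType": "Knowledge__kav", "PermissionsRead": True, "PermissionsCreate": False,
     "Parent": {"Profile": {"Name": "Help Center Profile", "UserType": "Guest"}}},
    {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsCreate": False,
     "Parent": {"Profile": {"Name": "Help Center Profile", "UserType": "Guest"}}},
    {"SobjectType": "Case", "PermissionsRead": False, "PermissionsCreate": True,
     "Parent": {"Profile": {"Name": "Help Center Profile", "UserType": "Guest"}}},
]


def over_permissioned_users(assignments, admin_profiles=ADMIN_PROFILES):
    """Non-admin users holding View All Data or Modify All Data, and the profile or permission set granting it."""
    findings = []
    for rec in assignments:
        profile = rec["Assignee"]["Profile"]["Name"]
        if profile in admin_profiles:
            continue
        ps = rec["PermissionSet"]
        grants = [name for name, flag in (("ViewAllData", ps["PermissionsViewAllData"]),
                                          ("ModifyAllData", ps["PermissionsModifyAllData"])) if flag]
        # IsOwnedByProfile tells you whether to fix the profile or unassign a permission set.
        source = ("profile" if ps["IsOwnedByProfile"] else "permission set") + f" '{ps['Label']}'"
        findings.append({"user": rec["Assignee"]["Username"], "profile": profile,
                         "source": source, "grants": grants})
    return findings


def guest_exposures(object_perms, sensitive=SENSITIVE_OBJECTS):
    """Guest-profile object permissions that expose sensitive objects to unauthenticated readers."""
    exposures = []
    for rec in object_perms:
        obj = rec["SobjectType"]
        # Create-only access (e.g. web-to-case) is normal for a guest; read access to these objects is not.
        if obj in sensitive and rec["PermissionsRead"]:
            exposures.append((rec["Parent"]["Profile"]["Name"], obj, "read"))
    return exposures


if __name__ == "__main__":
    for f in over_permissioned_users(SAMPLE_ASSIGNMENTS):
        print(f"{f['user']:<22} {f['profile']:<20} {','.join(f['grants']):<24} via {f['source']}")
    for profile, obj, access in guest_exposures(SAMPLE_GUEST_OBJECT_PERMS):
        print(f"GUEST EXPOSURE: {profile} can {access} {obj}")
```

Object-level read is only the first layer: a guest profile with read on a sensitive object still needs the org-wide default or a sharing rule to reach records, which is why the guest user access report and the sharing-rule review in the steps above complement this query rather than duplicate it.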
5. Multi-Factor Authentication & Growing Risks
Multi-factor authentication gaps create the primary pathway for credential-based attacks that have become the dominant method for Salesforce data breaches. The statistics are alarming: 86% of breaches involve stolen credentials, yet 25% of business email compromise attacks in Q1 2024 specifically targeted organizations that did not have multi-factor authentication enabled. However, as cyber attack vectors mature, traditional MFA methods face increasing threats through MFA fatigue attacks, SIM swapping, and social engineering tactics designed to bypass authentication protections.
Recent major Salesforce breaches could have been prevented with proper multi-factor authentication implementation, but the effectiveness depends on choosing secure methods and comprehensive user education about evolving social engineering tactics. There are several verification methods you can employ including third-party authenticator apps (Google Authenticator, Microsoft Authenticator, Authy), security keys (YubiKey, Google Titan Security Key), and built-in authenticators (Windows Hello, Touch ID, Face ID). As security protocols and technology are rapidly changing due to maturing threats, please consult with your internal security team or book a security assessment with us.
Steps You Need to Do:
- Enable multi-factor authentication everywhere for all users, prioritizing administrative accounts
- In Session Settings, ensure Multi-Factor Authentication is in the High Assurance category
- Understand that password resets alone don’t revoke OAuth tokens, so token management is critical
- Train users to recognize vishing attacks where attackers request MFA codes over phone calls
- Implement policies that IT support will never request authentication codes through phone communications
- Consider security keys or authenticator apps over SMS-based methods where possible to reduce SIM swapping risks
6. Implement Salesforce Shield for Monitoring
Most Salesforce organizations operate without adequate visibility into user activities, API usage patterns, and potential security incidents occurring within their environments. This monitoring gap is particularly dangerous given that the average breakout time for attackers has dropped to just 48 minutes in 2024, down from 62 minutes in 2023, with the fastest observed breakout time being just 51 seconds per CrowdStrike's 2025 security report. A survey of nearly 300 companies using Salesforce revealed that the majority cannot confirm the absence of security incidents within the past year, highlighting a critical visibility gap.
Proper monitoring through Shield could have detected and prevented several recent major breaches by identifying suspicious API activity before significant data loss occurred. When attackers gain access to Salesforce environments, they typically exhibit detectable patterns such as accessing records from foreign IP addresses, performing bulk data queries outside normal business hours, or viewing unusually large numbers of records in short time periods.
Steps You Need to Do:
- Consider implementing Shield for comprehensive event monitoring and API activity tracking
- Monitor for API anomalies and IP addresses originating from unexpected countries
- Look for suspicious API activity that could indicate automated data extraction
- Monitor record access patterns to identify users viewing unusually large amounts of data
- Establish baseline metrics for normal user behavior to identify deviations
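The patterns listed above (calls from unexpected addresses, bulk queries outside business hours, row counts far above a user's baseline) map directly onto columns in the Shield Event Monitoring API event log. The following is an added example, not code from the original article, from Salesforce or from any Shield product: it parses constructed CSV rows that use a subset of the EventLogFile API event type's columns (TIMESTAMP_DERIVED, USER_NAME, CLIENT_IP, ENTITY_NAME, ROWS_PROCESSED, METHOD_NAME, CLIENT_NAME) and applies three checks: source IP outside an allowlist, activity outside business hours, and daily row totals above a per-user baseline. The allowlist, business hours, baselines and every log row are constructed assumptions to tune per org.

```python
"""Flag bulk-extraction patterns in Shield Event Monitoring API log rows (added example, not from the article).

The CSV below is constructed sample data using a subset of the columns of the EventLogFile
'API' event type. Allowlist, business hours and baselines are assumptions to tune per org.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

SAMPLE_API_LOG = """\
TIMESTAMP_DERIVED,USER_NAME,CLIENT_IP,ENTITY_NAME,ROWS_PROCESSED,METHOD_NAME,CLIENT_NAME
2025-09-02T09:15:03.000Z,sales@example.com,203.0.113.45,Account,200,query,SfdcInternalAPI
2025-09-02T09:40:11.000Z,sales@example.com,203.0.113.45,Contact,500,query,SfdcInternalAPI
2025-09-02T02:05:44.000Z,finance@example.com,198.51.100.77,Contact,2000,queryMore,Data Loader v2
2025-09-02T02:09:02.000Z,finance@example.com,198.51.100.77,Contact,2000,queryMore,Data Loader v2
2025-09-02T02:12:51.000Z,finance@example.com,198.51.100.77,Account,2000,queryMore,Data Loader v2
2025-09-02T14:20:00.000Z,integration@example.com,192.0.2.10,Opportunity,2000,query,Nightly ETL
"""

ALLOWED_NETWORKS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "192.0.2.0/24")]  # constructed
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 in the log's timezone (UTC here); assumption
# Assumed normal rows/day per user; integration users legitimately move far more than humans.
DAILY_BASELINE = defaultdict(lambda: 1000, {"integration@example.com": 10000})


def parse_api_log(text):
    """Parse event log CSV text into dicts with a datetime and an integer row count added."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        r["rows"] = int(r["ROWS_PROCESSED"])
    return rows


def detect_anomalies(rows):
    """Per-row findings for IP/hours, plus one finding per user/day whose row total exceeds baseline."""
    findings = []
    daily_rows = defaultdict(int)
    for r in rows:
        user = r["USER_NAME"]
        ip = ipaddress.ip_address(r["CLIENT_IP"])
        reasons = []
        if not any(ip in net for net in ALLOWED_NETWORKS):
            reasons.append(f"source IP {ip} outside allowlist")
        if r["ts"].hour not in BUSINESS_HOURS:
            reasons.append(f"call at {r['ts']:%H:%M} UTC outside business hours")
        if reasons:
            findings.append({"user": user, "entity": r["ENTITY_NAME"],
                             "client": r["CLIENT_NAME"], "reasons": reasons})
        daily_rows[(user, r["ts"].date())] += r["rows"]
    for (user, day), total in daily_rows.items():
        if total > DAILY_BASELINE[user]:
            findings.append({"user": user, "entity": "*", "client": "*",
                             "reasons": [f"{total} rows on {day} exceeds baseline {DAILY_BASELINE[user]}"]})
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(parse_api_log(SAMPLE_API_LOG)):
        print(f"{f['user']:<26} {f['entity']:<12} {f['client']:<16} {'; '.join(f['reasons'])}")
```

In the constructed data only the finance user trips the checks, and it trips all three at once: an unknown client name pulling thousands of Contact rows at 02:00 from an address outside the allowlist is exactly the footprint the steps above describe. The baseline check is the one worth investing in, because it also catches slow extraction that never exceeds a per-call threshold.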
7. Review Setup Access Log and Manual Monitoring
Many organizations rely exclusively on automated security tools without implementing regular manual review processes that can catch sophisticated attacks designed to evade automated detection. Setup access logs contain critical information about configuration changes, user privilege modifications, and system alterations that could indicate compromise, but these logs often go unreviewed for months or years. With 74% of all breaches including human involvement through various vectors per Verizon Business, manual review processes can identify subtle indicators of compromise that automated systems miss.
Manual monitoring serves as a critical backup detection method for sophisticated attackers who specifically design their activities to avoid triggering automated alerts. Advanced persistent threats often involve gradual privilege escalation and subtle configuration changes over extended periods, creating a pattern that only becomes apparent through manual analysis.
Steps You Need to Do:
- Routinely review your setup access log for unauthorized or suspicious configuration changes
- Conduct regular manual reviews of all active users in Salesforce to identify anomalous behavior patterns
- Monitor for changes that shouldn’t have occurred or that lack proper business justification
- We recommend not discounting manual review as an essential component of your security program
- Establish regular schedules for human analysis of security logs and user activity patterns
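A manual review of the setup audit trail goes faster when the entries that already have a business justification are filtered out first, leaving the reviewer with only the changes that need a human look. The following is an added example, not code from the original article or from Salesforce: it takes records in the shape of a SetupAuditTrail query (CreatedDate, CreatedBy.Username, Section, Display, DelegateUser) and a constructed list of approved change windows, then surfaces high-risk changes made outside any approved window, setup changes by users who are not known admins, and changes made through Login As (which Salesforce records in DelegateUser). The section labels, keyword list, admin set, change windows and all records are constructed assumptions.

```python
"""Review SetupAuditTrail entries against an approved-change list (added example, not from the article).

Records mirror: SELECT CreatedDate, CreatedBy.Username, Section, Display, DelegateUser
                FROM SetupAuditTrail WHERE CreatedDate = LAST_N_DAYS:7
Section labels, keywords, admin set, change windows and all records are constructed assumptions.
"""
from datetime import datetime, timezone

HIGH_RISK_SECTIONS = {"Manage Users", "Security Controls", "Connected Apps"}  # assumption
HIGH_RISK_KEYWORDS = ("view all data", "modify all data", "ip range", "session",
                      "connected app", "permission set", "profile")  # assumption
KNOWN_ADMINS = {"admin@example.com"}  # constructed

# Constructed approved changes: (actor, window start, window end, ticket).
APPROVED_CHANGES = [
    ("admin@example.com",
     datetime(2025, 9, 1, 9, 0, tzinfo=timezone.utc),
     datetime(2025, 9, 1, 11, 0, tzinfo=timezone.utc),
     "CHG-1042"),
]

SAMPLE_AUDIT = [
    {"CreatedDate": "2025-09-01T09:42:10.000+0000", "CreatedBy": {"Username": "admin@example.com"},
     "Section": "Manage Users",
     "Display": "Assigned permission set Reporting to user rep@example.com", "DelegateUser": None},
    {"CreatedDate": "2025-09-02T01:12:33.000+0000", "CreatedBy": {"Username": "admin@example.com"},
     "Section": "Security Controls",
     "Display": "Changed Login IP Ranges for profile System Administrator", "DelegateUser": None},
    {"CreatedDate": "2025-09-02T01:15:02.000+0000", "CreatedBy": {"Username": "rep@example.com"},
     "Section": "Manage Users",
     "Display": "Changed profile for user rep@example.com from Standard User to System Administrator",
     "DelegateUser": None},
    {"CreatedDate": "2025-09-02T10:00:00.000+0000", "CreatedBy": {"Username": "admin@example.com"},
     "Section": "Customize Accounts",
     "Display": "Created custom field Region on Account", "DelegateUser": "support@vendor.example"},
]


def review_audit_trail(entries, approved=APPROVED_CHANGES, admins=KNOWN_ADMINS):
    """Return the entries a human should look at, each with the reasons and any matching ticket."""
    findings = []
    for e in entries:
        actor = e["CreatedBy"]["Username"]
        when = datetime.strptime(e["CreatedDate"], "%Y-%m-%dT%H:%M:%S.%f%z")
        display = e["Display"].lower()
        risky = e["Section"] in HIGH_RISK_SECTIONS or any(k in display for k in HIGH_RISK_KEYWORDS)
        ticket = next((t for a, start, end, t in approved if a == actor and start <= when <= end), None)
        reasons = []
        if risky and ticket is None:
            reasons.append("high-risk change with no approved change window")
        if actor not in admins:
            reasons.append(f"setup change by non-admin {actor}")
        if e.get("DelegateUser"):
            # DelegateUser is set when the change was made via Login As on the actor's behalf.
            reasons.append(f"performed via Login As by {e['DelegateUser']}")
        if reasons:
            findings.append({"when": e["CreatedDate"], "actor": actor, "change": e["Display"],
                             "ticket": ticket, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_audit_trail(SAMPLE_AUDIT):
        print(f"{f['when']}  {f['actor']:<20} {f['change']}\n    -> {'; '.join(f['reasons'])}")
```

The third constructed entry is the one to treat as an incident rather than a policy gap: a non-admin promoting their own profile a few minutes after an IP-range change at 01:00 is the privilege-escalation pattern the text describes, and neither step on its own would necessarily trigger an automated alert.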
8. Implement Data Backup
Many Salesforce organizations lack comprehensive data backup strategies, leaving them completely vulnerable to ransomware attacks, malicious data deletion, or corruption incidents that could destroy years of business-critical information. The threat landscape has become increasingly severe, with overall recovery costs from ransomware attacks (excluding ransom payments) surging to $450 million in 2024 representing a 50% increase from 2023. The assumption that Salesforce’s infrastructure protects against all data loss scenarios is dangerous because it doesn’t account for user-initiated deletion, malicious insider threats, or attacks that specifically target data destruction rather than theft.
Data backup serves as the ultimate recovery mechanism for ransomware attacks and provides crucial forensic capabilities for investigating security incidents. When attackers deploy ransomware or attempt to cover their tracks by deleting evidence, comprehensive backups ensure business continuity and preserve the data needed for forensic analysis.
Steps You Need to Do:
- Implement daily data backup immediately if you don’t currently have comprehensive backup coverage
- We recommend using backup systems that can identify what data was changed since the last backup
- Establish procedures for using backup change logs as a monitoring tool for detecting unauthorized modifications
- Test backup restoration procedures regularly to ensure they function properly during emergency situations
- Integrate backup analysis into your incident response procedures for forensic investigation capabilities
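The two steps above about using backup change logs as a monitoring tool come down to diffing consecutive snapshots and alerting on the kinds of change that no routine process produces. The following is an added example, not code from the original article or from any backup product: it loads two constructed CSV snapshots of an object (as a daily export would produce them), computes created, deleted and modified records with field-level detail, and raises alerts for a mass deletion and for changes to a watched field. The snapshots, the watched-field set and the deletion threshold are constructed assumptions.

```python
"""Diff two backup snapshots to surface unauthorized changes (added example, not from the article).

Snapshots are constructed CSV exports of one object (Id plus fields). The diff reports created,
deleted and modified records with field-level changes, then flags mass deletions and changes to
fields no normal process touches. Threshold and watched fields are assumptions.
"""
import csv
import io

YESTERDAY = """\
Id,Name,OwnerId,AnnualRevenue,Website
001A,Acme,005X,1000000,acme.example
001B,Globex,005X,250000,globex.example
001C,Initech,005Y,50000,initech.example
001D,Umbrella,005Y,75000,umbrella.example
"""
TODAY = """\
Id,Name,OwnerId,AnnualRevenue,Website
001A,Acme,005Z,1000000,acme.example
001B,Globex,005X,250000,globex.example
001E,Hooli,005X,900000,hooli.example
"""
WATCHED_FIELDS = {"OwnerId"}   # assumption: ownership changes need a ticket in this org
MASS_DELETE_THRESHOLD = 0.25   # assumption: losing >25% of records in a day is suspicious


def load_snapshot(text):
    """Index a CSV export by record Id."""
    return {r["Id"]: r for r in csv.DictReader(io.StringIO(text))}


def diff_snapshots(before, after):
    """Created/deleted Ids and, for surviving records, a map of field -> (old, new)."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = {}
    for rid in set(before) & set(after):
        changes = {f: (before[rid][f], after[rid].get(f))
                   for f in before[rid] if before[rid][f] != after[rid].get(f)}
        if changes:
            modified[rid] = changes
    return {"created": created, "deleted": deleted, "modified": modified}


def flag_diff(diff, before_count):
    """Alerts worth a human look: mass deletion and watched-field changes."""
    alerts = []
    if before_count and len(diff["deleted"]) / before_count >= MASS_DELETE_THRESHOLD:
        alerts.append(f"{len(diff['deleted'])} of {before_count} records deleted since last backup")
    for rid, changes in diff["modified"].items():
        touched = WATCHED_FIELDS & set(changes)
        if touched:
            alerts.append(f"record {rid}: watched field(s) {sorted(touched)} changed {changes}")
    return alerts


if __name__ == "__main__":
    before, after = load_snapshot(YESTERDAY), load_snapshot(TODAY)
    diff = diff_snapshots(before, after)
    print("created:", diff["created"], "deleted:", diff["deleted"], "modified:", diff["modified"])
    for alert in flag_diff(diff, len(before)):
        print("ALERT:", alert)
```

The same diff output is what an incident responder needs later: it says which records were removed and what their values were at the last good backup, which is the forensic use the steps above mention.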
9. Train Users and Test Security Awareness
Human factors represent the most exploitable vulnerability in organizational security, with Stanford University research revealing that 88% of data breach incidents are caused by employees’ mistakes. Most recent Salesforce breaches succeeded because administrators and privileged users fell victim to sophisticated social engineering attacks specifically designed to exploit their elevated access levels. When administrators are compromised, attackers inherit comprehensive system access that can enable complete organizational data theft, system configuration manipulation, and the ability to cover their tracks by modifying security settings.
Steps You Need to Do:
- Train all users to detect phishing, social engineering, and voice phishing attacks with Salesforce-specific examples
- Test users with realistic simulated attacks, including fake support calls requesting authentication information
- We recommend including administrators in specialized training since they are high-value targets for attackers
- Test users in Salesforce-specific scenarios such as connected app authorization requests and OAuth security
- Establish verification protocols requiring users to confirm unusual IT requests through separate communication channels
- Attend our Salesforce Security Office Hours for expert advice from Salesforce security professionals, including a Certified Technical Architect
10. Run Security Health Check
Salesforce provides a built-in Security Health Check tool that identifies common configuration vulnerabilities and security misconfigurations, yet many organizations never use this basic assessment capability or run it infrequently without addressing identified issues. This is particularly concerning given that Gartner predicts more than 99% of cloud breaches through 2025 will have a root cause of preventable misconfigurations or mistakes by end users.
Security Health Check identifies fundamental configuration vulnerabilities that attackers specifically target when attempting to exploit Salesforce environments. Many of the misconfigurations detected by Health Check directly enable the attack vectors used in recent major breaches, such as overly permissive sharing settings, weak password policies, or inadequate session security controls.
Steps You Need to Do:
- Run Security Health Check in Salesforce immediately to establish a baseline security assessment
- Address all issues identified by the Health Check, prioritizing high-risk findings
- We recommend running Health Check regularly to monitor your security positioning over time
- Use the Health Check score as a metric for demonstrating security improvement to leadership
- Implement a process for reviewing and remediating new findings as they appear
- Confirm improvements by noting that the Security Health Check will provide a score and specific recommendations for improvement
Bonus Security Measure: Address the File Upload Vulnerability
Salesforce does not provide virus scanning for uploaded files or static resources, creating a critical and often unknown security gap that exposes organizations to malware, ransomware, and advanced persistent threats. This gap exists across all file upload mechanisms, including digital experience sites, email-to-case functionality, and internal file sharing.
Malicious files uploaded through Salesforce can serve as delivery mechanisms for ransomware that could encrypt your entire organizational data set, costing millions in recovery efforts and business disruption. A single infected file uploaded by an external user could compromise multiple employee devices, leading to credential theft, network lateral movement, and broader organizational compromise that extends far beyond Salesforce into your core business systems.
Steps You Need to Do:
- Understand that Salesforce provides no native virus scanning capabilities for any uploaded files
- Consider implementing EzProtect’s real-time virus and phishing scanning solution to automatically scan all files entering your environment
- Train users about the risks of downloading files from Salesforce without proper scanning protection
- Establish organizational policies requiring virus scanning before users download files from Salesforce
- Download our Salesforce security resource and understand why generic security solutions will not protect you from modern attacks
Your Mission, Should You Choose to Accept It
We get it: there is a lot of information to consume right now as a Salesforce Admin. But know this: with cybercrime costs projected to reach $10.5 trillion annually by 2025 and only 21% of executives allocating cyber budget to their organization's top risks per PwC, the time for reactive security measures has passed.
Your preparation today determines whether a future incident becomes a minor security event or a company-threatening catastrophe. We recommend taking immediate action on these measures because early intervention at the beginning of an attack can save your company significant financial losses and reputational damage.
Ready to close your Salesforce security gaps? Contact our Salesforce security experts for a comprehensive security assessment that identifies vulnerabilities generic security tools miss. All assessments are completely confidential and conducted by certified Salesforce security experts.