Trust starts with transparency. That’s why Salesforce displays real-time information on system performance and security on the trust site at http://trust.salesforce.com. This site provides live data on system performance, alerts for current and recent phishing and malware attempts, and tips on best security practices for your organization.
The Security tab on the trust site includes valuable information that can help you to safeguard your company's data. In particular, be on the alert for phishing and malware.
- Phishing is a social engineering technique that attempts to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishers often direct users to enter details at a fake website whose URL and look-and-feel are almost identical to the legitimate one. As the Salesforce community grows, it has become an increasingly appealing target for phishers. You will never get an email or a phone call from a Salesforce employee asking you to reveal a password, so you should refuse to reveal it to anyone. You can report any suspicious activities by clicking the Report a Suspicious Email link under the Trust tab at http://trust.salesforce.com.
- Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a general term used to cover a variety of forms of hostile, intrusive, or annoying software, and it includes computer viruses and spyware.
What Salesforce is Doing About Phishing and Malware
Customer security is the foundation of customer success, so Salesforce will continue to implement the best possible practices and technologies in this area. Recent and ongoing actions include:
- Actively monitoring and analyzing logs to enable proactive alerts to customers who have been affected.
- Collaborating with leading security vendors and experts on specific threats.
- Executing swift strategies to remove or disable fraudulent sites (often within an hour of detection).
- Reinforcing security education and tightening access policies within Salesforce.
- Evaluating and developing new technologies both for our customers and for deployment within our infrastructure.
What Salesforce Recommends You Do
Salesforce is committed to setting the standards in software-as-a-service as an effective partner in customer security. So, in addition to internal efforts, Salesforce strongly recommends that customers implement the following changes to enhance security:
- Modify your Salesforce implementation to activate IP range restrictions. This will allow users to access Salesforce only from your corporate network or VPN. For more information, see Restrict Where and When Users Can Log In to Salesforce.
- Set session security restrictions to make spoofing more difficult. For more information, see Modify Session Security Settings.
- Educate your employees not to open suspect emails and to be vigilant in guarding against phishing attempts.
- Use security solutions from leading vendors such as Symantec to deploy spam filtering and malware protection.
- Designate a security contact within your organization so that Salesforce can more effectively communicate with you. Contact your Salesforce representative with this information.
- Consider using two-factor authentication techniques, such as RSA tokens, to restrict access to your network. For more information, see Two-Factor Authentication.
- Use Transaction Security to monitor events and take appropriate actions. For more information, see Transaction Security Policies.
Salesforce has a Security Incident Response Team to respond to any security issues. To report a security incident or vulnerability to Salesforce, please contact firstname.lastname@example.org. Describe the issue in detail, and the team will respond promptly.