The State of Security within Salesforce Orgs

How are organizations keeping their Salesforce secure?

We are collecting information on the status of security within Salesforce orgs. What are organizations doing (or not doing)? And how does that compare with typical behaviors?

This survey will be anonymous, but if you would like to see an early copy of the results (or if you're hoping to win a Trailblazer hoodie), please feel free to share your email address at the end of the survey.

There are 48 questions, and the survey should only take you about 10-15 minutes to complete. It would be useful to have your Salesforce org open while you're completing the survey.

Organization Demographics

Question Title

* 1. What Industry is your organization in?

If your industry is not listed, please add it here

Question Title

* 2. Where is your organization located?

United States

Canada

Other (please specify)

Question Title

* 3. What is the annual revenue of your organization?

Less than $1 Million

$1-$10 Million

$10-50 Million

$50-$100 Million

$100 Million +

Question Title

* 4. How many employees does your organization have?

Less than 50

51-200

201-500

501-1000

1001-10000

10000+

General Security

Question Title

* 5. What edition of Salesforce does your org use?

Professional

Enterprise

Unlimited

Unlimited+

Performance

Essentials

Starter

Pro Suite

Contact Manager

Group

Personal

Database.com

Question Title

* 6. Is your Salesforce org using Salesforce Lightning?

Yes

I don't know

Question Title

* 7. How many years has your organization been using Salesforce?

Question Title

* 8. What Salesforce Clouds does your organization currently leverage? (Select all that apply)

Sales Cloud

Service Cloud

Experience Cloud

Financial Services Cloud

Data Cloud

Marketing Cloud

Pardot (Marketing Cloud Account Engagement)

CRM Analytics

Commerce Cloud

Communications Cloud

Media Cloud

Health Cloud

Non-Profit Cloud

Government Cloud

Manufacturing Cloud

Net Zero Cloud

Energy & Utilities Cloud

Consumer Goods Cloud

Philanthropy Cloud

Other (please specify)

Question Title

* 9. What additional Salesforce features are you using? (CPQ, FSL, etc.) Select all that apply.

Salesforce CPQ

Salesforce Maps

Salesforce Field Service

Salesforce Knowledge

Salesforce Einstein

None of the above

Other (please specify)

Question Title

* 10. How many 'Salesforce' and 'Salesforce Platform' licenses are you allocated across all your Salesforce instance(s)? (In other words - how many internal users do you have?)

Question Title

* 11. Do you back up your Salesforce data?

Yes

I don't know

Question Title

* 12. If yes, what solution(s) do you use for data backup? (Select all that apply)

OwnBackup

GearSet

Salesforce Weekly Data Export

Salesforce's Data Backup and Restore

Spanning

Odaseva

AutoRabit

AvePoint

Veeam

Flosum

Other (please specify)

Question Title

* 13. What is the frequency that your org backs up your Salesforce Data?

Daily

Weekly

Monthly

Quarterly

Other (please specify)

Question Title

* 14. How many Salesforce Admins does your org have? (These would be users with any of the following permissions: Modify All Data, Customize Application, Weekly Export, or Manage Users)

1-5 Admins

6-10 Admins

11-20 Admins

20+ Admins

User Access & Permissions

Question Title

* 15. Is your Salesforce Org integrated with an SSO?

Yes

I don't know

Question Title

* 16. Is MFA enabled for all Salesforce Users in your org?

Yes

I don't know

Question Title

* 17. What are the record-sharing methods used in your org to expand or restrict record visibility? (Select all that apply)

Sharing Rules

Role Hierarchy

Manual Sharing

Apex Sharing

Opportunity Teams

Restriction Rules

Other (please specify)

Question Title

* 18. How often do you review and update user access and permissions based on changes in job roles or responsibilities?

Never

Daily

Weekly

Monthly

Quarterly

Other (please specify)

Question Title

* 19. Are there any active User accounts within your Salesforce org that belong to individuals who are no longer with your company?

Yes

I don't know

Question Title

* 20. Have IP restrictions been configured to control access to Salesforce from specific locations?

Yes

I don't know

Question Title

* 21. How often are the Sharing Settings per Object reviewed in your organization's Salesforce org?

Never

Daily

Weekly

Monthly

Quarterly

Other (please specify)

Data Encryption & Protection

Question Title

* 22. Is your org using encrypted fields to protect sensitive data stored in Salesforce?

Yes

I don't know

Question Title

* 23. Does your company have policies in place to ensure that sensitive data is not stored in plain text within Salesforce?

Yes

I don't know

Question Title

* 24. Does your company use Salesforce Shield or other encryption tools to enhance data security?

Yes

I don't know

Question Title

* 25. Does your organization have a data retention and deletion policy in place to manage the data lifecycle within Salesforce?

Yes

I don't know

Question Title

* 26. If the answer to the previous question is yes - is the process automated or manual?

Automated

Manual

Not applicable

Monitoring & Logging

Question Title

* 27. What measures does your organization have in place for monitoring user activities and access logs within Salesforce? (Select all that apply)

Automated Monitoring tools

Salesforce Shield

Manual monitoring of Field Audit History

Manual review of login history exports

If your org has measures in place which are not listed above, please share here

Question Title

* 28. Does your organization have alerts set up to alert Admins to any of the following activities? (Select all that apply)

Unusual Login Patterns

Report or other data exports

Changes in user permission

Mass data deletion or Modification

Unusual API Activity

User Password Lockouts

Unusual user login location

None of the above

Question Title

* 29. Does your organization regularly review and analyze Salesforce audit logs for any unusual patterns or unauthorized access attempts?

Yes

I don't know

Question Title

* 30. Has your organization implemented measures to detect and prevent unauthorized data exports from Salesforce?

Yes

I don't know

Question Title

* 31. How do you handle incident response and investigation within Salesforce in the event of a security breach? (Select all that apply)

Escalation and Reporting

Automated Alerts and Notifications

Forensic Analysis

Collaboration with Security Team

Post-Incident Review and Lessons Learned

No formal process

Integrations & Third-Party Apps

Question Title

* 32. What user license and settings does your organization use to integrate external applications with Salesforce? (select all that apply)

Salesforce Integration User License

Dedicated Integration User with Salesforce License

End User Accounts

Question Title

* 33. What integrations does your org have with other systems?

Question Title

* 34. How does your org ensure the security of data exchanged between Salesforce and these systems?

Question Title

* 35. When was that last time that your organization conducted security assessments of the third-party Salesforce apps and integrations used within your Salesforce environment?

This month

This quarter

This year

Within the last 3 years

Never

Question Title

* 36. Are there any deprecated or unsupported integrations that need to be updated or removed for security reasons?

Yes

I don't know

Question Title

* 37. Does your organization have policies in place for reviewing and approving new third-party apps before integrating them with Salesforce?

Yes

I don't know

Security Training & Awareness

Question Title

* 38. Does your organization provide security awareness training to Salesforce users to educate them about best practices and potential threats?

Yes

Question Title

* 39. Has your organization conducted phishing simulation exercises to assess the susceptibility of Salesforce users to social engineering attacks?

Yes

Question Title

* 40. Are there specific security policies and guidelines in your organization that Salesforce users are expected to adhere to?

Yes

Question Title

* 41. How does your organization communicate security updates and important notifications to Salesforce users?

Email Notifications

In-app Notifications

Training Sessions & Webinars

Home Page Announcements in Salesforce

Internal Communication Channels (Slack, Teams, etc.)

Other (please specify)

None of the above

Question Title

* 42. What is your organization's process for reporting security incidents or concerns related to Salesforce? (Select all that apply)

Dedicated Reporting hotline/email channel

Internal Ticketing System

Salesforce Support Portal

Direct Contact with Security Teams

Anonymous Reporting Mechanism

In-Salesforce Reporting Feature

No Formal Process

Other (please specify)

Security Governance & Compliance

Question Title

* 43. Who is responsible for overseeing security governance and compliance within your organization's Salesforce environment?

Chief Information Security Officer (CISO)

IT Security Team

Salesforce Administrator

Compliance Officer/Team

Cross-Functional Security Team/Committee

External Compliance Auditors

I don't know

Question Title

* 44. Have your organization established a security governance framework specific to Salesforce, outlining responsibilities and accountability?

Yes

I don't know

Question Title

* 45. How does your organization ensure that security controls and configurations within Salesforce align with your organization's overall security policies and standards? (Select all that apply.)

Regular Security Audits and Assessments

Automated Compliance Monitoring

Security Training and Awareness Programs

No formal process

Other (please specify)

Question Title

* 46. How often do you conduct regular reviews and assessments to ensure adherence to security governance guidelines within Salesforce?

Never

Daily

Weekly

Monthly

Quarterly

Other (please specify)