Infected files will stay in the Salesforce environment eternally and may be opened and forwarded by internal users, or worse, forwarded to customers for signature, or third-party institutions like banks for processing.
The malicious content (viruses, ransomware, malware) stays within each attachment uploaded to Salesforce and is essentially waiting to be unleashed, potentially costing organizations millions of dollars in damages and fees. The issue is what happens next, when the files are opened or forwarded to another contact for signature.
Network security professionals rely on network virus scanners/gateways to detect the threats, but there are dozens of circumstances when they fail due to delayed updates, remote employees not updating native software, lack of connection to the network via VPN, etc. Read 10 Reasons why Desktop Virus Scanning software applications don’t protect Salesforce Environments for more insight.
Then there’s the corporate liability issue. If an organization is sending infected files to other organizations for signature or routing, they are liable if the file is opened and the receiving end is attacked.
For example, Salesforce may be set up with a website page which the public accesses to submit complaints and attachments to support their claims. The form is filled out, the file is attached, and it is sent directly into the Salesforce environment – completely bypassing the network. The file is then forwarded to a financial institution for review/processing. When the financial institution opens the attachment, it may be infected and unleash whatever malicious code is included in the file. Hopefully, the virus scanning software/gateway installed on the financial institution’s network will catch it. Hopefully, the employee who opened the file will have updated virus scanning software on his/her computer. Hopefully.
Take this example and multiply it by 65,000 per month, which is a real-time, functional example of a Federal organization following this process. Imagine the number of ways a hacker may bypass the system.
Network Security Confusion
Unfortunately, most network security professionals do not understand how Salesforce works: it is a data management system that may be opened to public users via communities, chatter and sites, as well as email-to-case functionality where files are sent to support staff and completely bypass the network until they are opened. In order to open the file, the internal user or support staff will need to download the file to their computers, which are connected to the network. Essentially, Salesforce behaves like a repository for the files, and it’s the corporation’s responsibility to do everything they can to protect the corporation and others against malicious content.
Security team logic assumes the network virus scanner or gateways will detect the virus before it’s opened to block the threat. In a best-case scenario, this would be true, but over the years we have collected dozens of examples where the virus software was not updated with current threats, the employee wasn’t connected to the network via VPN, the virus scanner was off, the list goes on. Security teams must learn to treat Salesforce much differently as their logic is predicated on outdated assumptions that are costing organizations millions.
Financial impact statistics indicate the global cost of cybercrime is expected to reach $2 trillion (USD) by the end of 2019, triple the amount from 2015, and global ransomware damage costs are predicted to reach $11.5 billion in 2019 and $20 billion (USD) by 2021. Recently, security negligence fines have been filed against organizations[i] including Uber – $148 million, Yahoo – $85 million, Tesco Bank – $21 million, Anthem – $16 million, Equifax and Facebook – $650,000, The University of Texas MD Anderson Cancer Center – $4.3 million, Fresenius Medical Care North America – $3.5 million, and countless others.
The real issue is whether an organization is comfortable knowing they are hosting hundreds, if not thousands, of infected files within their Salesforce environments which will be used to infect others repeatedly. This is particularly urgent for publicly-traded organizations, and those in the financial services sector which are held to Sarbanes-Oxley standards as they will not pass security audits without the connection of a third-party virus scanner to their Salesforce environments.
We encourage organizations to establish cross-functional security teams to address Salesforce cybersecurity due to the lack of understanding of current Salesforce setup (communities, chatter, sites), public access points, and internal virus scanning software/gateway management. Understanding both the current setup and future roadmap is key to ensuring an organization is properly protected both inside and outside of Salesforce environments.