    Salesforce Security Best Practices: Hardening Your Org in 2026

    CalculateForce Team (Salesforce Cost Analysts) | November 10, 2025 | 10 min read
    Tags: Security, Shield, Best Practices, Compliance

    Salesforce security is no longer just an IT concern — it's a board-level priority. With CRM systems holding an organization's most sensitive data (customer records, financial transactions, contract terms, and strategic pipeline data), a security breach in Salesforce can be catastrophic. Yet our security assessments reveal that seventy percent of Salesforce organizations have at least one critical security misconfiguration, and thirty-five percent have high-risk vulnerabilities that could be exploited by a determined attacker. The challenge isn't that Salesforce lacks security features — it's one of the most configurable platforms in terms of security controls. The challenge is that most organizations don't implement these controls comprehensively, leaving gaps that attackers can exploit. This guide covers the essential security hardening practices that every Salesforce organization should implement, regardless of industry or size, along with the costs of advanced security tools like Salesforce Shield and Event Monitoring.

    70%: orgs with critical misconfigurations
    $4.5M: average cost of a CRM data breach
    30%: Shield cost (as a percentage of the Salesforce subscription)
    8 hrs: average time to implement basic hardening

    Authentication and Access Control Hardening

    Multi-factor authentication (MFA) is the single most impactful security control you can implement, and as of 2024, Salesforce requires it for all direct UI logins. However, MFA enforcement has nuances that many organizations miss. Ensure MFA is enforced not just for standard user logins but also for API-authenticated sessions, connected app access, and single sign-on flows. Review your Login IP Ranges and Login Hours restrictions — these controls limit where and when users can authenticate, adding a defense layer against credential theft. Set Login IP Ranges for all profiles to restrict access to corporate networks and approved VPN ranges. Configure Login Hours to match business operating schedules, preventing off-hours access that could indicate compromised credentials. Session settings should be hardened: reduce the session timeout to two hours for standard users (the default of twelve hours is excessive), enable "Lock sessions to the IP address from which they originated" to prevent session hijacking, and leave "Lock sessions to the domain in which they were first used" enabled unless you have a specific cross-domain requirement. For privileged accounts (system administrators, integration users), implement additional controls: require re-authentication for sensitive operations, limit the number of concurrent sessions, and enable Login Forensics to track every authentication event.

    Permission Model and Data Access Review

    The principle of least privilege is foundational to Salesforce security, but implementing it requires disciplined permission management that most organizations neglect after initial setup. Start with a comprehensive permission audit: export all permission sets, permission set groups, and profile assignments across your org, and map each permission to the business justification for its existence. Common findings include View All Data or Modify All Data permissions granted to profiles beyond System Administrator (these should never exist on non-admin profiles), overly broad field-level security that exposes sensitive fields (Social Security numbers, salary data, financial account numbers) to users who don't need them, and sharing rules that grant organization-wide read access to objects that should be restricted. After the audit, implement a permission set-based security model: strip profiles down to the minimum required access and layer additional permissions through purpose-specific permission sets. This approach provides granular control and makes it easy to audit who has access to what. For highly sensitive objects, implement record-level security using sharing rules, Apex sharing, and criteria-based sharing to ensure users only see records they have a business need to access. Schedule quarterly permission reviews — user roles change, employees move between teams, and permissions that were appropriate six months ago may no longer be justified.
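    The audit described above can be scripted once the permission data is exported. The following is an added example (not code from the article or from Salesforce) that takes two exports shaped like SOQL results on the PermissionSet and FieldPermissions objects and flags the two most common findings: View All Data / Modify All Data outside the System Administrator profile, and sensitive fields readable by non-admin permission sets. The Salesforce field names (PermissionsViewAllData, PermissionsModifyAllData, IsOwnedByProfile, PermissionsRead) are real API names; the rows, the admin profile name and the list of sensitive fields are constructed assumptions for the example.

```python
"""Audit exported Salesforce permission data for least-privilege violations.

Added example, not the article's own tooling. Input rows mirror the shape
of SOQL results on PermissionSet and FieldPermissions; the rows themselves
are constructed sample data, not from a real org.
"""
from collections import defaultdict

# Profiles allowed to hold org-wide data permissions (assumed policy).
ADMIN_PROFILES = {"System Administrator"}

# Fields the organisation classifies as sensitive (assumed classification).
SENSITIVE_FIELDS = {
    "Contact.SSN__c",
    "Employee__c.Salary__c",
    "Account.Bank_Account_Number__c",
}

# Constructed sample of: SELECT Id, Label, IsOwnedByProfile, Profile.Name,
#   PermissionsViewAllData, PermissionsModifyAllData FROM PermissionSet
# (Profile.Name is flattened to ProfileName; it is None for standalone sets.)
PERMISSION_SETS = [
    {"Id": "0PS1", "Label": "Admin", "IsOwnedByProfile": True,
     "ProfileName": "System Administrator",
     "PermissionsViewAllData": True, "PermissionsModifyAllData": True},
    {"Id": "0PS2", "Label": "Sales Rep", "IsOwnedByProfile": True,
     "ProfileName": "Sales User",
     "PermissionsViewAllData": True, "PermissionsModifyAllData": False},
    {"Id": "0PS3", "Label": "Marketing Analytics", "IsOwnedByProfile": False,
     "ProfileName": None,
     "PermissionsViewAllData": False, "PermissionsModifyAllData": True},
    {"Id": "0PS4", "Label": "Support Agent", "IsOwnedByProfile": True,
     "ProfileName": "Support User",
     "PermissionsViewAllData": False, "PermissionsModifyAllData": False},
]

# Constructed sample of: SELECT ParentId, SobjectType, Field, PermissionsRead,
#   PermissionsEdit FROM FieldPermissions
FIELD_PERMISSIONS = [
    {"ParentId": "0PS1", "SobjectType": "Contact", "Field": "Contact.SSN__c",
     "PermissionsRead": True, "PermissionsEdit": True},
    {"ParentId": "0PS2", "SobjectType": "Contact", "Field": "Contact.SSN__c",
     "PermissionsRead": True, "PermissionsEdit": False},
    {"ParentId": "0PS4", "SobjectType": "Employee__c",
     "Field": "Employee__c.Salary__c",
     "PermissionsRead": True, "PermissionsEdit": False},
    {"ParentId": "0PS4", "SobjectType": "Contact", "Field": "Contact.Email",
     "PermissionsRead": True, "PermissionsEdit": True},
]


def audit_data_permissions(permission_sets):
    """Flag View All Data / Modify All Data held outside the admin profiles.

    Returns a list of (permission set label, permission API name) findings,
    in export order. Standalone permission sets (no owning profile) are
    always checked, because they can be assigned to any user.
    """
    findings = []
    for ps in permission_sets:
        profile = ps["ProfileName"] if ps["IsOwnedByProfile"] else None
        if profile in ADMIN_PROFILES:
            continue  # the one place these permissions are expected
        for perm in ("PermissionsViewAllData", "PermissionsModifyAllData"):
            if ps[perm]:
                findings.append((ps["Label"], perm))
    return findings


def audit_sensitive_fields(permission_sets, field_permissions,
                           sensitive_fields=SENSITIVE_FIELDS):
    """Map each sensitive field to the non-admin permission sets that can read it."""
    labels = {ps["Id"]: ps["Label"] for ps in permission_sets}
    admin_ids = {ps["Id"] for ps in permission_sets
                 if ps["IsOwnedByProfile"] and ps["ProfileName"] in ADMIN_PROFILES}
    exposure = defaultdict(list)
    for fp in field_permissions:
        if (fp["Field"] in sensitive_fields and fp["PermissionsRead"]
                and fp["ParentId"] not in admin_ids):
            exposure[fp["Field"]].append(labels.get(fp["ParentId"], fp["ParentId"]))
    return dict(exposure)


if __name__ == "__main__":
    for label, perm in audit_data_permissions(PERMISSION_SETS):
        print(f"CRITICAL: {label} grants {perm}")
    for field, holders in audit_sensitive_fields(PERMISSION_SETS, FIELD_PERMISSIONS).items():
        print(f"HIGH: {field} readable by {', '.join(holders)}")
```

    Run quarterly against a fresh export and diff the findings against the previous run; a finding that reappears after being remediated usually points at a deployment or package that re-grants the permission.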

    Salesforce Shield: Encryption, Monitoring, and Audit Trail

    Salesforce Shield is a premium security add-on priced at approximately thirty percent of your total Salesforce subscription that provides three critical capabilities. Shield Platform Encryption encrypts data at rest using AES-256 encryption with customer-controlled keys, covering standard and custom fields, files, attachments, and search indexes. Unlike classic Salesforce encryption, Shield encryption preserves the ability to filter, sort, and report on encrypted fields — making it practical for production use without sacrificing functionality. Event Monitoring provides detailed logs of every user action in the platform — page views, report exports, API calls, login events, and data exports — enabling security teams to detect suspicious behavior patterns like bulk data exports, off-hours access, and unauthorized record access. Field Audit Trail extends the standard Salesforce audit history (which only retains twenty records per field for eighteen months) to retain up to ten years of field change history across one hundred twenty fields per object, meeting regulatory requirements for industries like financial services, healthcare, and government. The total Shield investment for a mid-market organization (two hundred users on Enterprise edition) is approximately $100,000 to $150,000 annually. Whether this investment is justified depends on your regulatory requirements, data sensitivity, and risk tolerance — organizations in regulated industries should consider Shield mandatory rather than optional.

    Threat Detection and Incident Response

    Proactive threat detection is the difference between catching a security incident early (limiting damage to a few accessed records) and discovering a breach weeks later (after thousands of records have been exfiltrated). Salesforce provides several native threat detection capabilities that should be enabled and monitored. Transaction Security Policies (available with Shield or as a standalone add-on) allow you to define real-time policies that trigger alerts or block actions when suspicious activity occurs — for example, blocking a user who attempts to export more than one thousand records from a single report, or alerting when an API user makes requests from an unfamiliar IP address. Einstein Threat Detection (included with Shield Event Monitoring) uses machine learning to identify anomalous behavior patterns — unusual login locations, atypical data access volumes, and suspicious API consumption patterns — and surfaces these as alerts in the Salesforce security dashboard. Beyond native tools, implement a security information and event management (SIEM) integration that feeds Salesforce Event Monitoring logs into your enterprise security operations center. This allows your security team to correlate Salesforce events with events from other systems, providing a comprehensive view of potential multi-vector attacks. For incident response, document a Salesforce-specific incident response playbook that covers credential compromise (immediate password reset and session termination), data exfiltration (identifying affected records and notifying impacted parties), and unauthorized access (tracing the attack vector and closing the vulnerability).
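    The Login IP Ranges and Login Hours controls from the authentication section and the transaction-security style rules described here (blocking an export of more than one thousand records, alerting on an API user from an unfamiliar address) can be expressed as a small rule set over Event Monitoring data. The block below is an added example, not code from the article or from Salesforce, and it generalises slightly: it evaluates login, API and report-export events against per-profile IP ranges, login hours and an export threshold. The event dicts are constructed and use a simplified, assumed subset of EventLogFile column names (EVENT_TYPE, TIMESTAMP_DERIVED, USER_ID, CLIENT_IP, ROWS_PROCESSED); the IP ranges, login hours and user-to-profile mapping are likewise assumptions for the example.

```python
"""Detection rules over Salesforce Event Monitoring-style events.

Added example, not the article's or Salesforce's own code. Events are
assumed to be already parsed from EventLogFile CSVs into dicts; the column
names are a simplified, assumed subset and every row below is constructed.
Timestamps are treated as UTC and login hours are assumed to be defined in
the same zone, which is a simplification for the example.
"""
from datetime import datetime, time
import ipaddress

# Login IP Ranges per profile (assumed corporate and VPN ranges, RFC 5737 space).
LOGIN_IP_RANGES = {
    "System Administrator": [ipaddress.ip_network("203.0.113.0/24")],
    "Integration User": [ipaddress.ip_network("198.51.100.0/28")],
    "Sales User": [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("192.0.2.0/24")],
}
# Login Hours per profile as (start, end); profiles not listed get 24x7.
LOGIN_HOURS = {
    "Sales User": (time(7, 0), time(20, 0)),
}
# Threshold from the article: exports of more than 1000 records are blocked.
EXPORT_ROW_LIMIT = 1000

# User -> profile mapping (in practice joined from the User object; assumed here).
USER_PROFILES = {"005A": "Sales User", "005B": "Integration User",
                 "005C": "System Administrator"}

# Constructed sample events.
EVENTS = [
    {"EVENT_TYPE": "Login", "TIMESTAMP_DERIVED": "2025-11-10T09:15:00Z",
     "USER_ID": "005A", "CLIENT_IP": "203.0.113.40"},
    {"EVENT_TYPE": "Login", "TIMESTAMP_DERIVED": "2025-11-10T02:30:00Z",
     "USER_ID": "005A", "CLIENT_IP": "203.0.113.41"},
    {"EVENT_TYPE": "ReportExport", "TIMESTAMP_DERIVED": "2025-11-10T09:40:00Z",
     "USER_ID": "005A", "CLIENT_IP": "203.0.113.40", "ROWS_PROCESSED": "2500"},
    {"EVENT_TYPE": "ReportExport", "TIMESTAMP_DERIVED": "2025-11-10T10:05:00Z",
     "USER_ID": "005C", "CLIENT_IP": "203.0.113.9", "ROWS_PROCESSED": "120"},
    {"EVENT_TYPE": "API", "TIMESTAMP_DERIVED": "2025-11-10T11:00:00Z",
     "USER_ID": "005B", "CLIENT_IP": "198.51.100.77"},
    {"EVENT_TYPE": "API", "TIMESTAMP_DERIVED": "2025-11-10T11:01:00Z",
     "USER_ID": "005B", "CLIENT_IP": "198.51.100.5"},
]


def ip_allowed(profile, client_ip):
    """True if the address falls inside one of the profile's Login IP Ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in LOGIN_IP_RANGES.get(profile, []))


def within_login_hours(profile, ts):
    """True if the timestamp's time of day is inside the profile's Login Hours."""
    start, end = LOGIN_HOURS.get(profile, (time(0, 0), time(23, 59, 59)))
    return start <= ts.time() <= end


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def evaluate(events):
    """Return (event type, user id, rule name) alerts in event order."""
    alerts = []
    for ev in events:
        profile = USER_PROFILES.get(ev["USER_ID"], "unknown")
        ts = parse_ts(ev["TIMESTAMP_DERIVED"])
        etype = ev["EVENT_TYPE"]
        # Rule 1: any authenticated request from outside the profile's ranges.
        if etype in ("Login", "API") and not ip_allowed(profile, ev["CLIENT_IP"]):
            alerts.append((etype, ev["USER_ID"], "ip_outside_login_ranges"))
        # Rule 2: interactive login outside the configured business hours.
        if etype == "Login" and not within_login_hours(profile, ts):
            alerts.append((etype, ev["USER_ID"], "outside_login_hours"))
        # Rule 3: bulk report export above the transaction-security threshold.
        if etype == "ReportExport" and int(ev["ROWS_PROCESSED"]) > EXPORT_ROW_LIMIT:
            alerts.append((etype, ev["USER_ID"], "bulk_export"))
    return alerts


if __name__ == "__main__":
    for etype, user, rule in evaluate(EVENTS):
        print(f"ALERT {rule}: {etype} by {user}")
```

    Rules 1 and 2 are what the platform enforces when Login IP Ranges and Login Hours are configured; running the same checks over the logs catches profiles where the restriction was never set, and rule 3 is the post-hoc counterpart of a blocking Transaction Security Policy, useful for tuning the threshold before turning enforcement on.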

    Cost-Effective Security: Prioritizing Without Shield

    Not every organization can justify the Shield investment, but every organization can implement robust security practices at minimal cost. The eight-hour security hardening sprint covers the highest-impact configurations: enable and enforce MFA across all profiles, review and restrict Login IP Ranges for administrative profiles, reduce the session timeout to four hours or less, audit and remove unnecessary View All Data and Modify All Data permissions, enable field-level security on all sensitive fields, review organization-wide defaults and restrict them to Private for objects containing sensitive data, configure report and dashboard folder sharing to prevent unauthorized access to analytical outputs, and enable Login Forensics to track authentication events. These configurations cost nothing beyond admin time and address the vulnerabilities exploited in over eighty percent of Salesforce security incidents. For organizations that need encryption but can't afford Shield, consider implementing field-level encryption at the application layer using the Apex Crypto class for the most sensitive fields — this provides encryption at rest for targeted data without the Shield license cost, though it does sacrifice some reporting and filtering capabilities on encrypted fields. The key principle is that security is not an all-or-nothing investment — even without premium tools, disciplined configuration and regular auditing dramatically reduce risk.
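    The sprint checklist above is easiest to keep honest as a repeatable check rather than a one-off. The block below is an added example, not the article's or Salesforce's own tooling: it evaluates a constructed org snapshot against the session-timeout, lock-to-IP, MFA, admin Login IP Range, org-wide default and folder-sharing items and ranks the gaps by severity. The sessionSettings keys follow the Metadata API SecuritySettings names (sessionTimeout, lockSessionsToIp); the profile, org-wide default and folder keys are assumed shapes for whatever export you use, and the sensitive-object list is an assumed classification. The View All Data / Modify All Data audit is a query against permission data rather than a settings check and is not repeated here.

```python
"""Check an org's security settings against the eight-hour hardening baseline.

Added example, not the article's or Salesforce's own tooling. ORG is a
constructed snapshot of a weakly configured org; only the sessionSettings
key names are taken from the Metadata API, the rest are assumed shapes.
"""

# Metadata API sessionTimeout values mapped to minutes. Unknown values are
# treated as over the limit so a typo never silently passes.
SESSION_TIMEOUT_MINUTES = {
    "FifteenMinutes": 15, "ThirtyMinutes": 30, "SixtyMinutes": 60,
    "TwoHours": 120, "FourHours": 240, "EightHours": 480,
    "TwelveHours": 720, "TwentyFourHours": 1440,
}
MAX_SESSION_MINUTES = 240                       # sprint target: four hours or less
SENSITIVE_OBJECTS = {"Contact", "Employee__c"}  # assumed data classification
ADMIN_PROFILE = "System Administrator"
BROAD_AUDIENCES = {"All Internal Users"}        # folder shares to flag
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}

ORG = {  # constructed sample snapshot
    "sessionSettings": {"sessionTimeout": "TwelveHours", "lockSessionsToIp": False},
    "profiles": [
        {"name": ADMIN_PROFILE, "mfaRequired": True,
         "loginIpRanges": ["203.0.113.0/24"]},
        {"name": "Sales User", "mfaRequired": False, "loginIpRanges": []},
    ],
    "orgWideDefaults": {"Contact": "ReadWrite", "Employee__c": "Private",
                        "Lead": "ReadWrite"},
    "reportFolders": [
        {"name": "Finance Reports", "sharedWith": ["All Internal Users"]},
        {"name": "Sales Dashboards", "sharedWith": ["Sales Team"]},
    ],
}


def check_org(org):
    """Return (severity, item, recommendation) findings, most severe first."""
    findings = []
    ss = org["sessionSettings"]
    minutes = SESSION_TIMEOUT_MINUTES.get(ss["sessionTimeout"], MAX_SESSION_MINUTES + 1)
    if minutes > MAX_SESSION_MINUTES:
        findings.append(("HIGH", "sessionTimeout",
                         f"{ss['sessionTimeout']} exceeds {MAX_SESSION_MINUTES} min; "
                         "set FourHours or lower"))
    if not ss.get("lockSessionsToIp", False):
        findings.append(("MEDIUM", "lockSessionsToIp",
                         "enable to limit session hijacking"))
    for p in org["profiles"]:
        if not p.get("mfaRequired", False):
            findings.append(("CRITICAL", f"mfa:{p['name']}",
                             "enforce MFA on this profile"))
        # The sprint scopes IP range restrictions to administrative profiles.
        if p["name"] == ADMIN_PROFILE and not p.get("loginIpRanges"):
            findings.append(("HIGH", f"loginIpRanges:{p['name']}",
                             "restrict admin logins to corporate/VPN ranges"))
    for obj, owd in org["orgWideDefaults"].items():
        if obj in SENSITIVE_OBJECTS and owd != "Private":
            findings.append(("HIGH", f"owd:{obj}",
                             f"org-wide default is {owd}; set Private and share by rule"))
    for folder in org["reportFolders"]:
        if BROAD_AUDIENCES & set(folder["sharedWith"]):
            findings.append(("MEDIUM", f"folder:{folder['name']}",
                             "narrow folder sharing to the teams that need it"))
    # Stable sort keeps discovery order within a severity level.
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


if __name__ == "__main__":
    for severity, item, recommendation in check_org(ORG):
        print(f"[{severity}] {item}: {recommendation}")
```

    Feed the checker the same export after each release so configuration drift shows up as a new finding rather than at the next annual assessment.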

    Assess Your Salesforce Security Posture

    Use our tools to evaluate your security configurations, estimate Shield costs, and build a hardening roadmap.
