May 20, 2019

Sometimes companies get hacked. Sometimes they hack themselves. Self-harm seems to be the underlying cause of a major service outage affecting users of cloud-based marketing platform Salesforce.com.

Company engineers were scrambling on Friday to protect user data and shut down service to major parts of its global user base, creating one of the biggest outages in its history.

At the heart of the outage was an update made to its software development systems that broke access permission settings, giving employees of organisations that use Salesforce access to all of their company’s files – many of them holding sensitive information about current and prospective customers, or proprietary information about potential business opportunities.

According to reports on Reddit, users got more than read access: they were given admin-level permissions that would have made it easy for a malicious employee to steal or tamper with a company’s data, or for others to overwrite it in error.

Salesforce customers in Europe and North America were the most affected when the company breached itself and closed down access to 100 cloud instances used to deliver its own service.

When tech becomes a utility

If your organisation isn’t already using it, Salesforce is a big-tech company like Amazon or Uber. Its cloud-based software is used around the world by salespeople, marketers and customer service teams, winning so many business customers that CEO Marc Benioff routinely claims it’s the fastest-growing software business in history.

For Salesforce and other companies whose systems have become synonymous with a job role or sector (for example, Sage in accounting), outages can have financial consequences for customers, like crediting end-customer accounts for costs caused by delays, or incurring other penalties related to missed deadlines.

As Salesforce said in its most recent annual report, ‘(Service) interruptions could cause customers to make warranty claims or end their subscriptions, negatively affecting revenue and our ability to attract new customers.’

But data breaches can have an even bigger cost. Software like Salesforce can hold sensitive detail about conversations and procurement processes that lead to multi-million pound sales deals, not to mention the personal details of users, clients, customers, and partners.

Acts of cyber self-harm

It’s easy to heap scorn on a major tech company for failing at technology. Salesforce will suffer the wrath of customers and investors for the self-induced breach, so we won’t try to add fuel to the fire. If anything, we’d offer some solace.

Experience tells us that the mistaken deployment of a bad piece of code, a malfunctioning appliance that crashes a network, or having the wrong server settings ahead of a major upgrade are things that happen routinely in tech – but are usually kept quiet or dealt with quickly, so don’t get a lot of attention.

In most cases the technology does exactly what it’s supposed to do, but human behaviour adds unnecessary complexity, or human error leads to failures and breaches.

There’s no magic bullet for cyber risk

Technical resources alone can’t stop breaches from happening. Well-known brands like Facebook, WhatsApp, and Citrix have all seen their defences fall over recently. Even the biggest tech companies can fall victim to poor security processes or lack of security awareness by employees.

The ongoing success of phishing campaigns shows that hackers know how to look for hidden weaknesses and exploit them. Placing too much trust in the latest cyber tech to keep them out is bound to lead to disappointment.

Training and education can strengthen your technological defences by empowering staff with knowledge, making it more likely that they would notice if a system they used every day had somehow given them system privileges they didn’t need. IT would be notified immediately because a well-trained member of staff had spotted the potential for breach or damage due to data being overwritten.

People can make your defences stronger, or weaker. It’s a matter of augmenting IT investments with a broader programme of training to make your workforce fully cyber aware.
