Patrick Shaw’s Weblog

Salesforce Security Update

Salesforce has recently provided additional security features that you should know about for two reasons:

• Their already excellent security just got better
• You might need to update the manner in which you login, especially if you are away from your office.

Here’s the scoop:

Salesforce already has a terrific security setup. In fact - it’s at least as secure as typical VPN (virtual private network) connection. That means that when you login to Salesforce, your information is encrypted, so that others can’t see or manipulate it. Still - anytime you are using a tool that exists outside of the physical location of your own desktop or server, you have a different set of security requirements to consider.

For instance - if you wish to login to Salesforce from a public place such as the library or the local coffee shop, and you are using a wireless connection - someone may try to “sniff” the wireless information that moves from your machine over the air. And - if you have an easy to guess password, or have shared it with others - that’s a risk, too. Salesforce isn’t alone in this regard - Hotmail, Google, eTapestry and any other software that is provided to you over the internet has the same exposure.

To strengthen their system, Salesforce is implementing an additional layer of security. They will analyze the internet address that you generally use to login to Salesforce (usually your office, or perhaps your house if you frequently work from home) and they’ll add that to a “safe” list in your Salesforce account. For many users - you won’t notice a change!

However, if you login from a new place - Salesforce will want to confirm your identity to make sure that it is really you. You’ll only have to do this once from each new location. When you try to login, you’ll see an error message which will include a “Send Activation” link. When you click on that, you’ll receive an email with a new link - and you can copy and paste that into your web browser and login as usual. Of course, this assumes that you can access your email remotely; if you can’t, you may want read about how to request a “security token” that you can take with you from the office, allowing you to log in remotely.

Salesforce has also made it easy for you to add to the list of safe places - this is especially handy for those who frequently work from home, or for any agency that has an internet address that changes regularly.

Finally - if your Salesforce account is automatically sending information to your website - you’ll need to address that, too. NPower Seattle can help in a pair of different ways - and we’ll make sure that your website and database continue to “talk” to each other. Remember - your website is really a Salesforce user, too!

There are a few additional technical details and lots of information available from Salesforce. Here’s a quick list:

• Note about new security feature
• Webinar about how to login
• Information for Salesforce Administrators (near the bottom of the page).

Ah - an open ended question that has a series of nuanced answers - so here we go!

• Yes. You can review their security and privacy statements to see what they are saying.
• Yes . . . but. A nice article from E-Week about Salesforce security, as well as how to evaluate similar tools.
• Yes . . . And Salesforce does some self reporting - you can read what their alerts say about phishing.
• Yes . . . but the broader community has some suggestions for next steps, while they welcome Salesforce to the big time target pool, just like eBay and PayPal and a few others. Read what zdnet has to say.
• Not as secure as the server you have under lock and key that isn’t available over the internet!

So What Now?

1. Salesforce, Convio, eTapestry, SharePoint, your email client and any other hosted solution means you have a security risk. You can alleviate that risk by changing your passwords regularly, by using strong passwords, by limiting access based on the IP address of the computer/originating network, and by making sure that your user name and password aren’t on a sticky note on your computer monitor!
2. And don’t forget to asess your risk level frequently. Remember: a risk and the likelihood of that risk being exploited can be different - and can change over time!

Surveys are ubiquitous - in magazines, newspapers, online, on Facebook and via email. And survey tools are affordable, too. As many nonprofits move more and more towards qualitative analysis - having a good resource for designing and wording your survey is crucial - and here’s a great start. Arthur Prokosch at Third Sector New England has written a terrific article - you should read and take to heart!

Not on Facebook. That’s right - their terms of service indicate that those pictures, those blog postings and pretty much all else can be used without your consent. My colleague Jon Stahl has a great post about this - and I’d bet that most of us don’t take the time to read those lengthy terms of service guidelines when they pop up on our screen.

I don’t know about the other social networking services - but if you regularly post important content, pictures, and so on - even if you are using a Creative Commons license - you ought to check to see if your service provider trumps your ownership rights.

We’ve been helping nonprofits implement Salesforce for more than a year now - and I continue to be thrilled at the power of the tool and how it can help nonprofits better reach their goals.

I’m also continually learning how the power of Salesforce also represents a fundamental shift for many agencies - from having a tool that was useful for reporting, to a tool that gets used everyday to further your goals.

Here’s where we’re finding that Salesforce can be very different than other tools already in play:

Every contact in your database represents an opportunity for deeper participation, whether that means volunteering, donating, or participating in events. Better still - once a contact has actually participated - your agency should immediately consider them a new opportunity for a deeper relationship.

I know that when I was raising money for a living, our tools didn’t let us do that. Oh, I knew how much we’d earned from our Holiday appeal letter - but the tools we were using didn’t let me look at EACH INDIVIDUAL GIVER and consider how likely it was that they would support our mission again this year. Salesforce lets you do that.

Even better - it creates an accurate pipeline report, based on the criteria you decide. For instance - if I gave last year, but haven’t been asked this year - well - it’ s not very likely you’ll get a gift from me. But if you’ve sent me snail mail, an email, invited me to coffee or an event and so on - then you can reasonably expect that I’m engaged - so the likelihood of getting that gift from me goes up accordingly.

What this really means is that you can have a plan for every person you expect to support you - and you track that in Salesforce. Salesforce won’t do the hard work, mind you - you still have to make that call, send that letter, create that individual plan. And it won’t do the data entry either - you’ll have to make a note that you me with me and asked for a gift, too!

When I was fundraising for a living - I dreamed about a tool that would let me do this - and Salesforce just might be the tool that lets you head in this active direction. It isn’t perfect, and it isn’t right for all - but it is working for many.

If you’ve ever had to (or wanted to!) manage a project - technology or otherwise - you’ve probably had to figure out if you needed a Project tool, a Task planning tool, a Bug or Issue tracking tool and so on.

Well - our friends at Idealware have written a nice synopsis which can help - it’s a short read, with great information, and links to a lot of tools that might help!

The team at Microsoft sends out an occasional set of tips from their Office Live team - and this one is great  -5 website mistakes to avoid. I heartily agree with all of them. You should read the article in it’s entirety (4 minutes or less, promise) but here are the key takeaways:

• Avoid confusing site structure (the three click rule).
• Avoid a huge menu - you’ll make it too hard for your visitors. (This is harder than it sounds - the simplest looking sites often require the most planning).
• Avoid jargon. Gulp - this can be hard in our business, where every nonprofit can be turned into an acronym, and technology terms abound - but - they’re right - avoid those jargon words!
• Deliver on what you promise. This is really about key messaging, and making your call to action clear. Can your visitors find your address and phone number and email address quickly? If not - you may have lost a potential donor, client, stakeholder!
• Create that call to action. A targeted message is important. Do you want them to register for a class? Read your annual report? Attend an auction? If you want them to do all THREE - well - that might be challenging. Start by figuring out exactly what you want them to do, and drive home that message.

These tips might sound like common sense, and may sound easy to implement. But if you have a complicated service delivery, or multiple audiences - you’ll have to work hard to avoid these mistakes!