Top SaaS Security Concerns for Startups
In a world where technology keeps innovating and automation is a large part of success, the benefits of using multiple SaaS (Software as a Service) products are substantial. They range from subscription-focused tools such as Profitwell, which works to reduce churn and reports monthly revenue per user, to team communication products such as Slack, which let internal and external communication and automation run in step.
When choosing SaaS platforms, a large part of the decision should be their security posture, their recovery policies, and their overall cyber security practices. Data from LogicMonitor shows that 66% of IT professionals say security is their greatest concern in adopting a cloud computing strategy.
SaaS Risk Profile: Startups
Early in a startup’s life, which SaaS products are used, and how, changes regularly as business needs and use cases change.
The risk profile of that SaaS use therefore changes just as regularly. This is part of the process, and it means the assessment has to be repeated each time the toolset changes rather than done once.
Understanding the Potential Issues
The potential issues depend on the type of data you will be importing and on the specific software involved, and that determines the level of risk understanding you need. For example, a company processing special categories of personal data, as defined by the GDPR, must consider different aspects of cyber security than a company simply using a tool to store employees’ holiday dates.
The following points are key to understanding this:
- What compliance and data security certifications do they hold? Comparing these between providers will help you understand the different types of compliance and what you need to do to maintain them. It can be worth consulting a cyber security specialist to understand what you need for the types of data processing you carry out.
- Understand their service and support levels. If there were a data breach, how would the provider cope, what could they do to help you, and does the contract commit them to notifying you within a defined time?
- Can you set access at the user level, or is access granted differently? Letting your team use the system without seeing data they have no need for is incredibly important. Can your SaaS provider offer this, for example through roles or per-user permissions, and can you review who holds which permissions?
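As an added illustration of the user-level access question above (this is not code from the original article, nor any vendor’s API), the following Python models a deny-by-default, role-based permission check plus a least-privilege review that lists rights a user holds but has never exercised. The roles, users and access log are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]  # (resource, action)

# Hypothetical role definitions for a small startup's SaaS tenant. Only what is
# listed is granted; every other (resource, action) pair is denied by default.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "support": {("tickets", "read"), ("tickets", "write"), ("customers", "read")},
    "finance": {("invoices", "read"), ("invoices", "write"), ("customers", "read")},
    "hr": {("holiday_dates", "read"), ("holiday_dates", "write")},
    "admin": {("users", "read"), ("users", "write"), ("audit_log", "read")},
}


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)


def granted(user: User) -> Set[Permission]:
    """Union of permissions across the user's roles. Unknown roles grant nothing."""
    perms: Set[Permission] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user: User, resource: str, action: str) -> bool:
    """Deny-by-default check: True only if some role explicitly grants the pair."""
    return (resource, action) in granted(user)


def unused_permissions(user: User, access_log: List[Tuple[str, str, str]]) -> Set[Permission]:
    """Least-privilege review: permissions the user holds but never used in the
    access log, given as (user_name, resource, action) tuples. Candidates to revoke."""
    used = {(res, act) for who, res, act in access_log if who == user.name}
    return granted(user) - used


# Constructed sample data, not taken from any real system.
ALICE = User("alice", {"support"})
BOB = User("bob", {"finance"})
CAROL = User("carol", {"contractor"})  # role never defined, so no access at all
ACCESS_LOG = [
    ("alice", "tickets", "read"),
    ("alice", "tickets", "write"),
    ("alice", "customers", "read"),
    ("bob", "invoices", "read"),
]

if __name__ == "__main__":
    print(is_allowed(ALICE, "tickets", "read"))       # support may read tickets
    print(is_allowed(ALICE, "invoices", "read"))      # support never sees billing
    print(is_allowed(CAROL, "tickets", "read"))       # undefined role grants nothing
    print(sorted(unused_permissions(BOB, ACCESS_LOG)))  # finance rights Bob never used
```

The review function is the part worth copying: a provider that only gives you an all-or-nothing admin role cannot answer it, and that is the point of asking the question before you sign.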
Mitigation and Prevention of Security Issues in SaaS
Once you have selected a SaaS provider, it is important to create a cloud management strategy or similar. This should not only set out how to use the software securely but also cover how, and whom, to alert when there is an issue, and the security recovery process.
Another part of prevention with SaaS is user training and understanding. Gartner predicts that “through 2025, 99% of cloud failures will be the customer’s fault.” If the issue predominantly lies with end users, then education and training at the business end is where the focus should be.
Education should cover:
- Ownership and responsibility. As well as encouraging people to take ownership of certain parts of the data, a clear hierarchy of responsibility for data must be implemented so that oversight of issues is compliant and audited regularly.
- Correct cloud usage. If the SaaS platform includes data storage, then best practice for data upload and correct file naming conventions must be included, both to comply with legal requirements and to ensure the correctness of the data involved.
When the ICO questions you after you report a breach, the fourth question they ask is “When did the person involved in the breach last receive any form of cyber security training?” Education as a form of prevention, creating your human firewall, is paramount to the success and security of your SaaS choice.
Vendor Selection and Risk Profiling
Vendor selection processes in SaaS are often lengthy and highly competitive. The decision of who will handle and assist in a variety of your business processes is not an easy choice.
It is important to consider who will have access to your data and who controls the server-side components, among other questions; these concerns are often a barrier for people first switching to SaaS.
There are, however, measures you can take to overcome the initial barriers and begin your cloud migration.
Most SaaS providers have a service status page, where you can see updates on availability, when the system last went down, and more. A good example is the Google Cloud status page.
A SaaS provider should offer something like this, as it helps you tell whether an issue is down to human error on your side or to the service itself. While this is not directly a cyber security matter, when things go wrong it is important to be able to quickly assess and remedy the issue.
If your first-choice SaaS is about to be bought by a large provider, it is worth asking how this could affect you.
For example, if they currently use EU data centres but will be moving to US-based ones, how would that affect the service you provide to your clients, and your data compliance?
Data Retention and Data Deletion Policies
Data protection law now requires you to state, and be able to carry out, the erasure of a customer from your records, including from any third parties on which you have stored their data. If a vendor cannot do this, it could cause problems for you further down the line.
It is therefore important to select a vendor that can provide this, or better still integrate it with your own data retention and deletion policies, since some records (invoices, for instance) may have to be kept for a legally mandated period before they can be erased.
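To show how a vendor’s deletion capability ties into your own retention policy, here is an added Python example (not from the original article, and not any real vendor’s API): an erasure planner that, for one customer, decides which records can be deleted now, which must be held until a retention period expires, and which sit in a system that offers no deletion path at all. The systems, retention periods and records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class System:
    name: str
    supports_deletion: bool  # does the vendor give you any way to erase a record?
    retain_days: int = 0     # legal/contractual minimum retention; 0 means none


@dataclass(frozen=True)
class Record:
    system: str
    category: str
    created: date


@dataclass
class ErasurePlan:
    delete_now: List[Record]
    delete_on: List[Tuple[Record, date]]  # held under a retention obligation until this date
    blocked: List[Record]                 # vendor offers no deletion path; escalate to vendor


def plan_erasure(records: List[Record], systems: Dict[str, System], today: date) -> ErasurePlan:
    """Decide, per record, whether it can be erased now, later, or not at all."""
    plan = ErasurePlan([], [], [])
    for rec in records:
        if rec.system not in systems:
            # An unknown system means the data inventory is incomplete. Fail loudly
            # rather than silently skipping data you are obliged to erase.
            raise KeyError(f"record held in uninventoried system: {rec.system}")
        info = systems[rec.system]
        if not info.supports_deletion:
            plan.blocked.append(rec)
            continue
        release = rec.created + timedelta(days=info.retain_days)
        if release <= today:
            plan.delete_now.append(rec)
        else:
            plan.delete_on.append((rec, release))
    return plan


def can_fulfil(plan: ErasurePlan) -> bool:
    """True only if every record has a deletion path, whether now or scheduled."""
    return not plan.blocked


# Constructed inventory: names, retention periods and records are assumptions for the example.
SYSTEMS = {
    "crm": System("crm", supports_deletion=True),
    # Assumed 6-year retention for financial records; check the rule that applies to you.
    "billing": System("billing", supports_deletion=True, retain_days=6 * 365),
    "analytics": System("analytics", supports_deletion=False),  # vendor has no erasure feature
}
CUSTOMER_RECORDS = [
    Record("crm", "contact", date(2023, 1, 10)),
    Record("billing", "invoice", date(2023, 3, 1)),
    Record("analytics", "usage_event", date(2023, 5, 20)),
]
TODAY = date(2024, 6, 1)  # fixed "today" so the example is reproducible

if __name__ == "__main__":
    plan = plan_erasure(CUSTOMER_RECORDS, SYSTEMS, TODAY)
    print("delete now:", [r.system for r in plan.delete_now])
    print("scheduled:", [(r.system, d.isoformat()) for r, d in plan.delete_on])
    print("blocked:", [r.system for r in plan.blocked])
    print("can fulfil request:", can_fulfil(plan))
```

The blocked list is the vendor-selection signal: if a request cannot be fulfilled because a system has no deletion path, that is discovered during evaluation rather than when a customer exercises their rights.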
Learn their Product Update Lifecycle
Some SaaS companies, especially in their early days, may rush product updates to satisfy customer needs or to quick-fix issues.
While this is not necessarily a bad thing, it is also important to understand their patch releases and security releases alongside it. If for every feature update they release they have to follow up with three patch releases, that should raise a red flag for you.
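The “three patches per update” rule of thumb above can be checked against a vendor’s release history. The following is an added Python example, not from the original article: it groups semver tags into feature lines (an x.y.0 release plus its x.y.n patches), counts patches and security patches per line, measures days to the first patch, and flags lines that meet the threshold. The tags, dates and security markers are constructed; a real run would feed in the vendor’s changelog or release tags instead.

```python
import re
from collections import defaultdict
from datetime import date
from typing import Dict, List, Tuple

SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(tag: str) -> Tuple[int, int, int]:
    """Strict major.minor.patch parse; anything else is rejected rather than guessed."""
    m = SEMVER.match(tag)
    if not m:
        raise ValueError(f"not a semver tag: {tag}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def summarise_lines(releases: List[Tuple[str, date, bool]], threshold: int = 3) -> Dict[Tuple[int, int], dict]:
    """Group releases into feature lines keyed by (major, minor).

    releases: (tag, release_date, is_security_fix) tuples in any order.
    A line is reported only if its x.y.0 release is present; stray patches for a
    line whose feature release predates the data are skipped rather than guessed.
    """
    lines = defaultdict(lambda: {"released": None, "patches": []})
    for tag, when, security in releases:
        major, minor, patch = parse_version(tag)
        entry = lines[(major, minor)]
        if patch == 0:
            entry["released"] = when
        else:
            entry["patches"].append((when, security))

    summary: Dict[Tuple[int, int], dict] = {}
    for key in sorted(lines):
        entry = lines[key]
        if entry["released"] is None:
            continue
        patches = sorted(entry["patches"])
        first_patch = (patches[0][0] - entry["released"]).days if patches else None
        summary[key] = {
            "patches": len(patches),
            "security_patches": sum(1 for _, sec in patches if sec),
            "days_to_first_patch": first_patch,
            "red_flag": len(patches) >= threshold,
        }
    return summary


def patch_ratio(summary: Dict[Tuple[int, int], dict]) -> float:
    """Patches per feature release across all lines (the article's rule of thumb)."""
    feature_releases = len(summary)
    if feature_releases == 0:
        return 0.0
    return sum(v["patches"] for v in summary.values()) / feature_releases


def flagged_lines(summary: Dict[Tuple[int, int], dict]) -> List[Tuple[int, int]]:
    return [key for key, v in summary.items() if v["red_flag"]]


# Constructed release history for a hypothetical vendor; not real data.
RELEASES = [
    ("v1.3.7", date(2024, 1, 2), False),   # patch for a line whose 1.3.0 is outside the data
    ("v1.4.0", date(2024, 1, 5), False),
    ("v1.4.1", date(2024, 1, 8), True),    # security fix three days after the feature release
    ("v1.4.2", date(2024, 1, 15), False),
    ("v1.4.3", date(2024, 1, 22), False),
    ("v1.5.0", date(2024, 2, 1), False),
    ("v1.5.1", date(2024, 2, 20), True),
    ("v1.6.0", date(2024, 3, 1), False),
]

if __name__ == "__main__":
    summary = summarise_lines(RELEASES)
    for line, stats in summary.items():
        print(f"{line[0]}.{line[1]}: {stats}")
    print("patches per feature release:", round(patch_ratio(summary), 2))
    print("red-flag lines:", flagged_lines(summary))
```

Days to first patch matters as much as the count: a security fix landing three days after a feature release says something about both the vendor’s testing and how quickly they ship fixes once a problem is known, and those are separate questions to ask them.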
SaaS products are excellent for streamlining your processes, automating work, and building scalable businesses that can adapt. With a few questions and investigations, you can work out which is right for you, your data, and your security concerns.