Google, Adobe, Slack, Mailchimp. Many of today’s most successful businesses, on the web and beyond, are Software as a Service (SaaS). It’s the default software distribution model for the cloud computing age: applications hosted on remote servers and delivered over the internet to users.
They have the advantage of being accessible anywhere with a web connection, usable across multiple devices and being easy to update. They also require less local storage space and customers can quickly scale their licences up or down according to their needs.
Because of this flexibility, scalability and cost-efficiency, IT teams are shifting their applications to the cloud wherever possible. In fact, the 2019 SaaS Trends Report found that spending on SaaS licenses increased by 87% last year, and that companies now spend more on SaaS products than they do on laptops.
But SaaS and cloud computing have one major issue – security. Concerns around security are the number one barrier to cloud adoption. And 92% of C-suite respondents to one survey said they felt customer data stored in the cloud was vulnerable to attack.
Why are SaaS companies at risk?
SaaS has been growing rapidly and, in the grand scheme of things, is still a relatively new market. In some ways, this is an advantage. SaaS companies are able to iterate and improve products faster than traditional competitors. On the one hand, this is because they are smaller and more nimble. On the other, because newly-deployed features can be distributed to every user in an instant via the cloud.
However, this immaturity can become a disadvantage when it comes to cybersecurity, in two ways. First, for SaaS businesses themselves. Second, for their customers.
The SaaS growth model often mirrors the startup growth model – disrupt an existing industry, scale up as quickly as possible then go public or be acquired. This focus on rapid growth means that SaaS businesses are often more interested in growing their user base than securing their users’ data. In fact, information security is often seen as an impediment to growth and innovation. This is particularly true in a SaaS and startup context, where timeliness and innovation are critical success factors. If you’ve created a product you think will change the world, the last thing you want to do is keep it under wraps for six months while you check the code is secure.
The SaaS model relies on scale. Plus, SaaS businesses collect and store customer data to improve their product, strengthen customer relationships and receive payment. Which means that SaaS companies store a lot of customer data, including Personally Identifiable Information and payment credentials, both of which are the holy grail for hackers.
“Hackers weigh up targets on a risk vs. reward basis.”
Hackers weigh up targets on a risk vs. reward basis. The lower the risk and the greater the reward, the more likely they are to probe an organisation’s defences. As discussed, SaaS companies are often relatively new to the market, can be built on insecure code and house a lot of customer data – all of which make them an attractive proposition to threat actors.
And as if this wasn’t enough, SaaS companies have another risk factor to contend with. Users.
Fundamental controls such as identity and access management are still immature in a SaaS context. End-users who rely on multiple cloud applications to do their job may end up with a separate set of login credentials for each platform. Or, worse still, they may reuse the same credentials on every platform, so that a breach of one service hands an attacker valid logins for all the others. Both of these increase the risk of a breach occurring.
The ability of cloud services to be accessed on any device leaves SaaS users open to increased device risks. Being able to log in to a business-critical application on your home laptop is helpful if you need to check something over the weekend but disastrous if that laptop is full of malware. Similarly, cloud applications that can be accessed over any network can give users greater flexibility, but the cost of convenience is, almost always, reduced security.
User-related risk is problematic for SaaS companies. Platforms may choose to provide robust security measures such as two-factor authentication. But where it is offered as an option, it’s up to users whether they turn it on, and many won’t unless the platform lets a customer’s administrators make it mandatory for their organisation. A SaaS platform can do its utmost to secure users’ data, but lax security on the part of its customers can still result in a breach via the platform. And while the SaaS company may have done everything it could to prevent this, it may still suffer reputational damage as a result.
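The following is an added example written for this article, not code from any product or vendor mentioned on the page. It implements RFC 6238 time-based one-time passwords (HMAC-SHA1, 30-second steps, 6 digits) and a login gate that lets a customer’s administrators make the second factor mandatory for their whole organisation rather than leaving the choice to each individual user. The Org, User and login names are hypothetical; the one-step drift window and the replay guard (a code is accepted only once) are design choices; the secret is the RFC’s published reference test key, used here so the expected codes are known.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length shown to the user
DRIFT_WINDOW = 1    # accept codes one step either side of "now" to tolerate clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def match_totp(secret: bytes, code: str, at: int, window: int = DRIFT_WINDOW) -> Optional[int]:
    """Return the time-step counter that produced `code`, or None if no step within
    +/- `window` matches. compare_digest keeps the comparison constant-time so the
    server does not leak how many digits were right."""
    current = at // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


@dataclass
class Org:
    name: str
    require_mfa: bool                      # hypothetical policy flag set by the customer's own admins


@dataclass
class User:
    email: str
    org: Org
    totp_secret: Optional[bytes] = None    # None = the user never enrolled a second factor
    last_totp_counter: int = -1            # highest counter already accepted (replay guard)


def login(user: User, password_ok: bool, code: Optional[str], now: int) -> Tuple[bool, str]:
    """Second-factor policy gate. Returns (allowed, reason)."""
    if not password_ok:
        return False, "invalid password"
    if user.totp_secret is None:
        if user.org.require_mfa:
            # Enforced at the organisation level: an unenrolled user cannot simply opt out.
            return False, "organisation policy requires 2FA enrolment"
        return True, "password only (2FA optional for this organisation)"
    if code is None:
        return False, "2FA code required"
    counter = match_totp(user.totp_secret, code, now)
    if counter is None:
        return False, "invalid 2FA code"
    if counter <= user.last_totp_counter:
        # A phished or shoulder-surfed code is useless once it has been spent.
        return False, "2FA code already used"
    user.last_totp_counter = counter
    return True, "password + 2FA"


if __name__ == "__main__":
    # RFC 6238 reference secret; a real deployment generates a random per-user secret.
    secret = b"12345678901234567890"
    acme = Org("acme", require_mfa=True)
    alice = User("alice@acme.example", acme, totp_secret=secret)
    bob = User("bob@acme.example", acme)          # never enrolled
    now = 1_700_000_000
    print(login(alice, True, totp(secret, now), now))   # accepted
    print(login(alice, True, totp(secret, now), now))   # same code again: replay rejected
    print(login(bob, True, None, now))                  # blocked by org policy
```

The org-level flag is the part that addresses the paragraph above: offering 2FA is not the same as making sure it is used, and a tenant administrator, not each end-user, is the right party to decide that. The replay check and the constant-time comparison are the two details most often missed in home-grown verifiers.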
What should SaaS companies do?
As a minimum, SaaS businesses should operate according to established information security frameworks such as ISO 27001. The Open Web Application Security Project (OWASP) also publishes the OWASP Top Ten, a list of the ten most critical web application security risks, which every development team building applications for SaaS delivery should mitigate. These steps won’t ensure total security, but they will establish acceptable standards of internal and customer-facing cybersecurity.
“If no one is singularly accountable for cybersecurity, it will become an after-thought.”
The steps above will require businesses to hire staff who are capable of defining and implementing robust information security policies. If no one is singularly accountable for cybersecurity, it will become an after-thought. This, for the reasons already discussed, would leave the business open to risk, particularly as it grows. A poorly secured business with 250 users may attract little targeted attention from attackers. A poorly secured business with 25,000 users will.
In-house security teams should work with customer-facing teams to produce and share information security guidelines. This will help users avoid causing a breach via the platform, but will also limit the platform’s liability if one occurs. SaaS companies should provide details of their own cybersecurity processes for current and potential users. This will reassure users that their data is safe in your cloud environment. The kinds of questions customers might ask are:
Where is my data stored?
What firewalls do you use?
What is your data loss prevention strategy?
How often do you scan for vulnerabilities?
What’s your policy for detecting and preventing network intrusion?
If you’re a cybersecurity professional looking to move into the SaaS world, click here to browse our current vacancies. And if you’re a SaaS business who wants to hire top information security talent, feel free to get in touch.