{"id":15114,"date":"2019-08-05T00:00:00","date_gmt":"2019-08-04T23:00:00","guid":{"rendered":"https:\/\/identifi-global.eu.applyflow.com\/key-cybersecurity-threats-in-the-saas-industry\/"},"modified":"2022-12-09T06:15:33","modified_gmt":"2022-12-09T06:15:33","slug":"key-cybersecurity-threats-in-the-saas-industry","status":"publish","type":"post","link":"https:\/\/www.identifiglobal.com\/news\/key-cybersecurity-threats-in-the-saas-industry\/","title":{"rendered":"Key cybersecurity threats in the SaaS industry"},"content":{"rendered":"<p style=\"text-align: center\">\n\t<img decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-01.cms-eu-v2i.applyflow.com\/identifi-global\/wp-content\/uploads\/2022\/03\/CybersecuritySaaS.jpg\" style=\"width: 600px; height: 400px\"><\/p>\n<p>\n\tGoogle, Adobe, Slack, Mailchimp. Many of today\u2019s most successful businesses &#8211; on the web, and, actually, overall &#8211; are Software as a Service (SaaS). It\u2019s the default software distribution model for the cloud computing age &#8211; applications hosted on remote servers and delivered via the internet to users.<\/p>\n<p>\n\tThey have the advantage of being accessible anywhere with a web connection, usable across multiple devices and being easy to update. They also require less local storage space and customers can quickly scale their licences up or down according to their needs.<\/p>\n<div>\n\tBecause of this flexibility, scalability and cost-efficiency, IT teams are shifting their applications to the cloud wherever possible. In fact, the 2019 SaaS Trends Report found that spending on SaaS licenses increased by 87% last year, and that companies now spend more on SaaS products than they do on laptops.&nbsp;<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tBut SaaS and cloud computing have one major issue &#8211; security. Concerns around security are the number one barrier to cloud adoption. 
And 92% of C-suite respondents to one survey said they felt customer data stored in the cloud was vulnerable to attack.&nbsp;<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tWhy are SaaS companies at risk?<\/h2>\n<div>\n\tSaaS is and has been growing rapidly and, in the grand scheme of things, is a relatively new market. In some ways, this is an advantage. SaaS companies are able to iterate and improve products faster than traditional competitors. On the one hand, this is because they are smaller and more nimble. On the other, because newly-deployed features can be distributed to users in an instant via the cloud.&nbsp;<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tHowever, this immaturity can become a disadvantage when it comes to cybersecurity, in two ways. First, for SaaS businesses themselves. Second, for their customers.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tThe SaaS growth model often mirrors the startup growth model &#8211; disrupt an existing industry, scale up as quickly as possible then go public or be acquired. This focus on rapid growth means that SaaS businesses are often more interested in growing their user base than securing their users\u2019 data. In fact, information security is often seen as an impediment to growth and innovation. This is particularly true in a SaaS and startup context, where timeliness and innovation are critical success factors. If you\u2019ve created a product you think will change the world, the last thing you want to do is keep it under wraps for six months while you check the code is secure.&nbsp;<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tThe SaaS model relies on scale. Plus, SaaS businesses collect and store customer data to improve their product, strengthen customer relationships and receive payment. 
Which means that SaaS companies store a lot of customer data, including Personally Identifiable Information and payment credentials, both of which are the holy grail for hackers.&nbsp;<\/div>\n<div>\n\t&nbsp;<\/div>\n<h4 style=\"text-align: center\">\n\t<strong>&#8220;Hackers weigh up targets on a risk vs. reward basis.&#8221;<\/strong><\/h4>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tHackers weigh up targets on a risk vs. reward basis. The lower the risk and the greater the reward, the more likely they are to probe an organisation\u2019s defences. As discussed, SaaS companies are often relatively new to the market, can be built on insecure code and house a lot of customer data &#8211; all of which make them an attractive proposition to threat actors.&nbsp;<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tAnd as if this wasn\u2019t enough, SaaS companies have another risk factor to contend with. Users.&nbsp;<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tFundamental security issues such as identity and access management are yet to be ironed out in a SaaS context. End-users who rely on multiple cloud applications to do their job may end up with multiple sets of login credentials for different platforms. Or worse still, they may use the same login details for every platform. Both of these increase the risk of a breach occurring.&nbsp;<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tThe ability of cloud services to be accessed on any device leaves SaaS users open to increased device risks. Being able to log in to a business-critical application on your home laptop is helpful if you need to check something over the weekend but disastrous if that laptop is full of malware. Similarly, cloud applications that can be accessed over any network can give users greater flexibility, but the cost of convenience is, almost always, reduced security.&nbsp;<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tUser-related risk is problematic for SaaS companies. 
Platforms may choose to provide robust security measures such as two-factor authentication. But it\u2019s up to users whether they use it. A SaaS platform can do their utmost to secure users\u2019 data, but lax security on the part of their customers can result in a breach via the platform. And while the SaaS company may have done everything they could to prevent this, they may still suffer reputational damage as a result.<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tWhat should SaaS companies do?<\/h2>\n<div>\n\tAs a minimum, SaaS businesses should operate according to established information security frameworks such as ISO 27001. The Open Web Application Security Project (OWASP) has also published a list of The Ten Most Critical Web Application Security Risks that all development teams who are building applications for SaaS delivery should mitigate against. These steps won\u2019t ensure total security but they will establish acceptable standards of internal and customer-facing cybersecurity.&nbsp;<\/div>\n<div>\n\t&nbsp;<\/div>\n<h4 style=\"text-align: center\">\n\t<strong>&#8220;If no one is singularly accountable for cybersecurity, it will become an after-thought.&#8221;<\/strong><\/h4>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tThe steps above will require businesses to hire staff that are capable of defining and implementing robust information security policies. If no one is singularly accountable for cybersecurity, it will become an after-thought. This, for reasons already discussed, would leave the business open to risk, particularly as it grows. A poorly secured business with 250 users is hardly worth a hacker\u2019s time. A poorly secured business with 25,000 users will be.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tIn-house security teams should work with customer-facing teams to produce and share information security guidelines. This will help users avoid causing a breach via the platform, but will also limit the platform\u2019s liability if one occurs. 
SaaS companies should provide details of their own cybersecurity processes for current and potential users. This will reassure users that their data is safe in your cloud environment. The kinds of questions customers might ask are:<\/div>\n<div>\n\t&nbsp;<\/div>\n<ul>\n<li>\n\t\tWhere is my data stored?<\/li>\n<li>\n\t\tWhat firewalls do you use?<\/li>\n<li>\n\t\tWhat is your data loss prevention strategy?<\/li>\n<li>\n\t\tHow often do you scan for vulnerabilities?<\/li>\n<li>\n\t\tWhat\u2019s your policy for detecting and preventing network intrusion?<\/li>\n<\/ul>\n<div>\n\t&nbsp;<\/div>\n<div>\n\t<strong><a href=\"https:\/\/www.computerworld.com\/article\/3268778\/saas-security-beyond-the-app.html\">You can find more advice on common questions SaaS customers ask here.&nbsp;<\/a><\/strong><\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tIf you\u2019re a cybersecurity professional looking to move into the SaaS world, click <a href=\"https:\/\/www.identifiglobal.com\/advancedsearch.aspx?search=1\">here to browse our current vacancies.<\/a> And if you\u2019re a SaaS business who wants to hire top information security talent, feel free to <a href=\"https:\/\/www.identifiglobal.com\/contact-us\">get in touch.<\/a><\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\t&nbsp;<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Google, Adobe, Slack, Mailchimp. Many of today\u2019s most successful businesses &#8211; on the web, and, actually, overall &#8211; are Software as a Service (SaaS). It\u2019s the default software distribution model for the cloud computing age &#8211; applications hosted on remote servers and delivered via the internet to users. 
They have the advantage of being accessible&hellip;&nbsp;<a href=\"https:\/\/www.identifiglobal.com\/news\/key-cybersecurity-threats-in-the-saas-industry\/\" class=\"\" rel=\"bookmark\">Read More &raquo;<span class=\"screen-reader-text\">Key cybersecurity threats in the SaaS industry<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":14248,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[39],"tags":[],"class_list":["post-15114","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-industry-news-trends"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/posts\/15114","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/comments?post=15114"}],"version-history":[{"count":0,"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/posts\/15114\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/media\/14248"}],"wp:attachment":[{"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/media?parent=15114"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/categories?post=15114"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/
\/www.identifiglobal.com\/af-api\/wp\/v2\/tags?post=15114"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}