How SaaS sellers should think about the risks introduced with the rapid adoption of SaaS applications
Over the last few years, SaaS apps have become an integral part of the way businesses are run.
This reliance on apps looks here to stay, with research by BetterCloud showing that the average company now uses 80 SaaS apps.
While great for productivity and collaboration, more apps means more security risks for businesses and their customers. This increased risk means that IT professionals and executives are having to think about SaaS security much more carefully. So much so that security is now second only to cost among the most important factors for IT specialists when buying SaaS apps.
For SaaS sellers, battling an ever more competitive landscape, it means that putting robust security in place is more important than ever.
Why is that and what can you do to level up security in your SaaS business?
Why SaaS sellers should be making security priority #1
Security issues can happen in a number of ways. Sometimes it’s a malicious attack in an attempt to get at your data, other times someone clicks on a link in a phishing email or leaves their laptop on a train.
However an incident occurs, a breach in security can impact your business’ operations and revenue in a number of ways.
- Brand reputation - Security issues can be detrimental to your brand. The damage caused to your reputation can mean that customers and prospects lose trust in your business and turn to your competition. The effect of this on your business is increased customer acquisition costs (you’ll have to work harder to win customers) and churn (losing existing customers). Social media, the press, forums, review sites and word of mouth make it almost impossible for your brand to get away unscathed - and even after the incident, these comments will remain on these sites and available for future prospects to see.
- Penalties and fines - Security issues will likely see your business incur direct costs in the form of penalties and fines from regulators. Taking the General Data Protection Regulation (GDPR) as an example - any infringements can see businesses hit with fines of up to €20m or 4% of annual global turnover (whichever is greater).
- Complex business operations - More apps means more complex business operations. Without a robust security infrastructure in place, you risk time from your Engineering, InfoSec and IT teams being taken up with operational work rather than execution of other core projects and objectives.
4 steps to increasing security in your business
Here are some of the steps you can take to protect your own business and reassure your customers that you have robust security measures in place.
1. Vet your suppliers thoroughly
When you think about risk, it’s important to think of it from the perspective of your business as well as your customers. You’re a SaaS buyer too. When considering which third-party suppliers to use, check that the service offered has security by design throughout. This includes:
- Evaluating the implementation process.
- Understanding what data the supplier will have access to, how they will access it, and how it will be stored.
- Identifying which security controls you will be relying on from the supplier, and how you can verify that they have appropriate controls in place.
2. Use a Defense in Depth (DiD) approach
A DiD approach ensures that your information security covers more bases to effectively mitigate risk. This approach builds layers of controls throughout the environment and supports the information security elements that ensure confidentiality, integrity and availability of data.
Examples of this include:
- Network segmentation - architectural approach to splitting up a network into subsections, allowing the network administrators to control data flow between segments, improving visibility through monitoring of communication between segments and reducing the risk of faults or issues impacting the entire network.
- Role-based access to apps - access to apps and data is assigned only to those who need it to successfully perform their role. Each role is given the least access required to fulfil its tasks, and access is reviewed periodically.
3. Secure who has access to your product
Protect your customers and your business by making sure you know exactly who has access to each system or piece of software you use and what that user behavior should be. This way, you are making it easier for your administrators and security teams to know what good looks like and work to identify anomalies.
Providing a baseline for how a system should behave and the workflows it must support gives your administrators confidence that the controls they are implementing are effective without impacting the intended functionality.
Here, you can start with some simple measures like unique user accounts. You can ensure passwords are complex and that user accounts support role-based permissions. Enabling multi-factor authentication (MFA) adds another layer of security to your login process: it blocks unauthorized users who have obtained only a password, and greatly reduces the chance that attacks such as credential stuffing succeed.
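The two ideas in this step, knowing what normal login behaviour looks like so anomalies stand out, and MFA removing the payoff from credential stuffing, can be made concrete with a small detector. This is an added example, not code from the article or from Paddle; the log format, IP addresses and account names are constructed, and the thresholds are assumptions you would tune to your own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample events (hypothetical format, not from the article): timestamp, source IP, account, outcome, MFA step.
SAMPLE_EVENTS = """\
2024-03-01T09:00:09 198.51.100.2 alice OK mfa=yes
2024-03-01T09:01:00 203.0.113.7 alice FAIL mfa=no
2024-03-01T09:01:02 203.0.113.7 bob FAIL mfa=no
2024-03-01T09:01:04 203.0.113.7 carol FAIL mfa=no
2024-03-01T09:01:06 203.0.113.7 dave FAIL mfa=no
2024-03-01T09:01:08 203.0.113.7 erin FAIL mfa=no
2024-03-01T09:01:10 203.0.113.7 frank OK mfa=no
"""

class LoginEvent(NamedTuple):
    ts: datetime
    ip: str
    user: str
    success: bool
    mfa: bool

def parse_events(text):
    """Parse one login event per line into LoginEvent records."""
    rows = (line.split() for line in text.splitlines())
    return [LoginEvent(datetime.fromisoformat(ts), ip, user, out == "OK", mfa == "mfa=yes")
            for ts, ip, user, out, mfa in rows]

def stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Source IPs whose failures span >= min_accounts distinct accounts within one window.
    A user mistyping a password fails against one account; stuffing sprays many."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if not e.success:
            fails_by_ip[e.ip].append(e)
    flagged = set()
    for ip, fails in fails_by_ip.items():
        fails.sort(key=lambda e: e.ts)
        lo = 0
        for hi in range(len(fails)):
            while fails[hi].ts - fails[lo].ts > window:  # slide window start forward
                lo += 1
            if len({e.user for e in fails[lo:hi + 1]}) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

def successes_without_mfa(events):
    """Successful logins with no second factor: the cases MFA enforcement would have stopped."""
    return sorted({(e.user, e.ip) for e in events if e.success and not e.mfa})
```

Run against real authentication logs, the first function gives a baseline-violating source to block or rate-limit, and the second lists accounts where a password alone was enough to get in, which is the list MFA rollout should empty.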
At Paddle, we understand that we’re one of many software products used by our sellers, and so offer 2FA to all users accessing the platform. Here’s a bit more about how it works.
4. Comply with local security regulations
We’ve already mentioned GDPR but there are a number of other security regulations you need to comply with.
One of the most notable in the security space is Service Organisation Control (SOC 2). Developed by the American Institute of Certified Public Accountants (AICPA) for software companies processing customer data, SOC 2 is a framework that helps service organizations put security processes and controls in place to safeguard customer data and privacy.
Equally, when you are buying access to software that processes your data, it is worth checking whether the vendor is SOC 2 compliant.
It’s a certifiable standard that can only be officially achieved following an audit by an independent CPA. Completing SOC 2 Type 1 and 2 shows that your business has a real commitment to security and infrastructure in place that supports the highest security standards.
At Paddle, we’re committed to protecting seller data from unauthorized access and ensuring its integrity and confidentiality, and we have successfully completed a Service Organization Control (SOC) 2 Type 1 audit. We will be commencing the Type 2 engagement early in 2022.