Why B2B SaaS Companies Can't Afford to Go Cheap On Information Security
The scene opens: A dim glow from an EXIT sign is all that illuminates the office server room. You’d need to be listening intently to even register the dull thunk as the server room door unlatches, a man dressed in all black sliding in quickly from behind the opened door. From his bag is unsheathed his most mighty weapon: a laptop personal computer. Fingers flying, countless perfectly executed server commands whip down the screen, scrolling faster and faster in time with his racing keyclacks. All at once he stops, the glow of the code catching on the reflection of his dark sunglasses. He mutters two words:
“I’m in.”
If only it were that exciting.
Information security may not be as cinematic as movies from the early 2000s would have you believe, but that doesn’t mean it isn’t important to get right. According to the University of North Georgia, since 2013 there have been 158,727 records stolen from breaches every hour. With more than 30,000 SaaS companies currently operating for about 14 billion SaaS customers, that leaves a lot of risk to consider for all this data that could potentially be stolen or nefariously misused.
Now, more than ever, it’s important that SaaS companies seriously consider their data security efforts for themselves and the customers they serve. But what does information security entail, specifically?
What does Information Security Mean?
In a perfect world a business owner could just take all the information that needs to be protected, slip it into a lockbox, throw it into a secure safe, and call it a day. Due to the constantly moving nature of modern digital business transactions, data needs to be constantly moving between various systems at all hours of the day. Because businesses need speed to fully serve their customers, information needs to be easily passed around and read at each of those access points. Every window into the data creates another potential entry point for nefarious thieves and other unscrupulous parties.
This article wouldn’t be too useful if we just left all data vulnerabilities in a big heap, would it? Here’s a quick breakdown of some of the different kinds of ways information may be breached.
Ransomware – Malicious software can be designed to compromise a computer system and hold it hostage until remotely unlocked after payment has been received. The problem with this form of attack is that payment doesn’t carry a guarantee that the information won’t be held captive even after paying up the ransom.
Cracking Passwords – Through either human ingenuity or computer programs, it may be possible to crack a person’s password to protected systems. It’s very easy to find lists of the most commonly used passwords, or patterns in how people come up with passwords, which could inform the guessing. It’s also easily possible for ne’er-do-wells to put together a program that systematically tries every combination of letters, numbers, and characters to brute-force your password. If you’ve ever been locked out of a website for getting your password wrong too many times in a row, this is why.
Keylogging – Both physical and software keyloggers are available which record every keystroke typed on a computer. By use of these tools an attacker can go through the recorded steps of your day and get your password by essentially peeking over your shoulder and watching you type it.
Social Engineering – By exploiting bad data security measures and asking the right people to share some information, secure info can be passed to other parties without the respondents even realizing an issue has occurred. It might be a phony email or a phone call from “Tech Support” asking for your password. Whatever form it takes, giving information to non-trusted parties is a quick ticket to compromised data.
Physical Breakthroughs – Protecting data is important both inside and outside of the systems the information travels through. Something as simple as a discarded sticky note with login information can be the access vector for outside parties.
Do note that this is not an exhaustive list, even as this article is being written. New methods of exploiting vulnerabilities in and around digital systems are being invented every day. Being vigilant of these issues will greatly benefit both you and your customers.
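As an added illustration (not code from the original article) of the two defenses implied by the password-cracking item above: rejecting passwords that appear on a common-password list, and locking an account after repeated wrong guesses so a brute-force program cannot simply keep trying. The password list, thresholds, and usernames are constructed sample values.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

# Constructed sample of a "most common passwords" list; real lists run to millions of entries.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou"}

MAX_FAILURES = 5        # wrong guesses tolerated before the account locks (assumed policy)
LOCKOUT_SECONDS = 900   # 15 minutes; doubles on each repeated lockout of the same account


def is_weak_password(candidate: str) -> bool:
    """True if the password is on the common list or too short to resist guessing."""
    return candidate.lower() in COMMON_PASSWORDS or len(candidate) < 12


@dataclass
class LoginGuard:
    """Tracks consecutive failed logins per user and enforces a growing lockout."""
    failures: Dict[str, int] = field(default_factory=dict)       # user -> consecutive failures
    locked_until: Dict[str, float] = field(default_factory=dict)  # user -> unix time lock ends
    lockouts: Dict[str, int] = field(default_factory=dict)       # user -> lockouts so far

    def attempt(self, user: str, now: float, verify: Callable[[], bool]) -> str:
        """Return 'locked', 'ok' or 'denied'. `verify` checks the password and is
        only called when the account is not locked, so a locked account gives an
        attacker no signal about whether a guess was correct."""
        if self.locked_until.get(user, 0.0) > now:
            return "locked"
        if verify():
            self.failures[user] = 0          # a good login resets the failure streak
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            n = self.lockouts.get(user, 0)   # how many times this account was locked before
            self.lockouts[user] = n + 1
            self.locked_until[user] = now + LOCKOUT_SECONDS * (2 ** n)
            self.failures[user] = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard()
    for _ in range(MAX_FAILURES):
        print(guard.attempt("alice", time.time(), lambda: False))
    print(guard.attempt("alice", time.time(), lambda: True))  # still locked
```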
You aren’t the only one looking out for your customers when it comes to protecting the confidentiality of the data you work with. Around the world, government and legal institutions require strict adherence to protecting the safety of customers. Take for example HIPAA, or the Health Insurance Portability and Accountability Act. In that case, the US government protects patients’ confidentiality by preventing their data from being shared, sold, or exposed.
For SaaS companies, some of the regulations you may encounter are:
GDPR – General Data Protection Regulation: An EU-enforced regulation protecting customer data when using digital services. Companies must identify what data is being collected and what it’s being used for. (If you remember websites starting to ask for consent to collect cookies when you use their website, compliance with this legislation is why.)
CCPA – the California Consumer Privacy Act of 2018: A US-enforced protection giving consumers control over the data a company collects about them. This requires companies to identify and provide all collected personal information, along with opt-out and deletion protocols upon request.
GLBA – the Gramm-Leach-Bliley Act: A US-enforced protection for the non-public information of customers of financial institutions. It requires protections for the security, confidentiality, and integrity of customer records through administrative, technical, and physical safeguards.
Just like before, this list is far from exhaustive but can be a great place to start learning about what regulations your SaaS is subject to.
How Costly can a Data Breach be?
When determining the cost of a data breach, the main considerations are the amount of time the breach went unnoticed and if the company had an Incident Response plan in place.
IBM has found that data breaches that are identified and contained in less than 200 days save a company $1.12 million compared to those that take longer to discover. From an outside perspective, this logically aligns with your expectations: A hole in a boat can’t do as much damage when it’s found sooner rather than later. And the same goes for your SaaS company.
On average, a company with an Incident Response plan finds and fixes data breach vulnerabilities far more easily than a company without one. The difference averages out to about $2.66 million in cost between companies with a plan and those without. Being forward thinking about data breaches pays off handsomely.
While news of a newly revealed data breach may have you running to find a data breach calculator online to determine how much money a company will lose from tragedy, there are costs far beyond the exact dollar amount of damage done.
When a company hits the news with information about a recent data breach, this greatly affects how they’ll be doing business (if at all) in the coming weeks. As soon as a data breach is announced, years of goodwill with customers may be wiped away as they become too afraid to risk their data with that company. This affects not only unsure potential customers, but also existing customers and anyone within earshot of them. As the news travels, so does the drying up of customers. It pays to be wary of lax security habits not only from a financial perspective, but a reputational one as well.
What Can You Do to Prevent a Data Emergency?
With all this information about how information security can go wrong at a B2B SaaS company, you may be famished for information on how to prevent malicious breaches. Fear not, as there are plenty of solutions to this costly problem.
Some tried-and-tested methods of preventing bad actors from accessing sensitive data are good employee training and regular security audits.
Your employees and anyone who has access to sensitive digital records are the most important (and in some cases, only) line of defense over whose access and habits you have total control. Improving employee awareness, drilling them on how to contain sensitive data, and teaching them what to watch out for are all good steps to preventing costly data breaches for yourself and the customers you serve.
Let’s say you’ve given some training material to your company workforce and want to be even more sure that the things you’ve put in place to prevent data theft will work. That’s where a security audit comes in.
As explained by the good folks over at Astra, a security audit goes over the security readiness of your company. During an audit, a professional security team will do everything in their power to get at sensitive data on your platform and then report on what weaknesses they discovered. After the discovery process, the audit team will work with you to plug up the holes, develop best practices, and ensure you understand your company’s level of risk when it comes to data security. This helps you to improve and protect your own and your clients’ data both now, and far into the future with regular security testing.
New Trends in SaaS Security
Let’s say you’ve made it all the way through this article and haven’t learned a single thing you didn’t already know. (If this is you, you’re a saint and I owe you a beer. Really. Email me so I can send you something.) Going over the basics and explanations of good practices is just fine for someone new to informational security, but what has been developed more recently? Let’s go over some recent trends and explore how they affect SaaS businesses:
Artificial intelligence for threat detection: AI developments in SaaS spaces have been absolutely everywhere, including security and threat assessment. Because learning systems are incredible at picking up on patterns a human may not even notice, leveraging AI to go over your systems and determine the risk it may pose is a new way to improve security outcomes. Check out this white paper by Darktrace to learn more.
Blockchain for secure data storage and sharing: While the blockchain may be primarily known for cryptocurrency and exchanges, its ability to allow secure data storage is an emerging solution for data confidentiality. The nature of blockchain to maintain ownership, hold onto long strings of data for the entirety of the chain, and govern access through cryptographic hashes all lends blockchain solutions to being a good fit for data storage and sharing. You can read more about this in this research paper on Karger.
Zero-trust security models: With the costs of security breaches steadily ballooning over time, more robust security solutions have been gaining prominence in the tech landscape. One solution is the Zero-Trust Security model, where users are assumed to be hostile and blocked from any access unless authenticated based on context. Imagine if you could only log in to check your bank account if you were sitting in a certain chair in your home, and were barred from logging in (even with the correct username and password) anywhere else in the world. That’s zero-trust security, put simply. Read more about it over on Zscaler.
In Closing
While ensuring data is protected can be expensive, not ensuring its protection is far more costly. Protecting yourself and your customers financially, legally, and from losing standing if a breach is announced is well worth the time and investment to enact good security policies.