Reducing SaaS Security Risks

One big difference between large business and small business is that small businesses are usually cloud native from the start. This is extremely beneficial to those small businesses since they probably wouldn't be able to do what they do if they had to build their own infrastructure.

SaaS (software as a service) applications are hosted by other companies in the cloud. Your email is probably SaaS, as is your accounting software (QuickBooks, Freshbooks, etc.) and probably the software you use to manage your operations. Imagine if you had to run your own email, accounting, and resource planning servers. Could you have started your business with that workload? Probably not.

SaaS does not come without security risks, though. As we explain to most of our clients, migrating to the cloud just shifts your risks; it doesn't negate them. So how can you help protect your sensitive information in these SaaS apps where you don't have much control?

  • Make sure the vendor is reputable and security conscious. Review their web page for details on how they secure your data and any security assessments they have undertaken (e.g., SOC 2, ISO 27001, etc.). If you are a healthcare company, look for their willingness to sign or provide a BAA.
  • Look for common security provisions in their offerings:
    • Multi-factor authentication using an app or hardware token (not just text messages)
    • Ability to tie into your identity and authentication system (Microsoft Entra ID, Google, etc.)
    • Ability to view activity logs and transmit them to a central monitoring service
  • Choose the larger, more well-known names over the smaller ones that are just getting started. I know as a small business owner that we want to support other small businesses, but that could come at the expense of your own business. Go with the trusted big names if you can't dig deep into the smaller providers' security.
  • Consider a third-party risk assessor to evaluate solutions to better inform your initial selection decision.

Those are just the start. You'll also need to be proactive with your staff on the use of SaaS tools:

  • Add vendor-specific content to your regular security awareness training sessions.
  • Be mindful of your workforce needs to ensure the tools provided support them as much as possible. You don't want them using their own tools in the shadows because the ones you provide don't get the job done.

Risk is everywhere. Ensure you are considering all avenues of cyber risk when evaluating your cybersecurity program. Don't get stuck in the silo of only viewing the risk immediately in front of you.