With digital transformation continuing to define the SaaS space, a number of SaaS companies have still yet to achieve foolproof security for their systems. Fifty-three percent of CISOs say that their security concerns have only grown since 2020, and with hackers stealing 75 records per second, these concerns are likely to persist.
Dealing with Risks
The SaaS space follows a growth model similar to that of startups: rapid company growth is connected to rapid user-base growth. The catch: SaaS companies often focus too much on scaling their customer base, rather than securing users’ data.
User-related risks also make up a big part of these cyber attacks. Identity and access management has long been a struggle for SaaS companies, as they constantly have to address issues like password fatigue, decreased visibility across networks, and less-secure remote work environments.
Threats to Cloud Computing
In 2020, the Cloud Security Alliance (CSA) released a report titled Top Threats to Cloud Computing: Egregious Eleven, where they listed the most significant cloud threats to organizations in 2019. Here are the top six:
- Data breaches. Data breaches continue to be the top cybersecurity threat, considering the extensive damage a company often has to repair afterwards. While user experience may be compromised, encryption is still an advisable way of safeguarding sensitive data.
- Misconfiguration and inadequate change control. Taking the second spot is a new item on the list: misconfiguration errors. Cloud platforms may have overly-complex features that make it challenging to properly configure their networks and products. And we know what happens when servers get misconfigured: data may inadvertently be leaked through the cloud. Case in point is the 2018 Exactis data breach, where data of 340 million records stored in their database were exposed online. It was all because of a misconfigured and unprotected database that was made available to users in open servers.
- Weak security infrastructure and strategies. Time is often prioritized over security during cloud migration. Consequently, some companies rely on security architecture and strategies that their systems weren’t built for. To address this, CSA advises companies to align their security architecture with business goals and objectives, and continuously monitor the framework even after the migration is completed.
- Poor IAM practices. Inadequate IAM measures both in systems and physical resources can lead to misused credentials and increased user-related risks. Check out our handy IAM guide to learn more about what a good IAM solution looks like, and which platforms you can use.
- Account hijacking. Phishing attempts are rampant now more than ever, and as attacks become more sophisticated and targeted, it’s a question of if, not when, attackers steal credentials. The solution for this ties back to having robust IAM policies in place — that way, you can manage account access and usage, and minimize the risk for identity theft or financial fraud.
- Threats from inside actors. Roughly 34% of businesses globally are affected by insider threats per year, with 66% considering insider attacks more likely to happen than external ones. Even without malicious intent, these breaches could accidentally happen, especially if employees or business partners aren’t careful with handling and storing their data or credentials. CSA recommends conducting regular security audits on cloud servers, and continuous employee training on data and system security.
Falling on spots 7 to 11 are: unprotected APIs; weak control plane; metastructure failures; issues in usage visibility; and overall misuse of cloud services.
What Can SaaS Companies Do?
One of the most critical things you can do is comply with international security standards such as ISO20071. This ensures that your cybersecurity policies are in line with established standards, both for internal and external users.
Moreover, cybersecurity is a responsibility that doesn’t only fall on the CISO’s shoulders — everyone that has touchpoints with customers is accountable for it. Security teams and customer-facing teams must be aligned with regard to security processes and guidelines for minimizing risk. Other risk mitigation measures may include: addressing software vulnerabilities by having a securely-patched SD-WAN system, restricting data access, acquiring cyber insurance, and investing in system-network integrations.
Read Next: Gearing Up For Secure Growth: Scaling Up Your Cyber Security Efforts
Photography by Taylor Vick via Unsplash