For most businesses, cloud-based services have become an integral part of their operations. While confidence in Software-as-a-Service (SaaS) and cloud service providers is as high as it has ever been, the data breach of Australian cloud HR vendor, PageUp, earlier this month is a strong reminder that vendors simply cannot afford to slip when it comes to security.
While no system, however big or small, is immune to attackers, the reality is that some SaaS providers do a better job than others in fortifying their defences. Start-ups can be particularly vulnerable, as there is a temptation to forgo the security budget in favour of revenue-generating features while founders pursue growth to interest investors.
Put simply, businesses need to do their due diligence when shopping for a SaaS vendor, especially one which holds their employee data, as failing to do so puts both their business and their employees' privacy at risk.
Making sure you have a security checklist in place that extends beyond inspecting a vendor's Service Level Agreement (SLA) will help you make the right vendor decisions.
Many companies tend to view cloud companies with rose-coloured glasses and don't think to ask the hard questions that would otherwise be the norm for any vendor qualification process.
Where is their infrastructure located? What virus detection do they use, and what version are they on? What is the product's password policy? What is the history of outages? Where is their development team located? Is development in-house or outsourced? How can I get my data out if I stop using the vendor's services, and in what format? Is the service extensible through its own APIs? How often does the vendor test for vulnerabilities, and how quickly are any identified vulnerabilities remediated? What happens in the event that the data is leaked or lost? What processes does the vendor have in place to mitigate this risk?
It's surprising how many businesses don't ask SaaS vendors if, and how often, their systems are subjected to penetration testing. This is basic "housekeeping" when it comes to first-level checks of a product's cyber resilience.
These questions should carry significant weight in the overall criteria for selecting a suitable SaaS provider.
Also remember that ISO accreditation, whilst useful, isn't everything: technology and standards change at a rapid pace, and the overhead of maintaining the accreditation can sometimes overwhelm SMEs who would rather spend the budget directly on security.
Of course, even if a SaaS vendor passes your checks with flying colours, as an organisation you still need to know they have a contingency plan for when things go wrong. Ask your vendor when they last ran a Disaster Recovery exercise and where the DR data is stored; their response can be very telling.
Blank looks or delayed emails are not a good sign.