Companies over the past several years have been shoring up their cybersecurity capabilities and increasing overall security budgets, but Software as a Service (SaaS) providers are often overlooked in these efforts.
No one wants to send out a letter stating that their customers' data has been compromised, but an informative letter about the next steps, the protections in place, and confidence in the application can make the difference between retaining customers and losing market share. In January 2021 Mimecast, a security SaaS provider, had to do just that: a sophisticated threat actor compromised a Mimecast certificate used to authenticate several of the company's products to Microsoft 365 Exchange Web Services, affecting approximately 10% of its customer base, which in turn affected Mimecast's stock price.
The global cybersecurity market was worth $173B in 2020 and is projected to grow to $270B by 2026. Despite the increased spending, many companies remain unprepared for cyberattacks in 2021, which reinforces the need for adequate planning for cyberattacks.
Used by almost all companies and a fair number of individuals, the Software as a Service industry is a rapidly growing market, and popular SaaS solutions are not going away any time soon. Thanks to their ease and affordability, Gartner anticipates that SaaS solutions will generate revenue close to $117.7 billion in 2021, up $17B from 2020. Recent Gartner survey data indicates that almost 70% of organizations using cloud services today plan to increase their cloud spending in the wake of the disruption caused by COVID-19, which forced companies to pivot to remote work environments, with SaaS solutions among the easiest to adopt and roll out.
Migration to SaaS tools and platforms has, in some ways, reduced the security posture of some companies, because business departments can bypass IT by purchasing a SaaS solution directly with a credit card and sending company data to the vendor. In other cases, companies rely on legal contracts to protect them from vendor-related breaches. But without closely reading those contracts and conducting frequent security audits, companies may not realize that different SaaS vendors have vastly different security postures, or that a vendor may not be as secure as your own company. Additionally, if cybercriminals are unable to breach your company's internal IT environment, your SaaS environment may offer them a pivot point instead. Any company that uses a third-party SaaS solution with access to sensitive or confidential data could be risking a data leak. Investigating the security of your third-party SaaS providers is extremely important. Most companies are not prepared for a third-party SaaS breach because (1) they may not know who all their SaaS vendors are, or (2) they may not have a process for evaluating SaaS vendors.
So how can you reduce the cybersecurity risk of using a SaaS vendor?
Identify your critical data: Identify what data is most important to your organization, prioritize it, and protect it. Know what data is stored in each SaaS environment and assess the revenue impact and regulatory concerns if that data were compromised.
Determine your SaaS security exposure: Conduct a detailed assessment of your current and potential exposure from SaaS solutions. How much can you trust these SaaS vendors, and what would you do to ensure that your risk is minimized? Evaluate all possible risks, including physical theft or tampering, service interruptions, malware or ransomware attacks, data infiltration or exfiltration, and SaaS vulnerabilities. Keep a record of all third-party SaaS vendors and update the list at least annually. Additionally, develop and implement a process for conducting an annual SaaS vendor risk assessment.
Determine SaaS vendor security proficiency: Ensure that SaaS vendors are meeting security standards and adhering to security policies, regulations, and procedures (e.g., PCI-DSS, SOC 2, HIPAA, ITAR). This includes IT controls like antimalware, firewall technologies, DNS filtering, network access control, and code exception alerting. Be able to monitor compliance frequently, and if it is within budget, I recommend commissioning a third-party audit of their security to truly ensure they are compliant.
Maintain incident response plans: Both parties need a plan to notify the other if their network, systems, or data have been compromised or a compromise is suspected. I recommend conducting annual wargaming exercises to ensure incident response plans are tested and updated as required.
Evaluate the SaaS vendor's business continuity plan: The SaaS vendor should implement intelligent business continuity systems that allow an efficient and full recovery in the event of any kind of breach. Backup solutions must be able to restore systems to a point in time prior to the breach.
Companies can choose to develop a SaaS vendor risk assessment questionnaire and conduct the assessments themselves, or hire an expert to conduct a holistic security assessment. Commonly used questionnaires include the Standardized Information Gathering (SIG) questionnaire and the Cloud Security Alliance's CAIQ, or you can create your own based on major compliance frameworks such as the NIST Cybersecurity Framework, NIST 800-53, and the ISO 27000 series, and regulations such as PCI DSS, HIPAA, NERC CIP, and FISMA.
Remember, you are only as strong as your weakest link, and not knowing about a link only compounds that weakness with a higher risk of business interruption. One factor that helps reduce the overall cost of a breach is the cybersecurity maturity of the business.
A mature corporate cybersecurity program significantly improves resiliency by having processes and technologies in place to discover a SaaS breach earlier in the attack cycle. When those processes are in place, decisions to mitigate the attack and begin remediation can be made more quickly.