5 Misconceptions SaaS Companies Have About Security

Posted on February 17, 2021 - by Darren Gallop - in Building Your InfoSec Program


As a SaaS company, you may be focusing on the wrong thing when it comes to your clients.

SaaS companies wanting to sell to enterprise clients have a number of things to focus on to win the contract, like the quality of their product, the solutions they can provide, and the relationship management that’s involved in being a B2B provider.

Unfortunately, security isn’t often one of the things SaaS companies prioritize. Too often companies are overconfident in what they have in place — which is often very little — or they overestimate their ability to handle data breaches. SaaS companies may also think they have their security covered because they use third-party apps with security protocols. Waiting until a data breach to finally get serious about security is too late, as it can cost customer privacy, lost business, and lost trust.

SaaS companies unfortunately have a number of misconceptions around how they need to think about security, which can cause system vulnerabilities and lost contracts. Here are five of the most common, and how you can remedy them.

#1: Cybersecurity is a technology issue

SaaS companies incorrectly think that cybersecurity is just a tech issue, which means it can be compartmentalized and handed to the IT team. Or they assume security only concerns network systems and nothing else.

Reality: Cybersecurity is the responsibility of every team member, from the founder who sets the tone for being security-minded, to the teams that implement the policies, to the new employee choosing a password. It’s the tools, tasks, and routine activities each team member does every day to protect the company.

#2: Our application is built on a cloud service, so we’re secure

The common thinking here is that because everything runs in the cloud, and the cloud provider has its own security, the SaaS company is safe as long as it relies on the provider, and does not need protocols and standards of its own.

Reality: Cloud providers work on a shared-responsibility model. The provider secures the underlying infrastructure (physical data centers, hypervisors, the managed services themselves); you remain responsible for everything you build and configure on top of it: your data, your application code, who has access to which accounts and resources, how storage and network access are configured, and your policies around cloud usage. A publicly readable storage bucket or an over-privileged service account is your breach, not the provider's. You need to take ownership of your security and can't rely on someone else's policies to cover your own.

#3: We can get by with the bare minimum for security

SaaS companies think that if they have the security basics in place, they're ultimately OK. Or they may think they can always add more later as they need it.

Reality: A hacker will find a way in, especially if your security is at the bare minimum, and a regulator or an enterprise prospect's security questionnaire will flag the gaps. Be proactive: put standards in place and adhere to data regulations before anyone comes asking about them.

#4: We can focus on security later

It’s natural to get excited about building the company, gaining new clients, and pulling in revenue. But too often SaaS companies focus their time and resources on growing everything except security, which they put off until later.

Reality: Putting security off until later means your company is vulnerable now. The time to start thinking about security is when you start building the company so that you can incorporate security into the culture and policies from the very beginning.

#5: We don’t need a pen test

Companies may think that because they run audits or vulnerability scans regularly, they're protected against a breach. But scans only enumerate known issues; they don't test the system the way an attacker would.

Reality: A penetration test, or pen test, is an authorized, simulated attack on your system that chains findings together the way a real attacker would, which can reveal blind spots (logic flaws, misconfigurations, weak access controls) that scanners and checklists miss. A pen test also shows you how far an attacker could get and how well your defenses hold up against a realistic intrusion, rather than just against a checklist.

Tackle Misconceptions with a Better Approach

If your company’s been buying into some of these misconceptions, then it’s time to fix those beliefs. There are always things you can do to strengthen your company’s security approach, including implementing the following:

Security meetings: Start with a meeting to reposition the culture of your company to have a focus on security. As mentioned above, security isn’t just a tech issue or an issue for a specific team. Security should be a focus for everyone. Get key team leaders together to assess what your systems are, what risks you’re facing, and what plans you need to put in place going forward.

Frameworks and regulations: Next, make sure you meet the regulations that apply to you, including any industry-specific or regional requirements, and adopt a recognized security framework to structure your program. As mentioned above, don't wait until the regulators flag you for non-compliance. Be proactive in implementing the standards you need, and be sure to also cover the standards your clients hold you to so that you're on the same level as their security.

Review your strategy: Make sure your company has created a thorough set of policies and procedures. Make sure each department knows its role and its policies regarding customer data. And make sure there is a clear direction for what to do in the case of an incident. If the policies and procedures aren't already documented somewhere, make that a priority.

Inventory your assets: Take an inventory of your hardware and software assets so you know what you have and what you need to upgrade. Think about what hardware needs to be updated, and who has access to it. Is there any hardware that's been forgotten about that could be an entry point for hackers? Is your software up to date, or does any of it need to be uninstalled?

Ask for advice: As you build your company’s security program, don’t rely on what you know, and don’t try to figure it all out yourself. Again, it’s not just a tech issue to pass off on someone else, but a whole company issue. Talk to colleagues and vendors for advice, and seek out security experts to help you sort out your approach. Don’t be afraid to outsource security tasks to trained experts as well.

While misconceptions can be changed through awareness and education, breaches and hacks can’t be taken back. Get honest with where you stand and what you’ve been believing at your company, and take steps today to start focusing on the right things when it comes to protecting yourself and your clients.

Get custom information security policies generated for your business in minutes. Securicy guides you through creating, implementing, and managing a cybersecurity program.


About the author

Darren Gallop is a tech entrepreneur, information security expert, Techstars alumni, board member, and the CEO of Securicy. He co-founded Securicy and led the team to develop a SaaS product that guides businesses through creating, implementing, and managing their information security and privacy compliance program. Gallop previously co-founded Marcato and was CEO there for 10 years, until the successful event management software company was acquired by Patron Technology. He is fluent in English, French, and adept in Spanish. Gallop spends much of his non-work time traveling or engaging in the outdoors. Swimming, fly fishing, canoeing, camping, and surfing (basically in that order). He is from Nova Scotia, Canada.