State of SaaS Security: Insights for Startups from Joseph Kirkpatrick

Posted on January 27, 2021 - by Joseph Kirkpatrick - in Building Your InfoSec Program

This article is part of Securicy’s new State of SaaS Security Series, which will feature interviews with a diverse mix of security professionals, including CISOs and CTOs. Our goal is to provide SaaS companies and their teams with actionable insights to improve their security programs and increase their chances of successfully selling their products to larger enterprises.

The following is an interview we recently had with Joseph Kirkpatrick, President of KirkpatrickPrice.

Why are SaaS startups – even smaller ones – targeted by hackers?

With a small number of employees that tend to be stretched thin, limited capital, and a lack of fine-tuned focus, it’s no surprise that startups are seen as easy targets for hackers. For SaaS startups, information security may be the last thing on employees’ minds as they’re looking to scale and bring in revenue for their investors. Even for security-conscious startups, like those that come to us at KirkpatrickPrice for infosec audits, timeline concerns and financial constraints are some of the most common problems we have to work around. 

When information security takes the backburner, it’s like a neon sign to hackers that an organization has vulnerabilities waiting to be exploited. Malicious individuals will take the easiest route to gain access to data, which means looking for access points and vulnerabilities that can be exploited through phishing, malware, and other common attacks that cast a wide net. Whether it’s because they don’t have the capital, aren’t prioritizing security, or believe they don’t own, store, or transmit anything of value to hackers, startups commonly have weak information security practices and can be big targets for hackers.

What are the most common questions large enterprises ask SaaS startups about their security programs? 

When I’m on the phone with entrepreneurs of startups and they’re looking to start an audit engagement, they’re often coming to KirkpatrickPrice because a potentially large client is requiring that the startup gain a certain compliance report. The most common questions I hear startups being asked in these conversations are:

“What information security compliance certifications do you have?”

“Where is our data stored? Who can access it? How can I know it’s safe and protected?”

“What are you doing, as an organization, to stay secure and protect our assets?”

The concern of every major enterprise will always be their data and assets before anything else. If they’re entrusting their most valuable information to your systems and processes, they’ll want to see proof that you’re mitigating risk, doing your due diligence, and consistently working to remain secure. Have you completed an annual risk assessment? Do you have a backup and disaster recovery plan? Are you compliant with regulatory requirements and industry-accepted standards? These are questions you need to ask yourself if you’re a startup looking to work with large enterprises.

What are the most common mistakes SaaS startups make when it comes to security programs? 

I see it all the time – startups trying to check off boxes for information security compliance without looking at the bigger picture. If you’re completing information security tasks just to check off a list that says you’ve done it, you’re missing the opportunity to effectively test your security controls and find vulnerabilities in your information security program. The most common security pitfalls startups face are:

  • The failure to write and implement proper information security policies and procedures that cover topics such as acceptable use, monitoring and logging, risk assessment, incident response, and personnel security
  • A lack of physical security in the workplace and remote security for employees
  • The failure to establish effective business continuity and disaster recovery plans that have been tested and demonstrated to employees
  • A lack of proper security awareness training for all employees

Don’t wait until it’s too late to focus on information security best practices. I don’t want to see your startup make the headlines for a breach that could have been avoided with an established information security program.

What are 3-5 pieces of security advice for SaaS startups preparing to sell their product to larger enterprises? 

  1. Set a Good Security Foundation from the Start – There are two things you need to invest in security from the start: money and dedication. Don’t forget about information security when you’re establishing your annual budget. Instead, make it a priority and invest in your future from the start. You have to gain executive buy-in from the start by explaining the threats you face, showing evidence of the value of proper security configurations, and tying it back to the protection of your assets. Make sure your information security program is robust and follows industry-accepted guidelines established by organizations like NIST, ISO, or ISACA.
  2. Invest in Employee Education – Your employees are one of the first lines of defense against any cyberattack, but if they don’t undergo regular security awareness training, they could be your biggest vulnerability. It’s disheartening to see the number of breaches that could have been avoided if an employee only had proper training on what a phishing attempt could look like or how to identify common malicious attacks. When you invest in employee education on your information security policies and procedures, you’re investing in your company’s future, and therefore, the security of the future enterprise you are preparing to sell to.
  3. Don’t Overlook the Importance of Documentation – When you are establishing a thorough information security program, don’t forget that proper documentation is vital. As you prepare to sell your product to a larger enterprise, make sure your monitoring, logging, tracking, and asset information is all documented and remains in a secure location. Your security practices are an asset in themselves and must be protected, especially if you’re planning on selling to an enterprise that will certainly ask to see all documentation of security implementations. Be prepared to provide proof of the policies and procedures you are regularly implementing across your organization at any time.

What cyber security trends should SaaS startups keep an eye on as we make our way into 2021? 

  • Cyberattacks and Remote Work – We can expect to continue to see a rise in cyberattacks, especially ransomware and phishing attacks, as remote work continues to play a factor in the security landscape. For the fast-paced, hyper-focused environment often found at SaaS startups, it’s important to remember the threat of attack is always present. Remote work only magnifies these threats as employees work on home networks and away from the established security protocols often implemented in an office setting.
  • Holes in Cloud Security – As more businesses rush to move their data storage to the cloud, we can predict an increase in cloud misconfigurations, misunderstood cloud security responsibilities, holes in cloud security, and unaddressed vulnerabilities. SaaS startups can have a mindset that I often hear from our clients at KirkpatrickPrice – that cloud security is the responsibility of their cloud provider. While a cloud provider is responsible for security of the cloud, you are responsible for security in the cloud. Protect your data accordingly.
  • MFA – Multi-factor authentication will be more important than ever in 2021 as the first line of defense against cyberattacks. Startups need to understand the value of requiring MFA on all devices for all employees, in addition to their own applications.
  • IoT and 5G – With the new elements of 5G being introduced in the world, SaaS startups can expect to see an increase in connectedness. IoT devices can be expected to have a surge, which can lead to a number of cyberattacks that will affect more than just one entity. I would urge security-conscious organizations to keep an eye on how the security landscape shifts as 5G enters the ring.

About the author

Joseph Kirkpatrick is the President of KirkpatrickPrice. KirkpatrickPrice is a licensed CPA firm, PCI QSA, and HITRUST CSF Assessor, and most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, GDPR, ISO 27001, FISMA, and penetration testing.