B2B SaaS companies used to think of “freemium” as only being relevant to attract new startup or SME customers. However, in recent years even large enterprises have started using free trial offers to reduce product evaluation costs.
But these lower barriers to adoption are also serving to divert buyers’ minds from the cybersecurity issues at play. Think about it: when did you last consider the cybersecurity risks that a B2B SaaS product may pose to your IP, your data and your business?
Why should you care about cybersecurity risks in someone else’s B2B SaaS application?
It’s easy to get caught up in simply trying to achieve your business goals as quickly as possible, without stopping to consider what might actually be at risk for your company.
Given that most of our business applications are connected, particularly with directly coded integrations using APIs or even through external services like Zapier, you should be aware that a security breach in one service could open up your crown jewels to the internet’s underbelly.
Unless you are a developer or technically-inclined and have access to your company’s systems architecture, you can’t possibly be expected to understand how all your company’s CRM, ERP and digital systems are connected. But you should make it your responsibility to ensure that any external services you use do not increase the risk of a security breach or even corporate espionage.
While no SaaS business wants their application to be hacked, you might be surprised to learn that very few SaaS businesses take all the necessary steps to protect their users.
Worryingly, Trustwave found as far back as 2016 that “fewer than one in four organisations consider themselves to be “very proactive” in the context of security testing.”
The 2018 Global Study on Application Security found that 65% of surveyed companies would wait until customers were affected by a security breach before increasing application security spend. When you combine this with the finding in the same report that only 25% of IT and security teams believe that their organisation spends enough on application security, does it seem logical that it is incumbent upon you to ask more cybersecurity questions of your B2B SaaS vendors?
So what should I do before accepting a free trial of a marketing SaaS?
It is not uncommon to be excited at discovering a new product that you think might save you an inordinate amount of time or help you finally achieve those seemingly unreachable targets that your boss sets for you.
But you should remember that time is your friend. And knowing the right questions to ask of the SaaS provider is your secret weapon:
Question 1: Does the SaaS company have publicly published security policies?
Publicly published security controls may not give you hard data about the efficacy of the security policies, but they represent a level of maturity. Such policies signal that the SaaS company is taking proactive steps to protect your data and their IP, and ultimately that they think their relationship with you and their other customers is valuable enough to protect.
All popular cloud services that you probably use, think Dropbox, Slack, AWS, Gmail, etc, have such pages that spell out their security practices. Look them up to get a sense of how the best in the business implement their application security controls.
Question 2: Does the B2B SaaS vendor have any information security accreditations?
If you’re familiar with ISO standards then you’ll be happy to know that there is an ISO accreditation for information security: ISO27001. You should look for this or something similar, like SOC2 or HIPAA for health-related applications, when you’re evaluating your next marketing SaaS vendor.
These accreditations are not an ironclad guarantee that the accredited vendor’s SaaS product is ACTUALLY free of security vulnerabilities. But such accreditations do signal that they have the policies and processes in place and if their teams actually follow those processes then their applications should be pretty secure.
Question 3: When did the vendor last conduct a penetration test on their application and infrastructure?
Interestingly, an HP Enterprise study found that 72% of web applications have at least one security vulnerability that allows hackers to gain access to things only admins should be able to see. The only way to be sure that the application you want to use isn’t riddled with such security holes is to look at the vendor’s penetration testing report.
Most smart SaaS companies regularly use reputable, specialist web application penetration testing services to find security vulnerabilities in their applications before they ship a new version. And if you ask them for the latest version of such a report, they will be more than happy to provide it to you – if you’re a serious buyer, of course.
When was the last time you posed this question to your B2B SaaS vendors?
Is this a foolproof way to guarantee that a B2B SaaS app I want to evaluate is secure?
Unfortunately, no. There is no “foolproof” or “ironclad” way to ensure that a SaaS vendor has mitigated all cybersecurity risks. There are so many avenues that could result in an application security breach, and this makes it impossible for SaaS companies to guarantee you that they will never be breached.
But there are proven ways to ensure that your current and prospective B2B SaaS vendors have minimised the likelihood of a serious cybersecurity breach.
Ask these questions before you accept your next free trial or sign an agreement to buy a SaaS solution, and satisfy yourself that your company’s sensitive information doesn’t fall into the hands of the type of people who shouldn’t have it.
About the Author
Ayush is a Co-Founder of Audacix. World-class SaaS teams use Audacix’s automated software testing and penetration testing services to avoid “oh s**t Mondays”! If you want to test your cloud software in less time, for less money, while ensuring that it is free of security vulnerabilities, talk to Ayush now.