By Marcus Södervall, Head of Security at Stravito
If it seems there is always a fresh story in the news about some company, school or organization suffering a devastating digital attack or breach — it’s because it’s true. As the bulk of business communications has become digitized, information has increasingly become a target for hackers and bad actors who can exploit security vulnerabilities and cripple institutions’ operations or reputations. To succeed in this environment, enterprise businesses must be proactive in their information security efforts and remain vigilant against new threats and perpetrators’ evolving tactics.
At the same time, the growth of SaaS solutions has given organizations access to a variety of powerful tools without having to develop them internally. This can greatly increase efficiencies and capabilities while reducing costs. But, it can also introduce additional opportunities for digital security failures.
Who Do You Trust?
Retaining the trust of existing and potential customers is paramount for any business that handles private or sensitive information. Consequently, SaaS providers often obtain industry security accreditation or otherwise demonstrate compliance with standards to assuage customers’ concerns. Even then, new business discussions can involve hundreds of specific queries from diligent customers meant to ensure that every possible digital vulnerability is accounted for.
Enterprise customers expect premium service and attention, which makes open, honest communication a key component of a successful relationship. The potential harm from a security incident should motivate service providers to enact stringent measures and to explain those capabilities to partners in order to maintain trust and ease concerns. Safeguards such as data backups or automated lockouts for suspicious activity are often necessary to give customers even greater peace of mind.
Dealing With Threats
Major incidents at global firms including banks, government agencies and hospitals have shown that security requires human and technological elements that follow strict procedures to identify potential incursions or attempts to gain system access. Threats can arise from minute imperfections in coding or through phishing attacks that capture employees’ logins and passwords. This is where a group of security professionals known as white-hat hackers comes into play.
These ethical security researchers play the role of investigator, probing code and running systems for entry points and reporting them to the owner so the hole can be patched before an attacker finds it. Many SaaS providers and larger businesses perform this work in-house and also run ‘bug bounty’ programs that invite independent white-hats to test their systems under agreed rules of engagement; a researcher who reports a valid vulnerability receives a financial reward. Bug bounties and similar programs complement internal testing and are among the most cost-effective ways to find weaknesses in code that is already in production.
Information Security is Not a Secret
In the winter of 2021-2022, the security-minded staff at ISMG (Information Security Media Group) surveyed more than 180 industry leaders across Europe and North America to gauge their companies’ current security levels, top security concerns, and how they expect budgets or programs to affect security efforts in the near future.
Nearly all respondents (97 percent) expect to maintain or increase current cybersecurity funding for 2023, with specific focuses on data loss prevention, data classification and encryption. That’s not surprising, given that 43 percent cited the threat of ransomware as their greatest concern, followed by 29 percent who named phishing. While 64 percent of the experts see cybercriminal groups as the leading actors, it’s important to note that 18 percent of respondents see their own employees or partners as the biggest threat, through either intentional or unintentional actions.
Strikingly, 20 percent of respondents reported having suffered either a direct breach of their systems (12 percent) or an indirect breach via a third-party partner (8 percent). With third-party incidents affecting roughly one enterprise in 12, supply-chain exposure is clearly a significant problem, though the figure may be inflated by the 11 percent who said their companies have no defined information security policy at all.
You Say You’re Secure? Prove It.
As mentioned above, security conversations with new partners or customers can be arduous and highly specific. SaaS providers like Stravito have invested in best practices that go above and beyond industry standards to simplify these initial conversations and streamline the onboarding process. Through a combination of automation, a secure software development lifecycle and stress tests to identify potential vulnerabilities, SaaS providers can demonstrate adequate understanding and control of information security.
Automation means having machines carry out actions such as threat detection, remediation and alerting human operators, which shortens the time between an event and a response and removes the dependence on someone happening to be watching. In a secure software development lifecycle, organizations integrate security testing into every part of the process, from initial planning and design to coding, and finally to release and software maintenance. In the past, some companies relegated security concerns to the end of the development cycle, when fixes are most expensive, but new digital realities are quickly turning secure development into a necessity. Equally important is an organization’s ability to promptly respond to and solve security problems, whether patching a hole or excising an intruder.
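As a concrete illustration of the detection, remediation and alerting chain described above (and of the “automated lockouts for suspicious activity” mentioned earlier), here is an added example, not code from Stravito or from the original article. It replays a constructed authentication log, locks an account after a configurable number of failed logins within a sliding time window, refuses further attempts while the lock is active, and emits an alert line for a human operator. The log format, account names and source addresses are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample of an authentication log. The line format, users and
# source addresses are assumptions for this example, not real data.
SAMPLE_LOG = """\
2023-03-01T10:00:01Z login user=alice src=203.0.113.5 result=FAIL
2023-03-01T10:00:07Z login user=alice src=203.0.113.5 result=FAIL
2023-03-01T10:00:12Z login user=bob src=198.51.100.9 result=OK
2023-03-01T10:00:15Z login user=alice src=203.0.113.5 result=FAIL
2023-03-01T10:00:21Z login user=alice src=203.0.113.5 result=FAIL
2023-03-01T10:00:30Z login user=alice src=203.0.113.5 result=FAIL
2023-03-01T10:00:44Z login user=alice src=203.0.113.5 result=OK
2023-03-01T10:20:00Z login user=bob src=198.51.100.9 result=FAIL
2023-03-01T10:31:00Z login user=bob src=198.51.100.9 result=FAIL
2023-03-01T10:42:00Z login user=bob src=198.51.100.9 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed or unrelated line: skip it rather than crash the pipeline
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def evaluate(log_text, threshold=5, window=timedelta(minutes=5), lock_for=timedelta(minutes=15)):
    """Replay the log in order and apply a sliding-window lockout policy.

    Returns (decisions, alerts): decisions is a list of (ts, user, action) tuples,
    one per parsed line; alerts is a list of strings for a human operator.
    """
    failures = defaultdict(deque)   # user -> timestamps of recent failed logins
    locked_until = {}               # user -> time at which the lock expires
    decisions = []
    alerts = []

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        user, ts = ev["user"], ev["ts"]

        # Remediation: while a lock is active, refuse every attempt, even one
        # that presents the correct password (a guesser who finally hits it).
        if user in locked_until and ts < locked_until[user]:
            decisions.append((ts, user, "DENIED_LOCKED"))
            continue

        if ev["result"] == "OK":
            failures[user].clear()          # a genuine login resets the counter
            decisions.append((ts, user, "ALLOWED"))
            continue

        # Detection: keep only failures inside the window and compare to threshold.
        q = failures[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            locked_until[user] = ts + lock_for
            q.clear()
            decisions.append((ts, user, "LOCKED"))
            # Alerting: hand the event to a human with enough context to act on.
            alerts.append(
                f"{ts.isoformat()} lockout user={user} src={ev['src']} "
                f"failures={threshold} within={window} until={locked_until[user].isoformat()}"
            )
        else:
            decisions.append((ts, user, "FAILED"))

    return decisions, alerts


if __name__ == "__main__":
    decisions, alerts = evaluate(SAMPLE_LOG)
    for ts, user, action in decisions:
        print(ts.isoformat(), user, action)
    for line in alerts:
        print("ALERT:", line)
```

In the sample, alice’s five failures inside five minutes trigger a lock, and her subsequent successful password at 10:00:44 is still refused because the lock has not expired; bob’s three failures are spread more than five minutes apart, so they never accumulate. One caveat a practitioner would add: per-account lockouts are themselves a denial-of-service lever, since anyone who knows a username can lock its owner out by sending wrong passwords, so production systems usually combine this with per-source rate limiting, progressive delays or step-up authentication, and treat the alert as the important output rather than the lock alone.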
Staying Safe in an Unsafe World
The larger an enterprise is, the more it has to lose. For SaaS providers and their customers, it is imperative to review and consistently improve security procedures and protections using a variety of modern tools that can keep bad actors out of secure systems and protect both the integrity of internal data and the safety of sensitive personal information.
The survey by ISMG closed by asking about future plans, and the responses are not surprising: 69 percent are increasing cybersecurity budgets and 76 percent expect their organizations to increase the use of public or private cloud deployments in the next two years. As these trends continue, businesses of all kinds will be expected to show their security bona fides to partners and clients who share data of any kind. Those that don’t will be more likely to lose out on contracts, partnerships and customers as long as there is a competitor providing better protection and peace of mind.