
With everything shifting to the cloud, data security and risk mitigation are moving up the list of priorities for businesses big and small. Chances are, your organisation’s workflows involve online data storage in some way. Think about it: what if that data falls into the wrong hands?
If you’re wondering how you can better take control of your data security risks and pick a safe and secure SaaS platform for your business, you’ve come to the right place.
TL;DR
- SaaS data security is crucial for local SMEs, with data security breaches on the rise.
- Intentional and comprehensive risk assessment can help businesses manage data security threats.
- Compliance with international regulations and industry standards helps further lock down SaaS data security for SMEs.
What is SaaS data security?
Let’s break it down.
SaaS, short for Software as a Service, is software that is hosted on virtual machines in data centres instead of on local hardware. Users access this software through mobile, web or desktop applications. The organisation providing the software takes care of responsibilities like software updates as part of their services.
Because SaaS exposes more data access points than software running on local hardware, it creates more opportunities for unauthorised access to digital information. SaaS data security, then, is the practice of protecting digital information from unauthorised access, corruption or theft throughout its entire lifecycle.
For insights on how organisations can manage their data securely, including steps to protect sensitive payroll and employee information, check out Employment Hero’s steps to take to mitigate risk of payroll cyber attacks.
Why is SaaS data security crucial in the digital age?
In 2023, over 55% of security executives reported that they experienced a SaaS security incident in the past two years. More recently, there have been major data breaches involving heavyweights like LinkedIn, Snapchat, Venmo and Adobe.
When even major corporations are not spared from cybersecurity risks despite their access to resources, it’s clear that being proactive and vigilant is key to managing your organisation’s cloud security.
Choosing a SaaS provider with robust security measures is crucial.
Personal data is a valuable asset entrusted to SaaS providers, encompassing personal identification numbers (PINs), financial data, intellectual property and much more. In the wrong hands, compromised personal data can be bought and sold on the web, providing bad actors with sensitive information that should have remained confidential.
What common security threats do SaaS platforms face?
While there can be security threats on any device, certain threats occur more often with SaaS tools.
Data breaches rank at the top of the list, where data is exposed to unauthorised third parties. That’s when hackers break through information security systems and controls to access and misuse data.
Phishing attempts are also a common data security threat for SaaS providers, where bad actors target people with fraudulent communications to get sensitive personal information. A common tactic is an email disguised as a legitimate message that actually diverts the information you enter to another source. When in doubt, don’t click the link!
Next are insider threats, which are data or security breaches that come from within an organisation. These breaches can be caused by current and former employees, contractors, business partners or stakeholders – in essence, anybody who has had access to an organisation’s confidential data.
Last but not least is identity theft, where an impersonator uses someone else’s personal data and information for their own gain. The impersonator can then use the credentials to gain access to sensitive information. This kind of data security risk is most common with malware, like viruses, keyloggers and ransomware.
Data security questions you can ask SaaS providers
Before you entrust SaaS providers with your data, think about the type of data you’re handling and classify it to understand how much protection you’ll need.
Once you’ve figured out your data security requirements, ask these questions as part of your Vendor Security Assessment (VSA):
1. What compliance and certifications does your software have?
Depending on your location, your organisation’s data may be subject to data privacy regulations meant to protect individual privacy rights and personal data. Mandatory legislation applies in different contexts and regions, and non-compliance can result in penalties including fines, legal action and damage to company reputation.
Meanwhile, certain certifications can show that a SaaS provider is compliant with specific industry standards.
Here’s a non-exhaustive list of regulatory and industry-specific standards to look out for:
| Region/Provider | Legislation/Certification |
|---|---|
| International | Data Privacy Framework; ISO/IEC 27001; Payment Card Industry Data Security Standard (PCI DSS); System and Organization Controls (SOC) for Cybersecurity; SOC 2 – SOC for Service Organizations: Trust Services Criteria |
| European Union (EU) | General Data Protection Regulation (GDPR); Data Governance Act (DGA) |
| Australia | Privacy Act (1988) |
| New Zealand | Privacy Act (2020) |
| United Kingdom (UK) | Data Protection Act 2018 |
| Singapore | Personal Data Protection Act 2012 (PDPA) |
| Malaysia | Personal Data Protection Act 2010 (PDPA) |
Before you engage a new SaaS tool, get a rundown of their security protocols and standards. Integrating with a new system can be complex and risky, so knowing what you’re signing up for will make it easier to manage any data security gaps that might appear.
2. What are the data encryption standards on your platform?
Know your software’s data encryption standards to determine whether they can provide enough data protection. For example, are they using asymmetric encryption or symmetric encryption, and which methods are they using?
If your data is protected by traditional security mechanisms that cover data at rest and data in transit, check if they also offer extra protection with confidential computing through application-independent trusted execution environments (TEEs).
3. Do you have any access control and identity management processes in place?
Identity and access management (IAM) adds layers of security by ensuring the right people have the right levels of access to the data. IAM uses authentication mechanisms like usernames, passwords and fingerprint scanning to verify a user’s identity and grant them appropriate access to information.
Ask your SaaS provider for a breakdown on who has access to your data and whether it can be manipulated by any parties not within your organisation. This information can be found in an organisation’s data access policy, which will outline user roles, permissions, authentication procedures and access rights processes.
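To make the access policy questions above concrete, here is an added example (not Employment Hero’s code or any provider’s real policy) that evaluates a small data access policy of the kind such a document describes: roles map to permitted actions, every record belongs to one organisation, and a request is allowed only when the caller’s organisation owns the record and the caller’s role grants the action. The role names, organisation ids and records are constructed sample data.

```python
"""Added example: evaluate a simple tenant-isolated, role-based data access policy.
Roles, permissions, organisation ids and records below are constructed, not real."""
from dataclasses import dataclass

# Role -> permitted actions. Assumed policy for illustration; a real one comes
# from the provider's data access policy document.
ROLE_PERMISSIONS = {
    "hr_admin": {"read", "update", "export"},
    "payroll_officer": {"read", "update"},
    "employee": {"read_own"},  # may read only records about themselves
}


@dataclass(frozen=True)
class User:
    user_id: str
    org_id: str   # the organisation (tenant) the user belongs to
    role: str


@dataclass(frozen=True)
class Record:
    record_id: str
    org_id: str       # owning tenant
    subject_id: str   # the employee the record is about
    sensitivity: str  # "public" | "internal" | "sensitive"


def is_allowed(user: User, action: str, record: Record) -> bool:
    """Return True only if both the tenant boundary and the role permit the action."""
    # 1. Tenant isolation: nobody outside the owning organisation, whatever their
    #    role. This is what denies provider staff or other customers by default.
    if user.org_id != record.org_id:
        return False
    perms = ROLE_PERMISSIONS.get(user.role, set())
    # 2. Employees may read only their own records.
    if action == "read" and "read_own" in perms:
        return record.subject_id == user.user_id
    # 3. Sensitive records may be exported only by a role that explicitly holds "export".
    if action == "export" and record.sensitivity == "sensitive":
        return "export" in perms
    return action in perms


def audit(user: User, action: str, record: Record) -> str:
    """One audit-log line per decision, so denied cross-tenant attempts are visible."""
    decision = "ALLOW" if is_allowed(user, action, record) else "DENY"
    return (f"{decision} user={user.user_id} org={user.org_id} role={user.role} "
            f"action={action} record={record.record_id}")


if __name__ == "__main__":
    payroll_record = Record("r1", "acme", "bob", "sensitive")
    for requester in (User("alice", "acme", "hr_admin"),
                      User("bob", "acme", "employee"),
                      User("mallory", "provider", "hr_admin")):
        print(audit(requester, "read", payroll_record))
```

The order of the checks matters: the tenant check runs before any role lookup, so a generous role in another organisation (including the provider’s own staff) never reaches the permission logic.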
4. How often is data backed up?
Data backups protect your workflows from security threats like ransomware and hacking. They also reduce downtime and help with data recovery. Knowing how and when your data is being backed up lets you supplement data protection measures, especially when it comes to regulatory compliance.
Check the data backup procedures and frequency of the SaaS platform if you’re entrusting your data to them. Most providers follow a shared security responsibility model where they are responsible for application uptime and availability, but you are ultimately responsible for your own data protection.
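As an added example (not from the article and not any provider’s reporting tool), the checker below turns “how and when your data is being backed up” into a test you can run over a provider’s backup report: it flags gaps longer than the agreed recovery point objective, a daily full backup that has not happened, and a restore test that is older than the agreed interval. The backup log, timestamps and thresholds are constructed sample values.

```python
"""Added example: check backup evidence against an agreed recovery point objective
(RPO), a daily full-backup cadence and a restore-test interval. All data constructed."""
from datetime import datetime

# Constructed sample of what a provider's backup report might list for one day.
BACKUP_LOG = [
    ("2024-05-01T00:00:00", "full"),
    ("2024-05-01T00:15:00", "txlog"),
    ("2024-05-01T00:30:00", "txlog"),
    ("2024-05-01T01:15:00", "txlog"),   # 45-minute gap after 00:30
    ("2024-05-01T01:30:00", "txlog"),
]
LAST_VERIFIED_RESTORE = "2024-03-20T09:00:00"  # constructed


def find_gaps(log, max_minutes: int):
    """Return (start, end, minutes) for consecutive backups further apart than max_minutes."""
    times = sorted(datetime.fromisoformat(t) for t, _ in log)
    gaps = []
    for earlier, later in zip(times, times[1:]):
        minutes = int((later - earlier).total_seconds() // 60)
        if minutes > max_minutes:
            gaps.append((earlier.isoformat(), later.isoformat(), minutes))
    return gaps


def full_backup_overdue(log, as_of: str, max_hours: int) -> bool:
    """True if the most recent full backup is older than max_hours at time as_of."""
    fulls = [datetime.fromisoformat(t) for t, kind in log if kind == "full"]
    if not fulls:
        return True
    age_hours = (datetime.fromisoformat(as_of) - max(fulls)).total_seconds() / 3600
    return age_hours > max_hours


def restore_test_overdue(last_verified: str, as_of: str, max_days: int) -> bool:
    """A backup that has never been restored is not evidence of recoverability."""
    age = datetime.fromisoformat(as_of) - datetime.fromisoformat(last_verified)
    return age.days > max_days


def assess(log, last_verified, as_of, rpo_minutes=15, full_max_hours=24, restore_max_days=31):
    """Collect human-readable findings; an empty list means the evidence meets the agreed targets."""
    findings = []
    for start, end, minutes in find_gaps(log, rpo_minutes):
        findings.append(f"RPO breach: no backup between {start[11:16]} and {end[11:16]} ({minutes} min)")
    if full_backup_overdue(log, as_of, full_max_hours):
        findings.append(f"full backup overdue: none within {full_max_hours} hours of {as_of}")
    if restore_test_overdue(last_verified, as_of, restore_max_days):
        findings.append(f"restore test overdue: last verified {last_verified}, limit {restore_max_days} days")
    return findings


if __name__ == "__main__":
    for line in assess(BACKUP_LOG, LAST_VERIFIED_RESTORE, "2024-05-01T02:00:00"):
        print(line)
```

Under the shared responsibility model the article describes, this is the customer-side check: the provider produces the report, you confirm it matches what was promised.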
5. How is API security maintained in your SaaS platform?
Application Programming Interfaces (APIs) link SaaS applications to other software, enabling integration, communication and data sharing across platforms.
Each API is an additional entry point, so it adds risk to a platform. Your SaaS provider’s API security measures should ensure that data access is granted only to authorised users and applications, protecting your data from unauthorised access and exposure.
Why is user training necessary for maintaining SaaS data security?
Beyond key data security due diligence questions, you should also manage internal security risks to cover all your bases. Some of the most common security incidents come from end user behaviour flaws like phishing, scams, unsafe online interactions and device use errors.
While your SaaS platform can add layers of data security protection like single sign-on (SSO), adaptive multi-factor authentication (adaptive MFA), time-based one-time passwords (TOTP) and more, implementing user training for SaaS security can help you and your employees better identify and avoid threats through changed behaviour and password hygiene.
Why is a security-first culture vital in organisations?
When you involve all stakeholders in building a security-first culture, you diffuse data security responsibility among team members. This leads to better ownership across functions, so everyone can play a part in being vigilant.
Bringing in the correct data security strategies, policies and tools and incorporating them into your organisation’s workflows will help you and your employees better protect your organisation. While your employees can try their hardest to comply with best practices, getting support from management means that they get access to the resources they need as well as the constant reminder to keep security top of mind.
One more thing: when management puts data security first in their day-to-day, they model the behaviour you’re trying to encourage across all levels of your organisation. Managers who lead by example inspire employees to do the same.
What can we learn from past SaaS security breaches?
Case study 1: Cloudflare
In February 2024, Cloudflare disclosed that its Atlassian systems experienced a nation-state attack after its identity and access management provider Okta suffered a breach in October. The attacker targeted its systems using the compromised Okta credentials from November 14th to 17th, accessing Cloudflare’s internal wiki on Atlassian Confluence and its bug database on Atlassian Jira.
Following the Okta breach, Cloudflare failed to rotate one service token and three service accounts that had been compromised, mistakenly believing that they were unused. Through these means, the attacker viewed 120 code repositories and used the Atlassian Bitbucket git archive feature to download 76 of them to the Atlassian server – Cloudflare decided to treat the compromised source code repositories as exfiltrated as a proactive security measure.
While the attacker attempted to access other systems on Cloudflare’s network, its presence was limited to the Atlassian suite, meaning that no customer data or systems were accessed. This successful protection of data beyond Cloudflare’s Atlassian suite was due to its zero trust architecture consisting of enforced access controls, firewall rules and use of hard security keys.
After the November nation-state attack, Cloudflare instituted comprehensive remediation efforts under the project “Code Red” to harden controls in its environment and prevent future intrusion.
The measures taken include analysing the compromised source code repositories to catch and fix anything an attacker could use for a subsequent attack, rotating individual credentials, physically rotating test and staging systems, performing forensic triage on systems, as well as reimaging and rebooting every machine in its global network.
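The lesson of the case study is that “we believe this token is unused” is not a reason to skip rotation after an identity-provider compromise. As an added example (not Cloudflare’s or Employment Hero’s code), the triage below applies that rule to a credential inventory: anything that existed during the exposure window is rotated, with credentials seen in use after the window prioritised because that use may be the attacker’s. The credential names, dates and exposure window are constructed sample data, not the real incident timeline.

```python
"""Added example: post-IdP-compromise credential rotation triage.
Inventory entries and the exposure window are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Credential:
    name: str
    kind: str                    # "service_token" | "service_account"
    created: datetime
    last_used: Optional[datetime]  # None = no usage ever observed


# Constructed exposure window (not the real incident dates).
EXPOSURE_START = datetime(2023, 10, 18)
EXPOSURE_END = datetime(2023, 10, 20)

# Constructed inventory, including a token that "looks unused".
INVENTORY = [
    Credential("wiki-sync-token", "service_token", datetime(2023, 6, 1), None),
    Credential("jira-bot", "service_account", datetime(2023, 9, 1), datetime(2023, 11, 15)),
    Credential("old-build-account", "service_account", datetime(2022, 1, 1), datetime(2023, 10, 1)),
    Credential("post-incident-token", "service_token", datetime(2023, 10, 25), datetime(2023, 11, 1)),
]


def classify(c: Credential, start: datetime, end: datetime) -> Tuple[str, str]:
    """Return (priority, reason). Priorities: P1 rotate immediately, P2 rotate, none."""
    if c.created > end:
        return "none", "issued after the exposure window"
    if c.last_used is not None and c.last_used > end:
        return "P1", "used after the window; that activity may be the attacker's"
    if c.last_used is None:
        return "P2", ("no observed use, but it existed during the window; "
                      "absence of usage data is not proof it was not taken")
    return "P2", "existed during the window"


def triage(creds: List[Credential], start=EXPOSURE_START, end=EXPOSURE_END) -> Dict[str, Tuple[str, str]]:
    return {c.name: classify(c, start, end) for c in creds}


def rotation_list(creds: List[Credential], start=EXPOSURE_START, end=EXPOSURE_END) -> List[str]:
    """Names to rotate, P1 first; order within a priority follows the inventory (stable sort)."""
    decisions = triage(creds, start, end)
    to_rotate = [name for name, (prio, _) in decisions.items() if prio != "none"]
    return sorted(to_rotate, key=lambda n: decisions[n][0])


if __name__ == "__main__":
    for name, (prio, reason) in triage(INVENTORY).items():
        print(f"{prio:4} {name:22} {reason}")
    print("rotate in this order:", rotation_list(INVENTORY))
```

The inventory itself is the hard part in practice: the triage can only cover credentials you know about, which is why the case study’s remediation also included forensic review of the systems the credentials could reach.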
Case study 2: Mother of All Breaches (MOAB)
In late January 2024, Cybernews discovered a supermassive data leak consisting of billions of exposed records on an open instance. The dataset was leaked due to a firewall misconfiguration by a data breach search engine, Leak-Lookup.
While the problem has since been fixed and the leaked dataset contains mostly information from past data breaches, the number of new records (26 billion) compared to existing records (15 billion) suggests that the breach contains new information, including sensitive personal data.
Affected brands include Tencent, Weibo, MySpace, X (previously Twitter), Wattpad, LinkedIn, Adobe, MyFitnessPal, Canva, Dropbox and Telegram. Various government organisations in countries like the US, Brazil, Germany, Philippines and Turkey were also affected.
While most of the leaked data is older and security measures like antivirus software can help protect users from attacks like malware, users with personal or financial information exposed online can still have their data used for attacks like identity theft, phishing attacks, targeted cyberattacks and unauthorised account access.
As a SaaS platform end user, due diligence like using strong and unique passwords is the first line of defence against compromised authentication credentials.
You should exercise due diligence in vetting SaaS platforms before using them – asking the right questions can help safeguard your personal information against the alarming rise in data breaches and cyberattacks.
Making the decision on a SaaS provider
As an SME with limited resources, finding the right SaaS provider for your needs can be tough when there are many different factors to consider.
How do you balance security, usability and performance when choosing a SaaS provider?
Before taking the leap and engaging a SaaS provider, identify the type of data you’re working with.
Certain types of data require stronger security measures, especially if it’s sensitive information like financial data or personal information. Your local data regulations will also apply – make sure that the SaaS provider you’re using is compliant with industry standards and regional data legislation.
Next, take stock of the people who will be using this SaaS tool: who are they, what do they need and how will this tool be used in their workflows? Understanding user devices, networks, locations and preferences will help you pick a SaaS provider that meets their expectations and requirements without compromising on security and privacy.
Finally, think about the performance you expect from the SaaS tool you’ve chosen.
While it’s tempting to go with something that will give you the most bang for your buck, you should also consider whether your organisation is expanding and whether the SaaS platform you selected can scale and grow with you.
If not, find out more about its data migration experience – you’ll want the shift to a new tool to be seamless and secure with minimal downtime so your workflows aren’t compromised.
Are high-level SaaS security features affordable for small businesses?
One cool benefit of SaaS solutions is that they can be more affordable than traditional on-premise software. High-level security features that would normally cost a bomb hurt your wallet less in a SaaS environment, since cloud-based software reduces the need for physical hardware and software, as well as IT personnel and infrastructure maintenance.
SaaS platforms often provide flexible features and payment plans to meet different business requirements, so SMEs can subscribe to different tiers according to their current needs, leaving space in their budgets for future expansion. Some SaaS tools even have a modular subscription model that scales according to headcount and features, where you only pay for what you use.
Keep your data safe and secure with Employment Hero today
Looking for an HR and payroll software? As a business owner, your day-to-day is your top priority – you don’t want to be running into workflow interruptions and data security issues in your business operations.
Employment Hero is an all-in-one HR and payroll software that helps you manage your people seamlessly, and integrates employee self-service and AI-enhanced HR in one neat package. We’re GDPR compliant, PDPA compliant and ISO/IEC 27001:2013 certified.
All of our data is hosted on Amazon Web Services (AWS) EC2 virtual servers, which are located in the AWS Asia Pacific (Sydney) region. We carry out full backups daily and transaction logs every 15 minutes, as well as verify our backups and recover them at least monthly into our staging environment, which is used to test that the backups are correct. You can find out more here on our Security Portal.
Harness the power of our fully integrated, cost-effective platform today. If you’d like to learn more about how Employment Hero can help transform your organisation, speak to one of our business specialists.
Disclaimer: The information in this guide is current as at 30th May 2024, and has been prepared by Employment Hero Pty Ltd (ABN 11 160 047 709) and its related bodies corporate (Employment Hero). The views expressed in this guide are general information only, are provided in good faith to assist employers and their employees, and should not be relied on as professional advice. The Information is based on data supplied by third parties. While such data is believed to be accurate, it has not been independently verified and no warranties are given that it is complete, accurate, up to date or fit for the purpose for which it is required. Employment Hero does not accept responsibility for any inaccuracy in such data and is not liable for any loss or damages arising either directly or indirectly as a result of reliance on, use of or inability to use any information provided in this factsheet. You should undertake your own research and seek professional advice before making any decisions or relying on the information in this guide.