Guest post by Ayush Trivedi.
The “freemium” model for software marketing—giving away a limited version of an online software product in order to entice users into paying for a scaled-up or full-featured version—started gaining traction back in early 2013 and really took off over the next 18 months.
It became the favored approach for SaaS platforms targeting marketing and sales professionals that were trying to attract new startup or small-to-midsized business (SMB) customers. Today, even large enterprises are willing to use “free trial” offers from new SaaS marketing technology (martech) providers in an effort to secure a winning edge on the cheap.
But while freemium offers are great for slashing the cost of evaluating a new marketing platform, have you considered the cybersecurity risks these free trial offers pose to your IP, your data, and your business? Here are three key questions to ask your SaaS provider about cybersecurity.
Why should you care about cybersecurity risks in someone else’s SaaS?
It’s easy to get caught up in simply trying to achieve your marketing objectives (and conserving your martech budget dollars) without stopping to consider what might actually be at risk for your organisation.
Given that most of our systems are connected, either with directly coded integrations using APIs or through external services like Zapier, a security breach in any one service could open up your crown jewels to the dark web.
Almost no one outside of IT understands exactly how all their company’s CRM, ERP, project management, email, and other digital systems are connected. But it is definitely your responsibility to take reasonable steps to ensure that any external services you use do not increase the risk of a security breach or corporate espionage.
Although (obviously) no business wants to be hacked, you might be surprised to learn that very few SaaS vendors take all the necessary steps to protect their users. Worryingly, Trustwave found as far back as 2016 that “fewer than one in four organisations consider themselves to be ‘very proactive’ in the context of security testing.”
In today’s interconnected-applications world, these stats from Norton should have you concerned:
- The global average cost of recovering from a cybersecurity breach is US$3.86 million, which is money that would otherwise have been invested in growth projects.
- On average, it takes 196 days to find a security breach, which is an alarming amount of time hackers have to rummage around in your network, applications, and databases.
So what should I do before accepting a free trial of a SaaS marketing application?
It is not uncommon to be excited at discovering a new product that you think might save you an inordinate amount of time or help you finally achieve those seemingly unreachable targets that your boss sets for you.
But you should remember that time is your friend. And knowing the right questions to ask of the SaaS provider is your secret weapon:
Question 1: Does the SaaS vendor have publicly published security policies?
Publicly published security controls may not give you hard data about the efficacy of the security policies in place, but they represent a level of maturity. Such policies signal that the SaaS developer is taking proactive steps like deploying data security software to protect your data and their IP, and ultimately that they believe their relationship with you and other customers is valuable enough to protect.
All popular cloud services that you probably use—think Dropbox, Slack, AWS, Gmail, etc.—have such pages that spell out their security practices. Look them up.
Question 2: Does the SaaS provider have any information security accreditations?
Have you ever seen companies trumpeting their ISO9001 or ISO4008 or ISOxyz accreditation? Well, there is an ISO accreditation like that for information security: ISO27001. You should look for it or something similar like SOC2 when evaluating your next marketing SaaS vendor.
These accreditations are not an ironclad guarantee that the accredited vendor’s SaaS product is ACTUALLY free of security vulnerabilities. But such accreditations do signal that the company has the corresponding policies and processes in place, and if their teams actually follow those processes then their applications should be pretty secure.
Question 3: When did the vendor last conduct a penetration test on their application and infrastructure?
Interestingly, an HP Enterprise study found that 72% of web applications have at least one security vulnerability that allows hackers to gain access to things only admins should be able to see. The only way to be sure that the application you want to use isn’t riddled with such security holes is to look at the vendor’s penetration testing report.
Most smart SaaS companies regularly use reputable web application penetration testing services to find and patch security vulnerabilities before they ship a new version of their app. And if you ask them for the latest version of such a report, they will (hopefully) be more than happy to provide it to you—if you’re a serious buyer, of course.
Is this a foolproof way to guarantee that a marketing app I want to evaluate is secure?
Unfortunately, no. There is no “foolproof” or “ironclad” way to ensure that a SaaS vendor has mitigated all cybersecurity risks. But there are proven ways to ensure that your prospective SaaS vendor has minimized the likelihood of a serious cybersecurity breach.
Ask these questions before you accept your next free trial and satisfy yourself that your company’s sensitive information is highly unlikely to fall into the hands of the type of people who shouldn’t have it.
Ayush Trivedi is the Co-Founder of Audacix. World-class SaaS and digital software teams use Audacix’s automated software testing solutions and penetration testing services to avoid “oh s**t Mondays”! If you want to test more of your software in less time, by spending less money, while ensuring that you ship it without security vulnerabilities, talk to Ayush’s team now.