How to assess a SaaS platform’s security.



More and more, businesses are migrating their operations onto the cloud. Software as a Service (SaaS) is becoming standard across all industries, and for a variety of functions. However, moving any sort of data online comes with the risk of a data breach.

This is no small fear. In 2023, IBM found the average data breach cost $4.88 million USD – the highest that number has ever been.  

So how can your business make a proactive, safe decision when purchasing SaaS subscriptions? In this article, we take a look.  

When in doubt, ask. 

You’re likely working with a SaaS vendor or reseller who is an expert in their offerings. Ask them to explain the platform’s security and to show proof. Some SaaS providers will even offer detailed security whitepapers or a more thorough security assessment upon request. If they can’t answer your questions, that’s a red flag.

Likewise, it is perfectly reasonable to ask for client references or testimonials that speak specifically to security.

Some questions to highlight. 

If you are talking to a vendor and don’t know what to ask, here are some questions to help guide the discussion: 

  • What sort of data encryption protocols does the platform follow? 
  • Is multi-factor authentication an option for user login? What about single sign-on? 
  • Does the platform allow granular permissions based on user roles? 
  • What is the vendor’s documented incident response process and how do they handle security breaches? 
  • What is the platform’s backup frequency, retention policy, and recovery time objective (RTO) in case of an outage? 
  • Do they have a vulnerability assessment for you to review? Do they conduct regular third-party penetration tests? 

Of course, depending on your industry and needs, there may be more to ask. But these questions are important when determining the strength of a platform’s security.  

Keep security certifications in mind.  

Many SaaS providers openly disclose their security certifications, and you should expect them to. Some of the important ones to look out for include:

  • ISO/IEC 27001 – the world’s best-known standard for information security management systems (ISMS). It gives organisations of any size and in any sector guidance for establishing, implementing, maintaining and continually improving an ISMS. Certification against ISO/IEC 27001 means an accredited auditor has verified that the platform’s ISMS meets the requirements of this International Standard.
  • SOC 2 Type II – the System and Organization Controls (SOC) framework’s series of reports offer some of the best ways to demonstrate effective information security controls. A SOC 2 Type II report attests that a SaaS platform’s controls for security, availability, processing integrity, confidentiality and privacy were suitably designed and operated effectively over the audit period, not just at a single point in time.
  • PCI DSS – any platform that handles payment card data should be PCI DSS compliant, just as your own business has to be.

Again, this isn’t an exhaustive list, of course. Industry-specific certifications also exist and should be taken seriously. 

In conclusion… 

It’s critical that you assess any SaaS platform’s security before purchasing a subscription. Your business’s financial health and reputation depend on it. Asking the vendor tough questions and confirming that the necessary security accreditations are in place is a strong first step in determining which platforms are safe for your business.