Guide for the Board and management to get on top of organisational SaaS risks
Getting on top of risks with Office 365, G Suite, and many other SaaS apps across your business begins with data insights. Do you have the data to begin?
WHY BOTHER: A significant shift at modern workplaces
Every modern workplace is powered by software-as-a-service (SaaS): Office 365, G Suite, Salesforce, and many others. It has been forecast that businesses globally will spend $76 billion on SaaS in 2021. Unlike in the past, when IT centrally managed software for the organisation, it is now business teams that procure and manage their own SaaS solutions.
That has resulted in a significant culture shift in technology risk management. It gives business teams more responsibility than they are ready to handle and deprives IT of the visibility it needs to run a safe IT operation. At the organisational level, this means there is little cross-oversight of the risks associated with SaaS usage. When changes happen in silos, there is no easy way to track and assess how they affect the overall security and compliance risk profile of your business. Onboarding and offboarding errors, admin access drift, excessive data sharing and wasteful spending are just some of the problems.
This is where the Board and management must come in: facilitating conversations between teams to align technology risk management practices with organisational objectives, because doing so will change the way people do things. Without buy-in from the top, the people who can deliver information security and compliance for your business will not be empowered to do what is needed.
WHERE TO BEGIN
For the Board and management, it begins with obtaining independent and contextualised data on what is at risk across your SaaS footprint. What does that look like?
1. Know
Know what SaaS risks to take account of and your baseline compared to best practices.
First and foremost, you need to know which SaaS applications matter, i.e. those that host business-critical and customer-sensitive data. The usual suspects are CRM solutions (Salesforce, Pipedrive, Dynamics 365), accounting suites (Xero, QuickBooks), engineering tools (Atlassian, GitHub) and team collaboration solutions (Slack, Teams). Don’t forget your productivity suite (Office 365, G Suite, Dropbox, Box), because users email, save and share all sorts of sensitive data using these applications.
We recommend a security assessment through 5 lenses:
Privileged Access: do we keep track of changes to our admin accounts?
Authentication: are we meeting compliance when it comes to enforcing MFA?
User Access: are we using what we pay for? How secure is our onboarding / offboarding?
Business Email: are we exposed to business email compromise?
Data Sharing: are we at risk of data leakage?
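To show what "data insights" for three of these lenses can look like in practice, here is an added example that is not Detexian's code or part of the original article. It compares a baseline snapshot of a SaaS tenant's user directory with a current one (constructed sample data, not a real export) and reports admin access drift, MFA gaps and accounts that survived offboarding.

```python
"""Baseline-vs-current checks for the Privileged Access, Authentication and
User Access lenses. Account fields mirror what most SaaS admin consoles export."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    email: str
    is_admin: bool
    mfa_enrolled: bool
    active: bool

# Constructed sample data: two snapshots of one tenant's directory plus the HR
# roster of people who should currently hold an account.
BASELINE = [
    Account("alice@example.test", True, True, True),
    Account("bob@example.test", False, True, True),
    Account("carol@example.test", False, False, True),
]
CURRENT = [
    Account("alice@example.test", True, True, True),
    Account("bob@example.test", True, False, True),         # promoted to admin, MFA dropped
    Account("carol@example.test", False, False, True),      # left the company, still active
    Account("svc-backup@example.test", True, False, True),  # new admin with no MFA
]
HR_ROSTER = {"alice@example.test", "bob@example.test"}      # carol has left

def admin_drift(baseline, current):
    """Active admins granted and revoked since the baseline snapshot."""
    before = {a.email for a in baseline if a.is_admin and a.active}
    after = {a.email for a in current if a.is_admin and a.active}
    return sorted(after - before), sorted(before - after)

def mfa_gaps(current):
    """Active accounts without MFA, admins first because they carry the most risk."""
    gaps = [a for a in current if a.active and not a.mfa_enrolled]
    return [a.email for a in sorted(gaps, key=lambda a: (not a.is_admin, a.email))]

def offboarding_gaps(current, roster):
    """Active accounts with no owner in the HR roster; unowned service accounts
    surface here too and need a named owner before they are accepted."""
    return sorted(a.email for a in current if a.active and a.email not in roster)

def assess(baseline, current, roster):
    """One report the Board can track from snapshot to snapshot."""
    granted, revoked = admin_drift(baseline, current)
    return {"admins_granted": granted, "admins_revoked": revoked,
            "mfa_gaps": mfa_gaps(current),
            "offboarding_gaps": offboarding_gaps(current, roster)}

if __name__ == "__main__":
    for lens, findings in assess(BASELINE, CURRENT, HR_ROSTER).items():
        print(f"{lens}: {findings}")
```

Re-running the same checks on each new snapshot turns the one-off assessment into the continuous tracking described under "Track" below.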
2. Act
With the above data insights, the Board and management can empower the IT/technology team to take the steps needed to improve the security posture across the SaaS footprint. The same insights enable informed conversations between the IT/technology and business teams about the changes required to meet organisational goals.
3. Track
Security is not static. Organisations grow, and so does SaaS usage, introducing new risks to your business. The Board and management should have continuous oversight of risks and the ability to track changes and the progress of remediation work over time.
WHAT’S NEXT
Previously, to KNOW your risks required a costly, resource-intensive manual audit of SaaS platforms. Most businesses don’t have the resources and know-how to do this.
The Board and management can now use the Detexian Reporting Platform to generate a SaaS Assurance Report in minutes, contextualise what is at risk and take mitigating actions.
With Detexian, your IT team has ongoing oversight of changes and progress to stay on top of SaaS applications.
Detexian is a platform that reports and tracks the GOOD, the BAD and the UGLY in SaaS security risks.