
SaaS data security: How to pick a safe and secure SaaS platform

Don't risk compromising your company's sensitive data. Use this checklist to ensure the SaaS platform you choose prioritises data security and protection.
Published 26 Mar 2024 | Updated 14 Jun 2024 | 11 min read

With everything shifting to the cloud, data security and risk mitigation are moving up the list of priorities for businesses big and small. Chances are, your organisation’s workflows involve online data storage in some way. Think about it: what if that data falls into the wrong hands?

Data breaches aren’t uncommon – in November 2020, Times Software was fined S$20,000 for failing to secure its customers’ data, and Payroll2U was fined S$4,000 in April 2024. Read on to find out more.

If you’re wondering how you can better take control of your data security risks and pick a safe and secure SaaS platform for your business, you’ve come to the right place.

TL;DR 

  • SaaS data security is crucial for local SMEs, with data security breaches on the rise.
  • Intentional and comprehensive risk assessment can help businesses manage data security threats.
  • GDPR and PDPA compliance help further lock down SaaS data security for SMEs.

What is SaaS data security?

Let’s break it down.

SaaS, short for Software as a Service, is software that is hosted on virtual machines in data centres instead of on local hardware. Users access this software through mobile, web or desktop applications. The organisation providing the software takes care of responsibilities like software updates as part of their services.

SaaS exposes more data access points than software running on local hardware, which creates more opportunities for unauthorised access to digital information. SaaS data security, then, refers to the practice of protecting that digital information from unauthorised access, corruption or theft throughout its entire lifecycle.

Why is SaaS data security crucial in the digital age?

In 2023, over 55% of security executives reported that they experienced a SaaS security incident in the past two years. More recently, there have been major data breaches involving heavyweights like LinkedIn, Snapchat, Venmo and Adobe.

When even major corporations are not spared from cybersecurity risks despite their access to resources, it’s clear that being proactive and vigilant is key to managing your organisation’s cloud security.

Personal data is a valuable asset entrusted to SaaS providers, encompassing personal identification numbers (PINs), financial data, intellectual property and much more. In the wrong hands, compromised personal data can be bought and sold on the web, providing bad actors with sensitive information that should have remained confidential.

What common security threats do SaaS platforms face?

While there can be security threats on any device, certain threats occur more often with SaaS tools.

Data breaches rank at the top of the list, where data is exposed to unauthorised third parties. That’s when hackers break through information security systems and controls to access and misuse data.

Phishing attempts are also a common data security threat for SaaS providers: bad actors send fraudulent communications to trick people into handing over sensitive personal information. A common tactic is an email disguised as legitimate that actually routes the submitted information to another source. When in doubt, don’t click the link!

Next are insider threats, which are data or security breaches that come from within an organisation. These breaches can be caused by current and former employees, contractors, business partners or stakeholders – in essence, anybody who has had access to an organisation’s confidential data.

Last but not least is identity theft, where an impersonator uses someone else’s personal data and information for their own gain. The impersonator can then use the credentials to gain access to sensitive information. This kind of data security risk is most common with malware, like viruses, keyloggers and ransomware.


Data security questions you can ask SaaS providers

Before you entrust SaaS providers with your data, think about the type of data you’re handling and classify it to understand how much protection you’ll need.

Once you’ve figured out your data security requirements, ask these questions as part of your Vendor Security Assessment (VSA):

1. What compliance and certifications does your software have?

Depending on your location, your organisation’s data may be subject to data privacy regulations meant to protect individual privacy rights and personal data. Mandatory legislation applies in different contexts and regions, and non-compliance can result in penalties including fines, legal action and damage to company reputation.

Meanwhile, certain certifications can show that a SaaS provider is compliant with specific industry standards.

Here’s a non-exhaustive list of regulatory and industry-specific standards to look out for:

Region/Provider        Legislation/Certification
International          Data Privacy Framework; ISO/IEC 27001; Payment Card Industry Data Security Standard (PCI DSS); System and Organization Controls (SOC) for Cybersecurity; SOC 2 – SOC for Service Organizations: Trust Services Criteria
European Union (EU)    General Data Protection Regulation (GDPR); Data Governance Act (DGA)
Australia              Privacy Act (1988)
New Zealand            Privacy Act (2020)
United Kingdom (UK)    Data Protection Act 2018
Singapore              Personal Data Protection Act 2012 (PDPA)
Malaysia               Personal Data Protection Act 2010 (PDPA)

Before you engage a new SaaS tool, get a rundown of their security protocols and standards. Integrating with a new system can be complex and risky, so knowing what you’re signing up for will make it easier to manage any data security gaps that might appear.


2. What are the data encryption standards on your platform?

Know your software’s data encryption standards to determine whether they can provide enough data protection. For example, are they using asymmetric encryption or symmetric encryption, and which methods are they using?

Traditional security mechanisms cover data at rest and data in transit. Check whether the provider also protects data in use with confidential computing, which runs workloads inside application-independent trusted execution environments (TEEs).

3. Do you have any access control and identity management processes in place?

Identity and access management (IAM) adds layers of security by ensuring the right people have the right levels of access to the data. IAM combines identifiers like usernames with authentication mechanisms like passwords and fingerprint scanning to verify a user’s identity, then grants them the appropriate level of access to information.

Ask your SaaS provider for a breakdown on who has access to your data and whether it can be manipulated by any parties not within your organisation. This information can be found in an organisation’s data access policy, which will outline user roles, permissions, authentication procedures and access rights processes.

4. How often is data backed up?

Data backups protect your workflows from security threats like ransomware and hacking. They also reduce downtime and help with data recovery. Knowing how and when your data is being backed up lets you supplement data protection measures, especially when it comes to regulatory compliance.

Check the data backup procedures and frequency of the SaaS platform if you’re entrusting your data to them. Most providers follow a shared security responsibility model where they are responsible for application uptime and availability, but you are ultimately responsible for your own data protection.

5. How is API security maintained in your SaaS platform?

Application Programming Interfaces (APIs) link SaaS applications to other software, enabling integration, communication and data sharing across platforms.

APIs introduce extra risk to a platform, so your SaaS provider’s API security measures should ensure data access is granted only to authorised users and applications, protecting your data from unauthorised access and exposure.


Why is user training necessary for maintaining SaaS data security?

Beyond key data security due diligence questions, you should also manage internal security risks to cover all your bases. Some of the most common security incidents come from end user behaviour flaws like phishing, scams, unsafe online interactions and device use errors.

While your SaaS platform can add layers of data security protection like single sign-on (SSO), adaptive multi-factor authentication (adaptive MFA), time-based one-time password (TOTP) tools and more, implementing user training for SaaS security can help you and your employees better identify and avoid threats through changed behaviour and password hygiene.

Why is a security-first culture vital in organisations?

When you involve all stakeholders in building a security-first culture, you diffuse data security responsibility among team members. This leads to better ownership across functions, so everyone can play a part in being vigilant.

Bringing in the correct data security strategies, policies and tools and incorporating them into your organisation’s workflows will help you and your employees better protect your organisation. While your employees can try their hardest to comply with best practices, getting support from management means that they get access to the resources they need as well as the constant reminder to keep security top of mind.

One more thing: when management puts data security first in their day-to-day, they model the behaviour you’re trying to encourage across all levels of your organisation. Managers who lead by example inspire employees to do the same.

What can we learn from past SaaS security breaches?

Case study 1: Times Software

Between January and February 2018, three organisations — Dentons Rodyk & Davidson LLP, Red Hat Asia Pacific Pte Ltd and Liberty Speciality Markets Singapore Pte Ltd — discovered that the personal data of their current and former employees had been exposed, and could be found using Google Search.

These organisations had previously used Times Software directly or indirectly through TMF Singapore H Pte Ltd, a professional services company, for certain HR and payroll services. Sensitive employee personal data was compromised in the breach including full names, identification numbers, residential addresses, contact numbers, work designations, bank account information and income tax account numbers.

After a thorough investigation, the Personal Data Protection Commission (PDPC) found that Times Software suffered a hard disk failure in 2017 where it reset the fair share scheduling (FSS) operating system to default settings, disabling the password protection feature. Since the FSS was accessible over the internet, the employee data stored within was exposed to web crawlers, indexed by Google’s search engine and stored in its cache.

To resolve the situation, the organisations involved contacted search engines that had indexed the information to take down all links to the compromised employee data. They also implemented systems, policies and standard operating procedures on data handling to ensure this would not happen again.

Times Software was fined S$20,000 for its failure in preventing the unauthorised disclosure of personal data belonging to its clients, and for retaining personal data beyond what was necessary for legal or business purposes.


Case study 2: Payroll2U

In January 2023, Payroll2U received extortion emails from a threat actor following a ransomware attack on Payroll2U servers in December 2022. Following this attack, more than 81 gigabytes of data was posted on a ransomware leak site – this breach included personal data from 5,640 Payroll2U client employees, such as names, bank account numbers, salary information, NRIC numbers, addresses and email addresses.

Payroll2U launched an internal investigation and engaged an external forensics investigator to identify the magnitude of the breach and undertake remedial action. They found that the threat actor was a LockBit affiliate who gained access to five (5) servers on Payroll2U’s AWS environment, through a single compromised account using Remote Desktop Protocol (RDP).

The threat actor gained unauthorised access to the developer’s drive and the company’s shared drive which were both mapped to the compromised account, granting them access to the affected personal data. This unauthorised activity occurred from 29 December 2022 to 16 January 2023.

Following the discovery of the data breach, Payroll2U requested that the Personal Data Protection Commission (PDPC) handle the incident under the Expedited Breach Decision Procedure (EDP). They also took remedial action such as deactivating the compromised user account and implementing data security best practices such as multi-factor authentication, host-checking, documentation and regular reviews to prevent future incidents.

As a SaaS platform end user, due diligence like using strong and unique passwords is the first line of defence against compromised authentication credentials. Users with personal or financial information exposed online can have their data used for attacks like identity theft, phishing attacks, targeted cyberattacks and unauthorised account access.

You should exercise due diligence in vetting SaaS platforms before using them – asking the right questions can help safeguard your personal information against the alarming rise in data breaches and cyberattacks.

Making the decision on a SaaS provider

As an SME with limited resources, finding the right SaaS provider for your needs can be tough when there are many different factors to consider.

How do you balance security, usability and performance when choosing a SaaS provider?

Before taking the leap and engaging a SaaS provider, identify the type of data you’re working with.

Certain types of data require stronger security measures, especially if it’s sensitive information like financial data or personal information. Your local data regulations will also apply – make sure that the SaaS provider you’re using is compliant with industry standards and regional data legislation.

Next, take stock of the people who will be using this SaaS tool: who are they, what do they need and how will this tool be used in their workflows? Understanding user devices, networks, locations and preferences will help you pick a SaaS provider that meets their expectations and requirements without compromising on security and privacy.

Finally, think about the performance you expect from the SaaS tool you’ve chosen.

While it’s tempting to go with something that will give you the most bang for your buck, you should also consider whether your organisation is expanding and whether the SaaS platform you selected can scale and grow with you.

If not, find out more about its data migration experience – you’ll want the shift to a new tool to be seamless and secure with minimal downtime so your workflows aren’t compromised.

Are high-level SaaS security features affordable for small businesses?

One cool benefit of SaaS solutions is that they can be more affordable than traditional on-premise software. High-level security features that would normally cost a bomb hurt your wallet less in a SaaS environment, since cloud-based software reduces the need for physical hardware and software, as well as IT personnel and infrastructure maintenance.

SaaS platforms often provide flexible features and payment plans to meet different business requirements, so SMEs can subscribe to different tiers according to their current needs, leaving space in their budgets for future expansion. Some SaaS tools even have a modular subscription model that scales according to headcount and features, where you only pay for what you use.


Keep your data safe and secure with Employment Hero today

Looking for an HR and payroll software? As a business owner, your day-to-day is your top priority – you don’t want to be running into workflow interruptions and data security issues in your business operations.

Employment Hero is an all-in-one HR and payroll software that helps you manage your people seamlessly, and integrates employee self-service and AI-enhanced HR in one neat package. We’re PDPA compliant, GDPR compliant and ISO/IEC 27001:2013 certified.

All of our data is hosted on Amazon Web Services (AWS) EC2 virtual servers, which are located in the AWS Asia Pacific (Sydney) region. We carry out full backups daily and transaction logs every 15 minutes, as well as verify our backups and recover them at least monthly into our staging environment, which is used to test that the backups are correct. You can find out more here on our Security Portal.

P.S. We’re a pre-approved vendor for the PSG grant! If you’re a small business owner in Singapore, find out if you’re eligible for the Productivity Solutions Grant (PSG) and how to apply for it here.

Harness the power of our fully integrated, cost-effective platform today. If you’d like to learn more about how Employment Hero can help transform your organisation, speak to one of our business specialists.

Nicole Lee
Content Marketing Specialist - Employment Hero