As organizations increasingly operate in the cloud, securing cloud data has become more top of mind. Securing software as a service (SaaS) data is particularly pressing when you consider that the average organization uses more than 370 individual SaaS applications. But with so much data across so many platforms, knowing where to start isn't easy. To help with this, we partnered with Raconteur and Salesforce to collect practical strategies and insights from more than a dozen data security leaders and experts across various industries.
Below is a summary of what we learned, which can be viewed in full here.
The Attack Surface for SaaS Data is Expanding
PwC's 2024 Global Digital Trust Insights Survey discovered that the proportion of businesses experiencing data breaches costing over $1 million grew from 27% to 36% in just one year. Despite this increase, only 44% of companies have a comprehensive data backup strategy.
A cyberattack often prompts organizations to review their data security policies. Many assume the cloud provider secures their data, but this simply isn't true. While the provider secures the platform, customers must secure their data within it. In the report, Del Heppenstall, Head of UK Cyber at KPMG UK, emphasizes the importance of scenario planning and cyber risk quantification (CRQ) in understanding the potential impacts and costs of cyber threats.
"CRQ enables the analysis and critical thinking necessary to understand the true likelihood of something bad happening and the business impact if it does," says Del. "A critical part of the approach to CRQ involves thinking through potential cyber scenarios, such as ransomware or a data breach, and estimating the most likely and worst-case impact should they occur."
Identifying SaaS Data Risks
As critical data increasingly resides in SaaS systems, 81% of organizations view cloud applications as more crucial than ever. Unfortunately, cyberattackers view these applications just as favorably. You need to be able to identify the biggest risks and vulnerabilities to your data. Three key strategies to identify data risks include:
Understanding Business Impacts
Determining how risk might impact the business must be a priority. In the report, Waseem Ali, Former Chief Analytics Officer at Lloyd's of London, stresses assessing how risks might affect the business in terms of financial, reputational, or customer acquisition impacts.
Identifying Vulnerabilities
Data often leaks when there is a lack of knowledge of how much an organization has, where it is stored, and how sensitive it is. Richard Seiersen, co-author of "How to Measure Anything in Cybersecurity Risk," advises mapping out data vulnerabilities to understand potential losses at different business levels.
Performing Security Risk Assessments
It is impossible to eliminate data security risks completely but a security risk assessment can reveal vulnerabilities. Lauren Wills-Dixon, a data protection expert at law firm Gordons, says in the report that organizations should also run a data protection impact assessment (DPIA). This internal document identifies how data is processed and whether it is being used in the intended way so the risk to personal data is minimized.
Protecting Your Data Requires More Than Just a Backup
Despite taking measures to mitigate risks, most organizations will face data loss incidents. Research by Own Company reveals that 60% of businesses have experienced a data loss in the past two years, and one-third have experienced more than one. Only two-thirds could restore all the data lost. Effective backup procedures are crucial, but recovery processes are even more critical.
Andrew Hart, Own Company's VP of Services, points out that SaaS data does not exist in isolation. With an integrated system, there can be different impacts on data recovery and loss because data is being fed in and going out of the enterprise all the time. "You need to know if the data loss was isolated to the customer software such as Salesforce or if it has permeated elsewhere," says Andrew. "Also, if you are putting data back into Salesforce, what impact does this have downstream in an integrated system? Backup is the easy part; it is in the recovery process where investment needs to be made."
Leveraging Data as a Competitive Advantage
Once secured, data offers a significant competitive edge. Barry Coatesworth of Guidehouse emphasizes the importance of data quality, accuracy, and reliability in building effective strategies and maintaining stakeholder trust.
"It offers insights previously beyond our reach," he says. "But the evolving landscape of data privacy and governance will continue to challenge us to be ever more vigilant and innovative in managing and protecting data." Coatesworth adds that a vigorous data strategy also means fostering a culture where data is managed ethically and legally to build trust. This means aligning with regulations such as GDPR and the CCPA (California Consumer Privacy Act).
AI and machine learning can also activate analytics and deliver business insights from historical data, turning data into actionable intelligence for sales teams and other departments. Despite this, many organizations still find it difficult to get data to a point where they can learn from it. Companies will see results if they invest in the right people, skills, tools, and support to delve into the data and reveal actionable business insights confidently.
Turning Strategy into Action
Securing SaaS data in 2024 requires a multifaceted approach. This involves understanding the shared responsibility model, fostering a strong cybersecurity culture, leveraging advanced technologies, and staying vigilant against evolving threats. Organizations can better protect their data by adopting these strategies and ensuring long-term success in the digital age.
Explore the full report here for a more in-depth view of these insights.
