SaaS Security: Common Mistakes that Lead to Data Breaches

Michael Koch is an entrepreneur and CEO who is an expert in SaaS. Visit Michael’s website for weekly SaaS updates.


As service providers, we are responsible for the sensitive data of all of our clients. Keeping that data secure is THE MOST important aspect of our service. If we cannot provide security to our partners, they have no reason to utilize our services. Time and time again I see companies taking shortcuts and cutting corners, and in the long run it ends up costing them the only thing keeping their business afloat: their customers. If you want to keep your customers’ data secure, stay away from the following practices that usually result in a data breach.

Poor Authentication Practices

There are a number of authentication practices you can follow, but in reality, if you’re not implementing multi-factor authentication (MFA), then you’re setting yourself up for failure. In my experience, two-factor authentication (2FA) is just not reliable enough to provide the type of security you and your clients are expecting. The beauty of MFA lies in the options you have available for authentication. Every client is going to be different, and they’re going to have varying factors that go into their authentication. By utilizing MFA, you will be able to customize each authentication process to the client, which will result in a more secure infrastructure overall.

Lack of Data Integrity

Since all of your clients are essentially in the same database, there needs to be a great deal of segregation between client data to ensure anonymity and to prevent one of your clients from being able to see the data of another client that is supposed to be secure. Security is going to be the subject of many initial client questions, and the more prepared you are to handle these questions with facts and results, the closer you are to building a strong partnership. Your segmentation will need to be thorough enough to give each client their own space, but it should also not jeopardize the integrity of your entire structure.
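The shared-database situation described above, as an added example that is not part of the original post: two tenants' rows live in one table, a lookup that filters only by record id lets one tenant read another's data, and a tenant-scoped accessor that always adds the caller's tenant to the query closes that gap. The table, tenant names and rows are constructed for illustration.

```python
import sqlite3

# Constructed sample data: two tenants sharing one table, as the text describes.
SEED_ROWS = [
    (1, "acme", "Acme Q3 forecast"),
    (2, "globex", "Globex payroll export"),
]


def build_db():
    """Create an in-memory shared-tenant table seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def get_document_unscoped(conn, doc_id):
    """Leaky lookup: filters by id only, so any tenant can read any row whose id it knows."""
    return conn.execute(
        "SELECT tenant_id, body FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()


class TenantScopedDocuments:
    """Every query carries the caller's tenant, taken from the authenticated session,
    never from request parameters the client controls."""

    def __init__(self, conn, tenant_id):
        if not tenant_id:
            raise ValueError("tenant_id must come from an authenticated session")
        self.conn = conn
        self.tenant_id = tenant_id

    def get(self, doc_id):
        # Returns None for another tenant's row, indistinguishable from "not found".
        return self.conn.execute(
            "SELECT tenant_id, body FROM documents WHERE id = ? AND tenant_id = ?",
            (doc_id, self.tenant_id),
        ).fetchone()

    def list_ids(self):
        rows = self.conn.execute(
            "SELECT id FROM documents WHERE tenant_id = ? ORDER BY id", (self.tenant_id,)
        ).fetchall()
        return [r[0] for r in rows]


def demo():
    """Compare the leaky and the scoped lookup for tenant 'acme' on row id 2."""
    conn = build_db()
    acme = TenantScopedDocuments(conn, "acme")
    return get_document_unscoped(conn, 2), acme.get(2), acme.list_ids()
```

Running `demo()` shows the unscoped lookup handing Acme the Globex row while the scoped lookup returns None and lists only Acme's own id.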

Bad Apps

Whenever your client extends their web-based applications through your service, they could potentially expose your entire database to threats. Applications that have security issues or have flaws in their infrastructure inadvertently create risks for you by utilizing your service. The scope of these threats varies with each application, but in my opinion, opening yourself up to even the most minute threat is a bad practice that can result in more issues down the line. It’s vital to understand every application you are extending to circumvent these threats and provide a secure service for all of your clients. Ask for training on the application from your partner. It will show them you are actively working towards securing their data, and it will also lead to you having a better overall understanding of their business.

Poor Employee Training

So you built your SaaS company from the ground up, secured funding, started valuable partnerships, and are beginning to hire more employees. I know how difficult it is to grow and scale a company while keeping everyone on the same page, but it is something that CANNOT be overlooked. There needs to be a thorough training program for every new hire you bring on board. These employees may have interviewed well, but you don’t know the level of knowledge each new hire has on cybersecurity. I pride myself on making sure every new hire is up to speed with security protocols within the company.

Replicating Accounts and Passwords

One thing that drives me crazy is a company that reuses account names and passwords across their platform. You might as well paint a red X on the data in these accounts to ensure it gets compromised. Diversifying account names and passwords is one of the easiest ways to create another layer of security, but for the sake of time, accounts and passwords are duplicated. Do yourself and your clients a favor by taking the extra minute to create unique accounts and passwords. Get in the practice of changing passwords every 30–90 days, depending on the importance of the data you are protecting.

In SaaS security, there are a million ways you can do something wrong, and only one way you can do it right. One large data breach could be the end of the company and most importantly the trust of your client. Take the extra time needed to ensure a safe and secure environment for your clients’ data.