11 Security Tips Every SaaS Startup Should Take to Heart
Are you currently developing any new software as a service (SaaS) or have an idea in the works? SaaS is a growing industry and for very good reason. The SaaS model of making software and all the updates for it available on a subscription basis rather than as a thing that you purchase once and are done (outside of any updates you choose to purchase, of course) has changed the way we purchase and use software. There are a lot of pros to the model — for developers and users — which is why so many people are jumping on the SaaS bandwagon. Yes, building a great SaaS solution can be lucrative, but it also comes with a lot of responsibility. Beyond delivering a smart, user-friendly solution, you need to make sure your SaaS solution is secure.
As the technology industry grows, so too does the hacking industry. Cybercrime is one of the biggest threats to technology consumers and businesses today. Building a SaaS business means dotting your i’s and crossing your t’s when it comes to security. You need to protect your clients and yourself.
Easier said than done, right? If you want to keep data breaches and cyber criminals at bay, use these 11 security tips every SaaS startup should take to heart.
Be vigilant about passwords
As obvious as this seems, it’s easy for employees to let their guard down and/or get lazy when it comes to passwords. Use a password manager to hold your employees accountable and ensure they are using strong passwords.
Never email passwords. When a password has to be shared, share it through the password manager, which encrypts it rather than leaving it in plain text in an inbox.
Teach employees the “why” behind security best practices
Security should be part of your company culture. Just knowing the security best practices is not enough. Explain to employees how each security measure protects the company and its customers. Train everyone on the damage a security breach can do and on how cyber criminals get at important information.
Employee security training should cover the following:
- Acceptable and unacceptable uses for company computers (downloads, websites, etc.)
- How to identify phishing emails and scams
- The dangers of email attachments
- The dangers of using thumb drives
- Keeping laptops locked and password protected
- Not allowing anyone within arm’s length of your company laptop
Set employees up for success by installing antivirus and firewall software on all computers. You should also reduce reliance on email by setting up a company Slack account for internal communication and Dropbox or Google Drive for file sharing.
Encrypt everything!
Encryption makes it much harder for attackers to read your information even if they manage to intercept or steal it. First and foremost, every connection to your web server should be encrypted with TLS (the successor to secure sockets layer, and still commonly called SSL). This standard best practice definitely shouldn’t be skipped.
You should also encrypt:
- Sensitive data and information on laptops
- Sensitive emails
- Communication between your office and the cloud, using a cloud-based VPN
Store customer passwords only as password hashes, never as plain text or reversible encryption: hashing is a one-way cryptographic transformation, so the stored values cannot be turned back into the original passwords. This way, if your database is compromised, the attacker gets unreadable hashes rather than usable passwords.
Keep everything updated
Keep laptops, phones, software, apps, plugins, etc. updated. Software and system updates usually include important security updates that keep you from being vulnerable to cyber attacks. You should always be running on the most up-to-date versions of everything you use.
Purchase multiple domains
Having multiple domains is a best practice when it comes to SaaS security. We recommend purchasing three domains. Your main domain should be used for employee email and outbound marketing.
Boost the security of your domain’s email by using Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). SPF and DKIM help prevent attackers from sending phishing scams that appear to come from your domain. SPF publishes in DNS which IP addresses are allowed to send email for your domain, so receiving servers can reject mail from anywhere else. DKIM adds a cryptographic signature to each outgoing message that the recipient’s server checks against a public key in your DNS, verifying that the message really came from your domain and was not altered in transit. Using these two mechanisms will reduce the spoofed phishing email that reaches you and your customers, and boost your email deliverability.
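An added example (not from the article) of what SPF does on the receiving side: given the TXT record you publish and the IP of the server that connected to deliver a message, it evaluates the `ip4`, `ip6` and `all` mechanisms, which shows why the trailing `-all` matters. The sample records and addresses are constructed; any mechanism that would need a DNS lookup is reported as unresolved.

```python
import ipaddress

# Added example (not from the article): evaluate a domain's SPF record against the
# IP that connected to deliver mail, as a receiving server does. Only the ip4, ip6
# and all mechanisms are handled offline; include/a/mx/exists need DNS lookups.

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record: str):
    """Split an SPF TXT record into (qualifier, mechanism, value) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # mechanisms default to '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, value = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), value))
    return parsed

def check_spf(record: str, sender_ip: str) -> str:
    """Return pass/fail/softfail/neutral, 'unresolved' when DNS would be needed,
    or 'none' when the record ends without any mechanism matching."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, value in parse_spf(record):
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                continue                     # skip a malformed mechanism
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif mechanism == "all":
            return QUALIFIERS[qualifier]     # '-all' rejects, '~all' only softfails
        else:
            return "unresolved"              # include:/a/mx/exists need live DNS
    return "none"                            # no 'all' term: effectively neutral
```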
Your second domain should be used for the SaaS service itself. This domain should be hosted with a different provider than your main domain. Use a cloud-based DNS service such as Amazon Route 53.
Your third domain is for internal and back-office use. As an extra precaution, register this domain anonymously so that it cannot be tied back to your company through a WHOIS lookup.
Be careful with permissions
From employees to contractors and freelancers, everyone should have their own credentials that can be revoked when necessary. Sharing logins (especially admin logins) is never a good idea. It’s hard to keep track of who’s logging in when, what’s being done, and who has access.
Make an onboarding and offboarding checklist for contractors, vendors, freelancers and employees that records every credential and access right you have granted. Then, each time you end a contract or stop working with someone, you have a checklist to ensure all ties to your system have been cut.
Use two-factor authentication
Two-factor authentication is a great way to strengthen your security. It requires two different methods (factors) to verify identity. The first factor is something you know (a username and password, a PIN, a security question). The second is something you have (a smartphone, a key fob, or an email account) that supplies or receives a one-time verification code.
Let’s face it — hackers are getting pretty good at figuring out passwords. This adds another layer of security and makes it harder for cyber criminals to access your accounts. We recommend using two-factor authentication for everything.
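As an added example (not the article’s code), this is the TOTP scheme that authenticator apps implement (RFC 6238 on top of RFC 4226 HOTP) in plain Python, including a verification window for clock drift and a last-used-step check so that an intercepted code cannot be replayed. The `last_used_step` handling and the base32 helper are this example’s own conventions.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Added example, not from the article: a minimal RFC 6238 TOTP generator and
# verifier (HMAC-SHA1, 30-second steps, 6 digits), the scheme authenticator apps use.

TIME_STEP = 30   # seconds per code
DIGITS = 6

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)

def totp(secret: bytes, at: Optional[int] = None) -> str:
    """TOTP is HOTP with the counter taken from the current 30-second window."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // TIME_STEP)

def verify_totp(secret: bytes, code: str, at: Optional[int] = None,
                window: int = 1, last_used_step: int = -1) -> Optional[int]:
    """Return the matched time step (store it as used) or None if rejected.

    Accepts the current step plus/minus `window` steps to tolerate clock drift,
    but never a step at or before `last_used_step`, which blocks replay of a code.
    """
    if not (code.isascii() and code.isdigit()):
        return None                          # compare_digest needs ASCII input
    now = int(time.time()) if at is None else at
    step = now // TIME_STEP
    for candidate in range(step - window, step + window + 1):
        if candidate <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None

def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps receive the shared secret as base32 in the provisioning URI."""
    cleaned = b32.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
```

Persist the step returned by `verify_totp` per user and pass it back as `last_used_step` on the next attempt; the secret itself must be generated with a cryptographic random source and stored as carefully as a password.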
Secure your code
Security doesn’t end with passwords and firewalls. You have to make sure your code is secure as well. Make security a priority within your development team by:
- Creating a security code review checklist
- Using a static security code analysis tool
- Maintaining a tracked backlog of security concerns and issues
Control physical access
Cyber criminals are not always miles away. They could be lurking in your office or at the coffee shop you work from. Make sure your team is not creating opportunities for criminals to gain physical access to computers or data. This means making sure:
- No one is within an arm’s length of a computer that isn’t theirs
- Computers are locked when not in use
- Your office is locked and secure
- Your server room is locked at all times
Have a plan for data leaks
You need to have a plan in case a data leak happens. Everyone on the team needs to be briefed on your plan. Your people also need to know how important it is to notify you ASAP if and when a data leak happens.
Mistakes happen. Make it a policy that data leaks are not a fireable offense. Employees need to feel comfortable coming to you immediately when something happens.
Back up your data
All critical data needs to be backed up, so that if something happens you still have a copy. Backing up data should be an automatic and continuous process. Keep the backups in a separate cloud account, or even with a different cloud provider, so that a compromised account, a malicious insider, or a human error in production cannot also destroy the backups.
A data breach could cost your company millions of dollars and all or most of your customer base. It’s hard to recover from a blow that big, which is why taking the proper security precautions and following these 11 security tips every SaaS startup should take to heart are of utmost importance.