Tips for safeguarding SaaS data in highly regulated industries


Understanding the current data protection landscape

Organisations will be unable to unlock the benefits of big data unless they prepare for the regulatory risks

Data has become a hugely valuable commodity to businesses, but as breaches become more common and privacy concerns more urgent, the regulatory risks have grown. 

A raft of new laws have been brought in to protect personal data, with around three-quarters of the global population set to be covered by such rules by 2025, according to Gartner. And rule breakers risk significant fines and reputational damage, especially if they operate in heavily regulated industries such as financial services, pharma or healthcare. 

With yet more legislation on the horizon, organisations will have to commit significant resources and investment to ensuring they remain compliant. So what risks are they likely to encounter, and how ready are they for what lies ahead?

Rachael Annear is a partner at law firm Freshfields Bruckhaus Deringer. She advises global companies on issues in data. Every organisation is “on its own journey” when it comes to compliance, and approaches vary widely, she says, although some do need to speed up. 

“In general, heavily regulated organisations tend to be very used to governance and accountability structures, but even they sometimes need to move faster to adapt to emerging data laws and the growing regulatory focus on data governance.”

Tailoring legislation

Data regulations will vary from company to company depending on size, sector and geography. But broadly speaking regulators globally have focused on two main areas when tightening up the rules: privacy and the protection of personal data, and digital advertising practices and the intersection between personal information and so-called ad tech.

While most countries have moved to bring in new laws, the EU has led the way with the General Data Protection Regulation (GDPR), which came into effect in 2018. The legislation establishes guidelines for the collection and processing of personal data so that it is fair, limited, accurate, secure and confidential. Firms must be able to demonstrate how they keep a check on these things. 

GDPR also imposes obligations on organisations wherever they are based, so long as they collect data in the EU – and the penalties can be huge. Recent examples have included a €1.2bn (£1bn) fine for Meta, €746m for Amazon and €345m for TikTok. 

Since then, Annear says the bloc has complemented GDPR with an increasing number of “sector-specific laws and laws with broad regulatory impacts on the handling of data”. These include the EU’s Digital Operational Resilience Act (DORA) in the financial services sector, and its Data Act, which applies to various businesses’ handling of both personal and non-personal data. 

“In terms of data protection regulation, the GDPR is often seen as a bit of a blueprint,” Annear says. “However, as privacy laws mature, we see examples of jurisdictions tailoring legislation to their own political, historical and cultural contexts.”

Geographic nuance

There is now a trend toward emulating GDPR around the world with the UK, many Middle Eastern countries, certain US states, Brazil, Canada, Australia and India all taking a similar path. 

That said, any company operating internationally must be aware of geographic nuances, says Nina Bryant, head of the UK information governance, privacy and security practice at FTI Consulting.

Some countries may tighten or slacken their requirements to increase their attractiveness as a global business hub

“Some countries may tighten or slacken their requirements to increase their attractiveness as a global business hub – a factor in some of the shifting laws in countries such as the UAE and Saudi Arabia. Others may weigh national interests against individual privacy protections, which is one of many factors in the US journey toward a possible federal privacy law.”

With new legislation on AI about to be passed in the EU, the regulatory scrutiny is bound to intensify, so organisations must have robust data protection strategies that cover not only data stored within their own domains, but also that held by third-party providers in the cloud, such as software as a service (SaaS) platforms. 

Complacency is not an option, and Annear stresses that each company will have to tailor its approach based on the data it is processing and the manner of processing. Firms must also keep an eye on the ever-evolving cyber risk landscape.  

“There is undoubtedly a correlation between the extent to which an organisation prepares for cyber-attacks and the harm – operational, financial, reputational and legal – caused by an incident,” she says. 

Crisis situations

Bryant says few companies are blind to regulatory risks, with the issue now taken much more seriously at board level. Yet while awareness and intention have improved, there are still gaps in execution. 

“We see many companies struggle with tackling, and thus effectively governing, the complexity of their data environments alongside a sometimes confusing patchwork of regulatory requirements. Moreover, data breaches continue to plague companies of all sizes, and in those crisis situations, many are unsure of how to effectively and correctly investigate the breach, identify what was lost and understand their notification requirements.” 

It is vital to ensure robust data protection processes are embedded across the whole organisation, she adds. This means leaders must buy into compliance and privacy as part of their company culture and values in order to establish trust with their clients or customers, setting the tone “from the top down”.

Rigorous assessment and governance of third-party providers is also critical as it remains a major area of risk exposure, and one that is likely to expand as organisations look to SaaS options for AI. 

“For any SaaS deployments and third-party partnerships wherein data is transferred and/or shared, organisations must make a regular practice of assessing and auditing their providers against all applicable data protection and privacy requirements,” says Bryant.

What are the biggest threats to SaaS data in 2024?

As firms store more of their data on cloud-based SaaS platforms, the risk of breaches increases

Software as a service (SaaS) platforms are critical for helping businesses manage everyday tasks. Common examples include file-sharing or email applications, customer relationship management tools, videoconferencing or messaging platforms, and cybersecurity solutions.

Yet as firms entrust more of their data to these third-party cloud-based vendors, the risks around protecting and managing that data have grown. There are risks to the platforms themselves and to accounts within the platforms, which many firms don’t realise are their responsibility to secure. So what data threats should SaaS users be looking out for in 2024? And how can they mitigate them?

01 External attacks on SaaS platforms

Direct attacks to platforms remain the most “newsworthy and public” risks faced by SaaS providers and their clients, says Charlie Winckless, a senior director analyst on Gartner’s Infrastructure Protection team. In this case, the SaaS provider itself is breached or otherwise compromised, and that impacts the client, as well as potentially the client’s customers. 

“A SaaS platform is a great target for an attacker,” Winckless says. “Breaching the provider is a force multiplier in the amount of data they can harvest, or the amount of customers they can impact.”

While the best SaaS providers are highly secure (though not immune to breaches or outages) smaller platforms may be significantly less robust, with many of them opaque about how they manage customer data. And while direct breaches are relatively rare, SaaS platforms can be subject to phishing, malware or DDoS attacks, leading to financial losses, data leakage and unauthorised access. 

The issue for SaaS customers is that they have little control over whether their provider will be breached, or the impact of that breach, so they should always pick vendors with good data protection records where they can. 

02 Human error

Around three-quarters of data breaches result from human error, often as a result of staff cutting corners to drive the business forward. In fact, some 74% of firms say they would violate company security policies to meet, or help team members meet, business objectives, according to Gartner research. 

“The human element is always a part of security – it’s mostly a people and a process problem,” says Winckless. 

Staff increasingly run SaaS apps on personal or unmanaged devices that can be easily compromised by account takeovers, password spraying and password stuffing. Gartner predicts that 75% of employees will acquire, modify or create technology outside the IT department’s visibility by 2027 – up from 41% in 2022.

Once an account is compromised, anything individual users can access may be compromised too. Firms must rigorously police staff use of third-party cloud-based apps, and good cloud governance policies are key. Two-step verification and other security processes should be deployed. 

“Your firm must standardise how it onboards, manages and offboards infrastructure as a service, platform as a service, and software as a service cloud workloads,” wrote IT consultancy Forrester in its recent Guide to Cloud Governance report.

“Sanction access to your cloud applications and platforms based on the sensitivity of data you’ve stored in them.”

03 Configuration issues

Security misconfigurations are another common cause of breaches, as most SaaS products have layers of configurations that users must modify according to their security and privacy policies. 

Often system administrators give out too many access permissions enabling unnecessary access to sensitive data, or multiple SaaS applications may be connected in a risky way that creates openings for opportunistic attackers. 

“Multiply configuration issues, excessive sharing, and interconnection by the SaaS footprint in a modern organisation and there’s the potential for this to be a huge issue – but one that doesn’t seem to be having a wide impact yet,” says Winckless. 

Forrester says that SaaS security management solutions can help with “configuration drift detection”, while also improving general data management and automating SaaS security governance. 

04 Climate and ESG issues

The amount of power required to run data centres is a growing concern, and the proliferation of SaaS platforms will only exacerbate the problem. 

The first risk here is in terms of environmental, social and governance  (ESG) commitments, as data hungry firms will find it increasingly hard to meet carbon reduction targets. 

“Many large data centres are struggling to meet green targets, but an organisation’s SaaS platform will be outside of their control when it comes to being energy efficient,” says Paul Holland, head of research at the Internet Security Forum.

Further down the line SaaS providers in certain geographies could struggle with the issue of data centre cooling, with infrastructure at risk of shutting down if it overheats. 

“SaaS providers could be leveraging large data centres, some of which are struggling with getting enough water to help cool their infrastructure, this could lead to outages down the line,” says Holland.

How confident are cybersecurity leaders in cloud security?

Organisations are moving more data to the cloud, but many leaders are still concerned about the company's ability to protect sensitive information

Commercial Feature

Ensuring business continuity in the event of a breach or outage

A precision backup and recovery plan is crucial to minimise the disruption of a data breach

Any company that has suffered a significant data breach will testify to the uncertainty and disruption it can cause. Not only may firms be left vulnerable to fraud, or incur penalties if they are later found to have breached data protection regulations,  but the downtime involved when recovering and restoring data can have a huge impact on business continuity. The reputational damage can also be severe.

As more and more company data is handled by third-party software-as-a-service (SaaS) platforms in the cloud, breaches have become more common, yet many firms are unprepared. 

The security of SaaS platforms themselves is rarely at fault – most of the major vendors have robust protections in place. The bigger problem is the lack of awareness among SaaS customers about how to protect their accounts and respond decisively with a strong backup and recovery plan.

Dangerous complacency

Often companies don’t realise that they share responsibility for data managed by third-party platforms, which can lead to a dangerous sense of complacency. 

According to research conducted by Forrester Consulting on behalf of Own Company, 62% of SaaS decision-makers and administrators are misinformed and ultimately unaware of their responsibility as it relates to backing up data and information. And only 39% recognise that regardless of the SaaS vendor of choice, their organisation as the SaaS customer is ultimately responsible for the backup and recovery of data.

“Breaches and downtime are inevitable with SaaS applications, but many firms wrongly assume their data is safe when they entrust it to third-party platforms,” says Eoghan Casey, who is vice president of cybersecurity strategy and product development at Own Company, a SaaS data protection provider. 

“This may mean they fail to take adequate precautions and breaches take much longer to resolve.”

Configuration issues, password sharing and the use of unmanaged or insecure personal devices can all create opportunities for canny attackers to penetrate a company’s IT infrastructure. And when a SaaS breach does happen, many customers assume the SaaS vendor will back their data up, but this is rarely the case. 

“Take document-sharing solutions such as Google Docs and Microsoft OneDrive,” says Casey. “They provide an exceptional service but don’t back up your data. That is your responsibility, not theirs.”

Stress testing

The answer is to have a good backup and recovery plan, which comprises the right tech, people and processes. Firms must also stress test worst-case scenarios to understand how they would respond if customer data was deleted or corrupted, and increasingly this is a regulatory requirement. 

A powerful backup solution should be implemented, although many firms are unaware that certain tools have limitations. 

“Many backup solutions back up onto the same cloud servers where customer SaaS data is stored,” says Casey. “But regulators increasingly want data to be backed up in separate locations to ensure it is truly secure.”

Own Company helps organisations around the world to secure their data and ensure business continuity in the event of a breach or outage. Its solution enables clients to understand data exposure risks and proactively strengthen their SaaS security posture. With continuous automated backups, proactive notifications of data loss or corruption, and user-friendly recovery tools, data can be seamlessly recovered in a separate location.

Additionally, the solution allows for quick seeding of quality data into any sandbox or sub-production environment for development, training or testing purposes. It also archives obsolete data from production environments to prevent overage costs, enhance performance and ensure compliance. 

Unlike its competitors, Own Company offers a bespoke approach that vastly speeds up the data recovery process. Rather than having to restore an entire data environment after a breach, Own Company’s system can parse through data records to isolate and fix gaps and inconsistencies, cutting recovery time by up to 71%.

Time machine

“Our continuous backup solution operates like a time machine, you can go back to any point you like and recover what you’ve lost,” Casey says. “Using blockchain, we also enable customers to verify their data after a breach if a regulator asks them to do so.”

The firm supports an array of clients from small businesses to blue chip companies, public sector agencies to government departments. It is also a verified member of the US Federal Risk and Authorization Management Program (FedRamp) – a federal government-wide compliance initiative that provides a standardised approach to security assessment, authorisation and continuous monitoring for cloud products and services.

“To truly secure your data you need a full understanding of the risks so you can adopt the right security posture,” concludes Casey. “You also need robust data protection processes embedded across the organisation, and buy-in from senior management who are key to implementation.”

A precision backup solution should underpin these efforts so firms are always prepared for the worst. 

“The more businesses rely on third-party platforms to boost productivity and streamline their operations, the greater the threat surface they will face. However, the faster they can recover from a breach the less damaging it will be.”

How effective data handling can fuel innovation

A good data management strategy not only keeps firms safe, but also unlocks creativity and innovation

It is no secret that data is transforming how businesses operate, providing them with vital insights into their customers and operations. Yet managing the mountains of data that firms create is rarely straightforward, and many find themselves struggling to reap the benefits of data-driven innovation despite the clear opportunities available to them. 

IT infrastructure issues can make it hard to access and leverage data properly. Organisations must also remain cybersecure and compliant in an increasingly complex regulatory landscape, or risk facing serious financial costs and business disruption. 

So how can firms get on top of their data governance issues and reap the full benefits of data-driven innovation?

A richer picture

SaaScada is a London-based fintech firm that provides banking technology to financial services companies. Data is a crucial growth driver for the highly regulated companies it works with, enabling them to understand more about their customers and adapt their services, says boss Nelson Wootton.

“Data gives banks a much richer picture of their customer – what their spending habits are, their income and outgoings, and how much they save versus spend. This can help to reveal the truth of how their customers live their lives, enabling them to tailor products and services to suit.”

You can have all the data in the world, but if you can’t access it and make it understandable, it’s worthless

Armed with these insights, firms can embrace a truly “evidence-based” decision-making process before committing significant investment to new ventures, Wootton adds. AI is taking this process to the next level, making it easier to identify potential new areas of revenue generation, model and mitigate risks, and improve customer safeguarding. 

Yet despite the benefits, Wootton says many firms miss out because they don’t have good oversight and control of their data landscape. “You can have all the data in the world, but if you can’t access it and make it understandable, it’s worthless.”  

Part of the problem is that large companies typically have large volumes of data spread across multiple divisions and servers around the world, meaning this data ends up locked in silos and scattered across channels, cloud apps and internal systems. 

The use of myriad software platforms from different vendors can also create integration issues that further slow data transfer.

A blessing and a curse

“The sheer volume of data organisations have at hand is both a blessing and a curse,” says Nina Bryant, head of the UK information governance, privacy and security practice at FTI Consulting. 

“While more data can often lead to more insights, ‘more’ is only better up to a point and increases organisational cost and risk. When an organisation has vast amounts of disparate data from many different sources and for dozens of different uses, it’s a challenge to classify and categorise… or to find, analyse and protect high-value data.”

This gap becomes more problematic as firms rush to adopt AI-powered systems that only work properly when fed high-quality data. Algorithms also need to access data in real time to make good real-time decisions, but that’s impossible when there are serious latency issues due to poor integration.

“Innovation with AI is impossible without the right data strategy and architecture in place,” says Chin Heng-Hong, who is vice president of product management at Couchbase, a firm that helps organisations simplify the development and deployment of applications. 

“Organisations require complete control over where their data is stored, who has access and how it is used. Without this, the safe and effective use of generative AI cannot be guaranteed, as organisations may be accidently sharing sensitive or biased information, resulting in financial and reputational damage.”

Setting a good foundation

A proper data governance strategy is key to tackling these issues, and that involves building the right teams to steward data, improving work practices across the company and streamlining technology platforms. Firms also need the right software support, including proper backup solutions and master data management (MDM) platforms to help consolidate, clean and harmonise data.  

Bryant says she often sees organisations become overwhelmed by the scope and scale of their data governance needs. Yet despite the challenges in setting a governance framework, it is well worth the work and resources, as this will set the foundation for what the organisation wants to accomplish with its data and what processes will achieve those objectives. 

“When organisations start with a culture of compliance and a culture of good data governance, they are in a much stronger position to maintain data programmes that effectively mitigate risk and fuel innovation through a smart and efficient use of data,” Bryant says. 

“When the data house is in order, regulatory risks are reduced, data can be more quickly and easily understood to reveal opportunities and data will be cleaner and more accessible to feed into analytics, AI and other tools that drive business growth.”

Daniel Thomas
Daniel Thomas Writer and editor, he has contributed to The Telegraph, Newsweek, Fund Strategy and EducationInvestor, among other publications.