Last Updated on October 7, 2023 by asifa
In years gone by, the “freemium” model was the favored one for marketing SaaS platforms trying to attract new startup or SME customers. Now even enterprises are willing to use “free trial” offers from new marketing SaaS providers to secure a winning edge on the cheap.
While freemium offers are great for slashing the cost of evaluating a new marketing platform, have you considered the cybersecurity risks these free trial offers pose to your IP, data, and business?
Why should you care about cybersecurity risks in someone else’s SaaS?
It’s easy to get caught up in simply trying to achieve your marketing objectives without considering what might actually be at risk for your organization.
Given that most of our systems are connected, either through directly coded API integrations or through external services like Zapier, you can be sure that a security breach in one service could expose your crown jewels to the internet’s underbelly.
As a marketer, you can’t possibly be expected to understand how all your company’s CRM, ERP and digital systems are connected. But it is definitely your responsibility to ensure that any external services you use do not increase the risk of a security breach or corporate espionage.
People who have been blamed for making decisions that led to cybersecurity breaches will tell you that the whole experience feels like getting a root canal without any pain relief.
While no business wants to be hacked, you might be surprised to learn that very few SaaS businesses take all the necessary steps to protect their users. Worryingly, Trustwave found as far back as 2016 that “fewer than one in four organizations consider themselves to be ‘very proactive’ in the context of security testing.”
In our interconnected-applications world, these stats from Norton should have you concerned:
- The global average cost of recovering from a cybersecurity breach is US$3.86, which is money that would otherwise have been invested in growth projects.
- On average, it takes 196 days to find a security breach, which is an alarming amount of time for hackers to rummage around in your network, applications, and databases.
So what should I do before accepting a free trial of a marketing SaaS?
It is not uncommon to be excited at discovering a new product that you think might save you an inordinate amount of time or help you finally achieve those seemingly unreachable targets your boss sets for you.
But it would be best if you remembered that time is your friend. And knowing the right questions to ask of the SaaS provider is your secret weapon:
Question 1: Does the marketing SaaS vendor have a publicly published security policy?
Publicly published security controls may not give you hard data about the efficacy of the security policies, but they represent a level of maturity. Such policies signal that a SaaS company is taking proactive steps to protect your data, and their IP and ultimately thinks that their relationship with you and their other customers is valuable enough to protect.
All the popular cloud services you probably use (think Dropbox, Slack, AWS, Gmail, etc.) have such pages that spell out their security practices. Look them up.
Question 2: Does the marketing SaaS vendor have any information security accreditations?
Have you ever seen companies claiming to be ISO9001 or ISO4008, or ISOxyz accredited? Well, there is an ISO standard for information security: ISO 27001, and you should look for it, or something similar such as SOC 2, when you’re evaluating your next marketing SaaS vendor.
These accreditations do not guarantee that the accredited vendor’s SaaS product is ACTUALLY free of security vulnerabilities. But such accreditations do signal that they have the policies and processes in place, and if their teams actually follow those processes, then their applications should be pretty secure.
Question 3: When did the vendor last conduct a penetration test on their application and infrastructure?
Interestingly, an HP Enterprise study found that 72% of web applications have at least one security vulnerability that allows hackers to gain access to things only admins should be able to see. The only way to ensure the application you want to use isn’t riddled with such security holes is to look at the vendor’s penetration testing report.
Most smart SaaS companies regularly use reputable web application penetration testing services to find and patch security vulnerabilities before they ship a new version of their app. And if you ask them for the latest version of such a report, they will be more than happy to provide it to you – if you’re a serious buyer.
Is this a foolproof way to guarantee a secure marketing app I want to evaluate?
Unfortunately, no. There is no “foolproof” or “ironclad” way to ensure that a SaaS vendor has mitigated all cybersecurity risks. But there are proven ways to ensure that your prospective SaaS vendor has minimized the likelihood of a serious cybersecurity breach.
If you really want some external validation of the level of protection that a SaaS service provider has, you could try running a free scan of their HTTP security headers. HTTP security headers are the front line of web applications’ defense against hackers.
A free vulnerability scanning tool like Cyber Chief will give you a quick indication of how seriously your prospective MarTech vendor takes their app security.
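As an added example (not code from the original post, and not related to Cyber Chief or any other named tool), here is a small checker that takes the response headers a vendor's site returns and reports which baseline security headers are missing or weakly configured. The acceptance rules (a one-year HSTS max-age, a CSP without 'unsafe-inline', DENY/SAMEORIGIN framing, nosniff, a strict referrer policy) are common scanner defaults chosen for this illustration, and the two sample header sets are constructed rather than captured from any real vendor.

```python
"""Check a set of HTTP response headers for common security headers.

Added example (not from the original post): the checks below are a typical
baseline that free header scanners report on; the sample responses at the
bottom are constructed here, not captured from any real vendor.
"""
from __future__ import annotations


def _hsts_ok(v: str) -> bool:
    # Require a max-age of at least one year (31536000 seconds).
    for part in v.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                return int(part.split("=", 1)[1]) >= 31536000
            except ValueError:
                return False
    return False


def _csp_ok(v: str) -> bool:
    # A CSP that still allows 'unsafe-inline' scripts gives little protection.
    low = v.lower()
    return "default-src" in low and "'unsafe-inline'" not in low


def _xfo_ok(v: str) -> bool:
    return v.strip().upper() in ("DENY", "SAMEORIGIN")


def _xcto_ok(v: str) -> bool:
    return v.strip().lower() == "nosniff"


def _referrer_ok(v: str) -> bool:
    return v.strip().lower() in (
        "no-referrer", "same-origin", "strict-origin",
        "strict-origin-when-cross-origin",
    )


# Baseline headers with a predicate deciding whether the value is acceptable.
CHECKS = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": _csp_ok,
    "x-frame-options": _xfo_ok,
    "x-content-type-options": _xcto_ok,
    "referrer-policy": _referrer_ok,
}

# Headers that reveal server software versions; their presence is a finding.
DISCLOSURE_HEADERS = ("server", "x-powered-by")


def check_security_headers(headers: dict[str, str]) -> dict[str, str]:
    """Map each header of interest to 'ok', 'missing', 'weak' or 'disclosed'."""
    lower = {k.lower(): v for k, v in headers.items()}
    report: dict[str, str] = {}
    for name, ok in CHECKS.items():
        if name not in lower:
            report[name] = "missing"
        elif ok(lower[name]):
            report[name] = "ok"
        else:
            report[name] = "weak"
    for name in DISCLOSURE_HEADERS:
        if name in lower:
            report[name] = "disclosed"
    return report


def score(report: dict[str, str]) -> int:
    """0-100 score: each passing baseline header earns equal credit and each
    version-disclosing header costs 10 points."""
    passed = sum(1 for n in CHECKS if report.get(n) == "ok")
    base = round(100 * passed / len(CHECKS))
    penalty = 10 * sum(1 for n in DISCLOSURE_HEADERS if report.get(n) == "disclosed")
    return max(0, base - penalty)


# Constructed sample responses (not real vendors).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Server": "ExampleServer/1.2.3",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        rep = check_security_headers(hdrs)
        print(f"{label}: score={score(rep)} {rep}")
```

To run this against a vendor's own site, feed `check_security_headers` the headers from any HTTP client (for example `dict(requests.head(url).headers)`); the score is only a rough signal, and a low result is a prompt to ask the vendor about their configuration rather than a verdict on their whole security program.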
Ask these questions before you accept your next free trial, and satisfy yourself that your company’s sensitive information won’t fall into the hands of the type of people who shouldn’t have it.
As businesses rely more on digital marketing, they must also consider the cybersecurity risks associated with the use of marketing SaaS products. Before investing in any marketing software-as-a-service (SaaS) product, assessing its cybersecurity posture is critical to ensure that your data is secure.
- How is data encrypted and stored? It’s essential to understand how your data is encrypted and stored. Look for marketing SaaS products that utilize strong encryption standards, such as AES-256, and store data in secure, compliant data centers. Also, ask about their data backup, recovery processes, and disaster recovery plan.
- What are the authentication and access controls? Access controls are critical for securing your data. Ensure that the marketing SaaS product has strong password policies, multi-factor authentication, and granular access controls that restrict access to only those who need it. Ask about their authentication protocols and how they monitor for unauthorized access.
- How is the product updated and patched? Software vulnerabilities can leave your data exposed to cyber threats. Ensure the marketing SaaS product receives regular security updates and patches to address potential vulnerabilities. Additionally, ask about their vulnerability management processes and how quickly they respond to security incidents.
Ayush is the Co-Founder of Audacix. World-class SaaS and digital software teams use Audacix’s SAP automated software testing tools and penetration testing services to avoid “oh s**t Mondays”!
At the Tech In Asia conference, he recently spoke about “low hanging fruit” AppSec initiatives that help software teams elevate their application security resilience.
If you want to ship your SaaS with zero security holes and fewer bugs, talk to Ayush’s team now.