
Protecting your SaaS deployment from stupid users

Employees need basic security awareness to reduce the risk of them doing stupid things


As I've mentioned, my new company likes to use SaaS for many of its corporate applications. This tends to keep me up at night. The software-as-a-service market is still in its infancy when it comes to security and interoperability with other vendors' security implementations and technologies.

Trouble Ticket

At issue: It would be dangerous to assume that all users are fully cognizant of the risks associated with using SaaS applications.

Action plan: Set up a security awareness training program, and make sure all new employees are exposed to the material.

What worries me are applications that contain sensitive corporate information. I'm not too concerned about HR using a SaaS application with a discount brokerage firm, and applications that employees use to access their flexible spending plans or to book travel don't really bother me. But when our finance team uses the cloud to calculate and maintain our quarterly earnings, I get nervous. I feel the same way when our sales team uses a SaaS application to register sales deals, maintain customer contacts and conduct negotiations. And I get downright apoplectic thinking about an online application for determining whether a merger or acquisition makes sense.

I have to wonder whether the people who use such applications are knowledgeable about the risks they create for our sensitive data. The reason I worry so much is that I know from experience that most people do not have adequate knowledge about simple security precautions. They opt for convenience, checking off the box that promises to remember their username and password. They use random, unsecured computers to log into SaaS applications, even, as I've noted before, doing it from an Internet kiosk in Moscow. And as if to demonstrate that they don't see that as particularly risky, they will walk away from that kiosk with the computer still logged into their account, or they will download an important document and leave it on the computer.

Clearly, I have a duty to educate these people. They need to be aware that such actions can lead to things like a compromise of a SaaS application's administrative portal, with the potential for disastrous consequences. I do not want to crack down after someone has gotten into our network and done things like adding or removing accounts, manipulating data or even deleting data.


That's why I've decided to make my information security training and awareness program a priority. The main goal is simple: to change employees' behaviour. If I can drill basic security awareness into each employee, I will reduce the risk that arises from employees doing stupid things.

Raising Consciousness

Besides the things I mentioned above, the training will address common risks associated with mobile devices, social media, phishing scams, unpatched systems, Wi-Fi access and "shoulder surfing," as well as some more far-out topics. I might demonstrate for them how easy it is to install keystroke loggers and explain such seemingly esoteric risks as using a GPS-enabled phone to visit a social media site and post images that have location data embedded in them.
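To make the last of those risks concrete, here is an added example (written for this edit, not code from the original column): a small Python script that builds a constructed JPEG carrying an Exif GPS IFD, pulls the coordinates back out by walking the JPEG marker segments and the TIFF IFD chain, and shows the fix, stripping the Exif APP1 segment before the image is shared. The coordinates, file layout and function names are assumptions made for the demonstration; no real photo or third-party library is involved, only the standard library.

```python
import struct

# Exif tags used below (TIFF IFD0 pointer to the GPS sub-IFD, and GPS sub-IFD tags).
GPS_IFD_POINTER = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
ASCII, LONG, RATIONAL = 2, 4, 5


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Construct a minimal JPEG (SOI, one Exif APP1 segment, EOI) whose Exif
    block holds a GPS sub-IFD. Sample data only: there is no image payload."""
    def ifd(entries, next_off=0):
        out = struct.pack('<H', len(entries))
        for tag, typ, count, value in entries:       # 12-byte entries, little-endian TIFF
            out += struct.pack('<HHI', tag, typ, count) + value
        return out + struct.pack('<I', next_off)

    def rationals(dms):                               # three RATIONALs: degrees, minutes, seconds
        return b''.join(struct.pack('<II', int(v * 1000), 1000) for v in dms)

    ifd0_off = 8                                      # IFD0 follows the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 + 4                   # IFD0 has one entry
    lat_off = gps_off + 2 + 4 * 12 + 4                # GPS IFD has four entries
    lon_off = lat_off + 24
    ifd0 = ifd([(GPS_IFD_POINTER, LONG, 1, struct.pack('<I', gps_off))])
    gps = ifd([
        (GPS_LAT_REF, ASCII, 2, lat_ref.encode() + b'\0\0\0'),   # fits inline in the value field
        (GPS_LAT, RATIONAL, 3, struct.pack('<I', lat_off)),      # too big to inline: offset
        (GPS_LON_REF, ASCII, 2, lon_ref.encode() + b'\0\0\0'),
        (GPS_LON, RATIONAL, 3, struct.pack('<I', lon_off)),
    ])
    tiff = b'II*\0' + struct.pack('<I', ifd0_off) + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)
    payload = b'Exif\0\0' + tiff
    app1 = b'\xff\xe1' + struct.pack('>H', len(payload) + 2) + payload   # length includes itself
    return b'\xff\xd8' + app1 + b'\xff\xd9'


def _gps_from_tiff(tiff):
    """Parse the TIFF structure inside an Exif block and return (lat, lon) in
    decimal degrees, or None when no complete GPS position is present."""
    endian = {b'II': '<', b'MM': '>'}.get(tiff[:2])
    if endian is None:
        raise ValueError('bad TIFF header in Exif segment')
    u16 = lambda off: struct.unpack(endian + 'H', tiff[off:off + 2])[0]
    u32 = lambda off: struct.unpack(endian + 'I', tiff[off:off + 4])[0]

    def read_ifd(off):                                # tag -> (type, count, offset of value field)
        return {u16(e): (u16(e + 2), u32(e + 4), e + 8)
                for e in (off + 2 + 12 * i for i in range(u16(off)))}

    ifd0 = read_ifd(u32(4))
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps = read_ifd(u32(ifd0[GPS_IFD_POINTER][2]))
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None

    def ascii_value(tag):
        _, count, vf = gps[tag]
        data_off = vf if count <= 4 else u32(vf)      # values of 4 bytes or less are inline
        return tiff[data_off:data_off + count].rstrip(b'\0').decode('ascii')

    def dms_value(tag):
        _, count, vf = gps[tag]
        data_off = u32(vf)                            # RATIONALs are 8 bytes each, never inline
        return [u32(data_off + 8 * i) / (u32(data_off + 8 * i + 4) or 1) for i in range(count)]

    def to_decimal(dms, ref):
        d, m, s = (dms + [0, 0, 0])[:3]
        deg = d + m / 60 + s / 3600
        return -deg if ref in ('S', 'W') else deg

    return (to_decimal(dms_value(GPS_LAT), ascii_value(GPS_LAT_REF)),
            to_decimal(dms_value(GPS_LON), ascii_value(GPS_LON_REF)))


def extract_gps(jpeg):
    """Walk the JPEG marker segments up to the image data and return the GPS
    position from the first Exif APP1 segment, or None if there is none."""
    if jpeg[:2] != b'\xff\xd8':
        raise ValueError('not a JPEG')
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError('marker expected at offset %d' % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                    # EOI or SOS: metadata segments all precede image data
            return None
        seg_len = struct.unpack('>H', jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and seg.startswith(b'Exif\0\0'):
            return _gps_from_tiff(seg[6:])
        pos += 2 + seg_len
    return None


def strip_exif(jpeg):
    """Return the JPEG with every Exif APP1 segment removed: the step a user
    should take (or a tool should take for them) before an image is posted."""
    out, pos = jpeg[:2], 2
    while pos + 2 <= len(jpeg):
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):
            return out + jpeg[pos:]                   # keep the image data and EOI untouched
        seg_len = struct.unpack('>H', jpeg[pos + 2:pos + 4])[0]
        chunk = jpeg[pos:pos + 2 + seg_len]
        if not (marker == 0xE1 and chunk[4:10] == b'Exif\0\0'):
            out += chunk
        pos += 2 + seg_len
    return out


if __name__ == '__main__':
    # Constructed sample position (central London-ish), not taken from any real photo.
    sample = build_sample_jpeg((51, 30, 26.0), 'N', (0, 7, 39.0), 'W')
    print('embedded position:', extract_gps(sample))
    print('after stripping:  ', extract_gps(strip_exif(sample)))
```

The same walk over marker segments serves both the check and the fix: the extractor stops at the start-of-scan marker because every metadata segment sits before the compressed image data, and the stripper copies everything through except the Exif APP1 segment, so the picture itself is untouched. Real phone photos also carry XMP and IPTC segments that can hold location data, so a production tool should drop those as well rather than only Exif.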

I also want infosec awareness guidelines to become part of the materials given to all new hires. And I'm doing ongoing education with things like an "infosec tip of the day" RSS feed, courtesy of the SANS Institute. I will fill in the gaps with some training visits to remote offices, brown-bag lunch sessions, posters and e-mail announcements of relevant security alerts.

A security-awareness training program has the potential to give you great results at a fairly low cost, but the best part might be that those visits to remote branches will get me out of the office. And we just opened a large branch in Australia!

