The cyber threat landscape is constantly evolving, and ransomware poses an increasing risk to businesses and their critical data. A 2022 report by Sophos found that 66% of organizations experienced a ransomware attack in 2021, an increase from 37% in 2020.
As businesses embrace hybrid working following the pandemic, data is being stored across numerous systems and services both on-premises and in the cloud, but measures for protecting that data aren’t keeping up. Research by backup and recovery provider Veeam found that there is an ‘availability gap’ caused by businesses’ reliance on Software-as-a-Service (SaaS) and cloud applications, with 90% of organizations reporting a gap between how fast they’re currently able to recover data and how fast they need to recover data.
Veeam also found that 52% of organizations plan to house their entire workloads on cloud services by 2023, but only 10% of businesses were actively backing up their Microsoft 365 data. When over half of businesses are working towards becoming fully cloud-based but just a tenth are backing up a major cloud service, it’s clear there is a lack of understanding regarding the security of data on SaaS platforms. Our increasing reliance on SaaS apps is leading to data being left unsecured and vulnerable – and malicious actors know this.
Ransomware attacks on SaaS platforms
When Salesforce data platform Odaseva looked specifically at ransomware attacks on SaaS platforms, it found that the target of such attacks was the data held on these services, not the platforms themselves. Odaseva also found that data lost in ransomware attacks on SaaS platforms is less likely to be restored than data lost from on-premises software: 81% of businesses that had experienced an on-premises attack were able to restore all their lost data, while only 50% of attacks on SaaS applications ended with complete restoration of the data.
The consequences of a ransomware attack for a business can be catastrophic. As well as losing sensitive data and therefore putting clients or customers at risk, there can be serious financial repercussions. Even if you choose not to pay the ransom, you will lose income from downtime: the Sophos report placed the average recovery time following a significant ransomware attack at one month. And of course, there is the reputational harm to consider too; being seen to be careless with data is immensely damaging for a business, and could even cause it to cease operating entirely.
The Shared Responsibility Model
The key to safeguarding the data you store on SaaS apps is understanding how the Shared Responsibility Model (SRM) works. The SRM stipulates that the SaaS provider is responsible for the availability of its infrastructure and for uptime, while customers are responsible for the content and data they manage via the platform. This means that protection of your data, such as ensuring it is backed up and can be restored quickly in the event of an incident or cyber-attack, is up to you. The SaaS provider is not liable if you lose data you store on its platform. Native features such as recycle bins, version history and retention settings can recover some recent deletions, but they are limited in scope and duration, are usually reachable with the same credentials an attacker has just compromised, and are not a substitute for a backup that you control and can restore from.
How to protect your SaaS data
It’s important to remember that the main causes of data loss, for both on-premises and cloud services, are accidental deletion and human error. But with the risk of ransomware attacks on the rise and malicious actors becoming increasingly aware of how much data is currently unprotected, businesses need a comprehensive protection strategy for their SaaS data.
- Complete a data audit. Review all the SaaS and cloud applications used by your organization, not just the major providers such as Microsoft 365, Google Workspace and Salesforce, but less widely used tools like Asana, Trello, GitHub and GitLab as well. Particularly with the smaller apps, check whether they have changed ownership since you started using them, as this may have affected their security. If your review raises concerns about the security of any app in current use, stop using it, remove your data and look for an alternative service. When completing your SaaS audit, you will need to create an environment where employees can tell you honestly which tools they are using and what they need in order to work efficiently. This may involve a discussion about 'shadow SaaS': online tools that staff start using independently without approval from your IT team, and which therefore fall outside your backup and access controls.
- Educate your employees. One of the best things you can do to protect all data, not just data stored on SaaS apps, is to provide IT security training for your staff. Educate employees on how to spot phishing emails and what to do in the event of a suspected ransomware attack or other type of cyber threat. This training should also address shadow SaaS, and you should encourage your teams to request the tools they want to use, rather than simply starting to use them without approval.
- Enhance all existing SaaS security. A SaaS Security Posture Management (SSPM) tool continuously assesses the configuration of SaaS applications such as Microsoft 365, Slack and Salesforce against a security baseline. It does not protect the data by itself, but it surfaces the things that put it at risk: misconfigurations, dormant user accounts, excessive user permissions, risky third-party app integrations and other cloud security gaps, so that you can fix them before an attacker finds them.
- Implement 'least privilege' access and multifactor authentication (MFA) across all apps. Users should only have the minimum access necessary to complete their work, and that access should be reviewed and revoked when it is no longer used. While it is not infallible, MFA makes apps far more secure than they would be without it, because it requires two or more independent factors to verify a user's identity (for example a password plus an authenticator app or hardware security key). Where the app supports it, prefer phishing-resistant methods such as FIDO2 security keys over SMS or emailed codes, and make MFA mandatory for administrator accounts first.
- Put external backup in place. The Sophos study found that in the event of a ransomware attack, it was backups that were the key to restoring data, not paying the ransom – so implementing external backup for your SaaS apps is crucial. What’s more, most cyber insurance providers now require organizations to meet certain backup standards, so check your policy carefully to ensure you get the right backup for both on-premises and cloud data. Another factor that will inform your data security strategy is whether you plan to implement ISO 9001 (Quality) and ISO 27001 (Information Security Management Systems).
Choose a provider that backs up your SaaS app data and encrypts it both in transit and at rest with strong, industry-standard encryption. An external SaaS backup provider also has the advantage of creating an 'air gap' of sorts: a copy of your data that sits outside the production tenant, so if you are affected by a ransomware attack, your backup, and subsequently your data, is safe. That separation only holds if the backup cannot be deleted or altered with the same credentials an attacker obtains in the tenant, so look for separate administrative identities, immutable or retention-locked backup copies, and a documented restore procedure, and test a restore periodically rather than assuming it will work. Quite simply, external backup for your cloud and SaaS tools is not optional, it is essential.
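To make the posture checks described above concrete, here is an added example (not code from the original article or from any SSPM vendor) of the kind of check such a tool automates, run over a constructed user and permission export. The record format, the 90-day dormancy threshold and the set of privileged roles are assumptions for this example; a real SSPM connector pulls the equivalent data from each platform's admin API.

```python
"""Added example: a minimal SaaS posture check of the kind an SSPM tool automates.

Flags dormant accounts, privileged accounts without MFA, and roles that were
granted but never exercised (least-privilege violations). The export format,
threshold and role names are assumptions for this example, not any vendor's
actual export schema.
"""
from datetime import date, timedelta

# Constructed sample export: one row per user, as a directory/SSPM connector
# might return it. "roles" is what is granted; "roles_used" is what the
# platform's audit log shows the user actually exercised.
SAMPLE_EXPORT = [
    {"user": "alice@example.com", "roles": ["admin", "editor"],
     "roles_used": ["editor"], "mfa": True, "last_login": "2022-09-01"},
    {"user": "bob@example.com", "roles": ["admin"],
     "roles_used": ["admin"], "mfa": False, "last_login": "2022-09-10"},
    {"user": "svc-legacy@example.com", "roles": ["editor"],
     "roles_used": [], "mfa": False, "last_login": "2022-03-15"},
    {"user": "carol@example.com", "roles": ["viewer"],
     "roles_used": ["viewer"], "mfa": True, "last_login": "2022-09-12"},
]

# Assumed for this example: which roles count as privileged, and how long an
# account may go unused before it is considered dormant.
PRIVILEGED_ROLES = {"admin"}
DORMANT_AFTER = timedelta(days=90)


def posture_findings(export, today_iso, dormant_after=DORMANT_AFTER):
    """Return a sorted list of (user, finding) tuples for the given export.

    today_iso is the assessment date as an ISO-8601 string so the check is
    reproducible regardless of when it is run.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for row in export:
        last_login = date.fromisoformat(row["last_login"])
        # Dormant account: nobody has logged in within the threshold.
        if today - last_login > dormant_after:
            findings.append((row["user"], "dormant_account"))
        # Privileged account that can be taken over with a password alone.
        if PRIVILEGED_ROLES & set(row["roles"]) and not row["mfa"]:
            findings.append((row["user"], "privileged_without_mfa"))
        # Granted but never used: a candidate for removal under least privilege.
        for role in sorted(set(row["roles"]) - set(row["roles_used"])):
            findings.append((row["user"], f"unused_role:{role}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in posture_findings(SAMPLE_EXPORT, "2022-09-15"):
        print(f"{user:28} {finding}")
```

Each finding maps to a remediation: remove or disable the dormant service account, enforce MFA on the admin without it, and strip the admin role that alice holds but has never used. Running the check on a schedule and diffing the output against the previous run turns it into a simple drift alert.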
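The value of the 'air gap' above is that an attacker holding tenant credentials cannot quietly alter or delete the backup copy. As an added example (not code from the original article or from any backup provider), the following shows one way a backup system can make that property checkable before a restore: each exported record is hashed, and the manifest of hashes is authenticated with an HMAC key that is held only by the backup system, never in the production tenant. The record layout, the example key and the simulated damage are assumptions constructed for this example.

```python
"""Added example: verifying that a SaaS backup copy is still trustworthy.

Records exported from the SaaS platform are hashed into a manifest, and the
manifest is authenticated with an HMAC key held outside the production tenant.
An attacker with tenant credentials can encrypt or delete records but cannot
forge the manifest, so verification before a restore reveals the damage.
Record format and key are assumptions for this example.
"""
import hashlib
import hmac
import json

# Constructed sample export: a few CRM-style records as a SaaS API might return.
SAMPLE_RECORDS = [
    {"id": "0012", "name": "Acme Ltd", "owner": "alice@example.com"},
    {"id": "0013", "name": "Globex", "owner": "bob@example.com"},
    {"id": "0014", "name": "Initech", "owner": "carol@example.com"},
]

# Assumed: this key lives only with the backup system, never in the tenant.
BACKUP_MANIFEST_KEY = b"example-key-held-outside-the-tenant"


def _record_digest(record):
    # Canonical JSON (sorted keys, no whitespace) so equal records hash equally.
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def build_manifest(records, key):
    """Return ({record id: sha256 hex}, hmac tag) for a backup run."""
    manifest = {r["id"]: _record_digest(r) for r in records}
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return manifest, tag


def verify_backup(records, manifest, tag, key):
    """Check a copy of the records against an authenticated manifest.

    Returns (ok, problems). ok is True only if the manifest tag verifies and
    every record in it is present and unchanged; problems lists the ids that
    are missing or altered, or ["manifest_tampered"] if the tag fails.
    """
    body = json.dumps(manifest, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        # Without the key, an attacker cannot produce a tag that matches a
        # rewritten manifest, so a bad tag means the manifest itself was touched.
        return False, ["manifest_tampered"]
    by_id = {r["id"]: r for r in records}
    problems = []
    for rid, digest in manifest.items():
        if rid not in by_id:
            problems.append(f"missing:{rid}")
        elif _record_digest(by_id[rid]) != digest:
            problems.append(f"altered:{rid}")
    return not problems, problems


def simulate_ransomware(records):
    """Constructed failure case: one record overwritten, one deleted, as a
    ransomware run inside the tenant would do."""
    damaged = [dict(r) for r in records if r["id"] != "0014"]
    damaged[1]["name"] = "ENCRYPTED-BY-RANSOMWARE"
    return damaged


if __name__ == "__main__":
    manifest, tag = build_manifest(SAMPLE_RECORDS, BACKUP_MANIFEST_KEY)
    print("clean copy:", verify_backup(SAMPLE_RECORDS, manifest, tag, BACKUP_MANIFEST_KEY))
    damaged = simulate_ransomware(SAMPLE_RECORDS)
    print("after attack:", verify_backup(damaged, manifest, tag, BACKUP_MANIFEST_KEY))
```

The design point is where the key lives: if the manifest key were stored in the same tenant as the data, the attacker could re-sign a damaged manifest and the check would pass. Real backup products implement this idea with immutable storage and separate credentials rather than a hand-rolled manifest, but the test you should run is the same one: verify the backup copy before you restore from it, and do so on a schedule rather than only after an incident.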

