In the not-so-distant past, flexible working and collaboration tools were often seen as a nice-to-have, as opposed to a necessity for business continuity. Businesses that held this view will have thought twice about it now. Fast forward a few months, and as a result of the ‘new normal’ around remote work, business leaders are reliant on such SaaS tools to maintain employee productivity. When the rapid transition to working from home began, IT teams had little time for the due diligence that would usually be applied when considering or purchasing these resources. This is the reality of the world we currently live in. Still, we are all in the same boat for the foreseeable future.
The impact of our current normal varies greatly depending on the sector, the nature of a person's role and the size of a company. Yet, how a business had to react is heavily influenced by how the organisation operated before the current crisis. Some organisations promoted flexible working prior to Covid-19 restrictions and were highly mobile already; all they needed to do was enable the remaining staff that were office-based. Other businesses had to change the way they work entirely, sometimes having to ask employees to go out and purchase laptops due to limited company resources and challenges with the global device supply chain.
No matter what the situation was before our current reality, the new business world we live in has led to an unplanned spike in SaaS usage, causing concern among IT decision-makers. The concern is justified, but there is a way to manage and prevent any risks associated with the surge in SaaS. If we break down the challenges, we can see common themes and solutions.
Your IT team’s job is to maintain order in your technology ecosystem and to ensure the right resources are available to empower workers to do their jobs while keeping the business running. In the current climate, companies and their employees are focused on working the best they can – with the right tools, or not. As a result, many IT teams face a variety of potentially risky scenarios:
- Departments are purchasing software and expecting IT teams to pay the bill. This, of course, happens even at the best of times, but leaders are now under more pressure than ever to enable their teams.
- Employees are subscribing to SaaS applications without IT approval or knowledge. Not only is the spend uncontrolled, but any sensitive data held in these apps is untracked and could lead to a potential security breach.
- Employees are signing up to free trials without considering security and with little consideration for how they will get the data out of the application once the complimentary trial period is over.
- Compliance has fallen to the bottom of the list, either because these concerns aren’t completely understood or because employees are out of their routine.
Embracing a new way of working
The surging use of SaaS is becoming both a hardware and software issue. Now that the initial impact and change are hopefully subsiding, it is time to establish a new foundation for IT. This means IT teams must:
- Identify and account for any new devices employees have purchased to work from home
- Work with employees to make sure all devices, old and new, are updated with the latest software versions
- Identify any new software and SaaS apps that employees are using, and conduct due diligence to investigate costs and security
- Build and issue an approved list of SaaS tools and applications for employees’ use to ensure compliance
Once IT teams have a grasp on the new landscape, they must dig deeper into the SaaS applications in use. As the teams discover new vendors in the corporate estate, the following checklist of questions can be used to understand the potential risks associated with the software:
- Who owns the data that is entered into the application?
- How is data segregated and protected?
- Who has access to this data?
- How is identity verified?
- What backup and restore process exists and when was it last tested?
- What happens if there is a data breach?
- What happens when the contract ends?
Potential SaaS vulnerabilities
While SaaS applications are easy to purchase and use from day one, it can be challenging to stop using such applications. Once the new SaaS applications used by employees are identified, IT teams must investigate and mitigate any potential exposures.
Not all exposures are harmful. If we take Zoom, for example, users can use the video conference tool for up to 40 minutes per call for free. If the use of Zoom becomes ingrained in company culture, chances are pretty good that the business will consider buying it a year from now. However, Zoom has recently experienced some very public issues with security and privacy, and despite the fact the company has been very active in trying to address these problems quickly, UK Government organisations have been advised to block the use of the app for now.
Furthermore, if we look at Box or Dropbox or even Microsoft Teams – it’s a hassle to get any data back out of these platforms. This isn’t something users consider upfront. Exiting these kinds of SaaS agreements can be tricky, so IT leaders should read the T&Cs carefully.
Free versions of SaaS applications also have potential data sovereignty issues. While GDPR has a specific clause that requires a right to request data deletion, some vendors may clearly state that data deletion is only for the paid subscriptions. This could set businesses up for painful compliance issues down the road.
While businesses are facing disruption like never before, we can find comfort in the reality that all businesses face similar circumstances. No matter the business, the sector or the client base, all business leaders are laser-focused on maintaining business functions and keeping afloat to get their organisations through these circumstances the best they can. While short-term goals are the current focus, companies must keep an eye on the long term too. However, taking stock of daily changes and planning for the future can be somewhat of a juggling act right now. SaaS applications have been a great tool to help employees be as productive as they can from anywhere, but IT teams must keep track of what tools are being used, both new and old, while remembering there’s no such thing as a free lunch. Visibility and centralised governance are IT’s best weapons to keep SaaS sprawl from getting out of hand.
Mark Lillywhite, Senior Solutions Consultant, Snow Software