When a cyberattack occurs, Choice Cybersecurity CEO Steve Rutkovitz says, “It’s like a wildfire.” Systems shut down, impacting the company and its customers, investigators and attorneys begin to sort out causes and liability, and expenses mount. “People know they need cyber insurance, but no one really knows how much to get,” he comments. And if the business or organization is in a highly regulated industry like healthcare, it must comply with data breach reporting and face possible fines. “It all usually comes back to the person storing the data,” he says. “The SaaS provider will be sued.”
Moreover, because ISVs with SaaS solutions store their clients’ data, they are cyberattack targets themselves. A single vulnerability in a platform that serves many customers could give criminals access to sensitive data from multiple businesses at once, which they can then sell on the dark web.
Security and Compliance Go Hand in Hand
Rutkovitz says ISVs are playing a cat-and-mouse game with cybercriminals that requires continually staying on top of the latest types of attacks. The most efficient way to manage it is with vulnerability scanning that searches for and quickly reveals weaknesses before an attacker finds them. “For example, RobinHood ransomware looks for a certain vulnerability and then exploits it. You have to look for vulnerabilities and keep up with new exploits as they come out,” he says.
Although addressing vulnerabilities and risks is a well-known part of an ISV’s business, the specific regulatory compliance requirements their customers are subject to may not be as familiar. Regulations like Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) require that companies storing consumer data take prescribed measures to protect it. He points out that all 50 states in the U.S. have personally identifiable information (PII) laws, “and things are ratcheting up.” He says, for example, new consumer data protection laws recently went into effect in Vermont and North Carolina.
“ISVs need to keep up with PII laws, and they need to understand their clients better now than in the past,” Rutkovitz comments.
Take Steps toward Compliance
Rutkovitz says the first step toward complying with a specific regulation is a risk assessment and gap analysis focused on the security and compliance framework your clients need. Which framework is right depends on the industry you serve: healthcare clients call for HIPAA, government work for NIST SP 800-171, and a client expanding to Europe or storing data on EU residents for GDPR. Your clients may also have to comply with several regulatory standards or best-practice frameworks at the same time. Because it is hard to address multiple frameworks at once, Rutkovitz suggests working through them one at a time.
He also advises scanning stored data to learn what types of sensitive information a client actually holds, such as dates of birth, credit card numbers or other PII, rather than relying on what the client believes it stores. “What you hear from the client may be different from what you find,” he comments. “They may say they don’t need to comply with GDPR, but then you find 5,000 European addresses.”
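The data discovery step described above, as an added example that is not code from the article or from Choice Cybersecurity: a small scanner that reads stored records and reports the kinds of PII the text names (card numbers, dates of birth, e-mail addresses and EU-resident indicators), then summarises what it found so the result can be compared with what the client claimed. The regular expressions, the EU country list and the sample records are constructed for illustration and are not a production DLP rule set; the Luhn check is what keeps arbitrary digit runs such as order numbers from being reported as card numbers.

```python
"""Added example (not from the article or Choice Cybersecurity): a minimal
content scanner for the PII types the text mentions. Records are assumed to
be plain text; the regexes and EU country list are illustrative heuristics."""
from __future__ import annotations

import re
from collections import Counter

# Deliberately small, hypothetical list of EU member states (assumption).
EU_COUNTRIES = {
    "austria", "belgium", "france", "germany", "ireland", "italy",
    "netherlands", "poland", "portugal", "spain", "sweden",
}

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Dates of birth in ISO (1990-04-12) or US (04/12/1990) form next to a DOB label.
DOB_RE = re.compile(
    r"\b(?:dob|date of birth|born)\b[:\s]*"
    r"(\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})",
    re.IGNORECASE,
)
# Simplified e-mail address pattern.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Any country name from the list above is treated as an EU-resident indicator.
COUNTRY_RE = re.compile(r"\b(" + "|".join(sorted(EU_COUNTRIES)) + r")\b", re.IGNORECASE)


def luhn_valid(number: str) -> bool:
    """Luhn checksum: filters out most digit runs that merely look like a card
    number (order IDs, phone numbers, timestamps)."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_record(record_id: str, text: str) -> list[dict]:
    """Return one finding per PII hit in a single record; card numbers are masked."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_valid(m.group(0)):
            digits = re.sub(r"\D", "", m.group(0))
            findings.append({"record": record_id, "type": "card_number",
                             "value": "*" * (len(digits) - 4) + digits[-4:]})
    for m in DOB_RE.finditer(text):
        findings.append({"record": record_id, "type": "date_of_birth", "value": m.group(1)})
    for m in EMAIL_RE.finditer(text):
        findings.append({"record": record_id, "type": "email", "value": m.group(0)})
    for m in COUNTRY_RE.finditer(text):
        findings.append({"record": record_id, "type": "eu_address",
                         "value": m.group(1).title()})
    return findings


def scan_records(records: dict[str, str]) -> dict:
    """Scan every record and summarise: counts per PII type plus a flag that
    at least one EU-resident indicator was seen (a signal that GDPR may apply)."""
    findings = [f for rid, text in records.items() for f in scan_record(rid, text)]
    counts = Counter(f["type"] for f in findings)
    return {
        "findings": findings,
        "counts": dict(counts),
        "eu_residents_seen": counts.get("eu_address", 0) > 0,
    }


# Constructed sample records (not real customer data). The card number is the
# well-known 4111... test number; the 13-digit order number fails Luhn.
SAMPLE_RECORDS = {
    "cust-001": "Jane Roe, DOB: 1990-04-12, jane@example.com, 12 Rue de Lyon, 75012 Paris, France",
    "cust-002": "John Doe, card 4111 1111 1111 1111, order 1234567890123, Dublin, Ireland",
    "cust-003": "Acme Corp, AP contact ap@example.org, Austin, Texas",
}

if __name__ == "__main__":
    report = scan_records(SAMPLE_RECORDS)
    for finding in report["findings"]:
        print(finding)
    print(report["counts"], "GDPR in scope?", report["eu_residents_seen"])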

Rutkovitz says it’s smart for ISVs to take a proactive approach, understanding the types of data they’re storing and creating a strategic plan to follow in the event of a cyberattack. “You need to think it out up front, so everyone knows what to do and how to go into action,” he says.
Show Potential Clients Your Defenses are Sound
Rutkovitz says your clients governed by specific regulations may want proof of compliance and the security measures you have in place before they will do business with you. “There are 800 compliances in the world right now,” he says. “You need to provide what your clients need — and still make a profit.”
Businesses often ask ISVs for a SOC 2 (System and Organization Controls 2) audit report, in which an independent auditor attests to the ISV’s controls against the AICPA Trust Services Criteria: security, and where in scope availability, processing integrity, confidentiality and privacy. Rutkovitz says his company helps ISVs through the maze of gathering the information they need from the data center or other partners to provide proof of compliance, and accomplishing it in the most cost-effective way. “Sometimes you need a sherpa to help guide you through it.”
Stand Firm on Security
Another important step ISVs can take is requiring that users follow best security practices. “SaaS vendors include security features, but a lot of users don’t set them up — they aren’t using all the tools that they could,” he comments. Require strong passwords and two-factor authentication, and do not give users the option to turn them off. “You can put all the technology in the world in place, but you’re still dealing with human behavior,” he says. Pairing those security features with training educates users on why the practices matter, so they stop looking for shortcuts.
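What the “require it and don’t let users turn it off” advice looks like in code, as an added example not drawn from the article or from any vendor’s product: a tenant-level policy that enforces a minimum password length with a breached-password blocklist (the NIST SP 800-63B approach, rather than composition rules users satisfy with “Password1!”), verifies RFC 6238 TOTP codes, and refuses to disable MFA while the tenant policy requires it. The policy structure, the sample users, the static salt and the blocklist are assumptions for illustration; the TOTP secret is the RFC 6238 test-vector key, so the generated codes can be checked against the RFC.

```python
"""Added example (not from the article): tenant policy enforcing long
passwords and TOTP two-factor authentication that individual users cannot
switch off. TOTP follows RFC 6238 (HMAC-SHA1, 30-second step); the policy
shape, sample users, salt and blocklist are illustrative assumptions."""
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass

# Tenant-wide policy set by the ISV; there is no per-user API to change it (assumption).
TENANT_POLICY = {"min_password_length": 12, "mfa_required": True}

# Constructed mini blocklist standing in for a breached-password corpus.
BLOCKLIST = {"password123!", "welcome2024!", "letmein12345"}


def password_violations(password: str, username: str) -> list[str]:
    """Length, blocklist and not-the-username checks (NIST SP 800-63B style)."""
    problems = []
    if len(password) < TENANT_POLICY["min_password_length"]:
        problems.append("too short")
    if password.lower() in BLOCKLIST:
        problems.append("on breached-password blocklist")
    if username.lower() in password.lower():
        problems.append("contains username")
    return problems


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps for clock drift, using a
    constant-time comparison so timing does not leak which digits matched."""
    counter = int(unix_time) // 30
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class User:
    name: str
    salt: bytes
    password_hash: bytes
    totp_secret: bytes | None = None  # None means the user never enrolled


def disable_mfa(user: User) -> None:
    """The 'don't let users turn it off' part: refuse while policy requires MFA."""
    if TENANT_POLICY["mfa_required"]:
        raise PermissionError("MFA is required by tenant policy and cannot be disabled")
    user.totp_secret = None


def login(user: User, password: str, code: str | None, unix_time: int) -> str:
    """Password first, then TOTP. Because MFA is mandatory, an un-enrolled user
    is sent to enrollment rather than being let in with a password alone."""
    if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
        return "denied: bad password"
    if TENANT_POLICY["mfa_required"]:
        if user.totp_secret is None:
            return "denied: MFA enrollment required"
        if code is None or not verify_totp(user.totp_secret, code, unix_time):
            return "denied: bad or missing TOTP code"
    return "ok"


# Constructed sample users. SECRET is the RFC 6238 test-vector key; a real
# deployment uses a random per-user salt and a random per-user TOTP secret.
SECRET = b"12345678901234567890"
SALT = b"constructed-static-salt"
PASSWORD = "correct horse battery staple!"
ALICE = User("alice", SALT, hash_password(PASSWORD, SALT), SECRET)
BOB = User("bob", SALT, hash_password(PASSWORD, SALT))  # never enrolled in MFA

if __name__ == "__main__":
    print(password_violations("Password123!", "alice"))   # blocklisted
    print(totp(SECRET, 59))                                 # 287082 per RFC 6238
    print(login(ALICE, PASSWORD, totp(SECRET, 59), 59))     # ok
    print(login(BOB, PASSWORD, None, 59))                   # enrollment required
    try:
        disable_mfa(ALICE)
    except PermissionError as err:
        print(err)
```

The window of one step on either side is the usual concession to phone clock drift; widen it and you hand an attacker more valid codes per attempt, so pair it with rate limiting on the login endpoint. The static salt and 200,000 PBKDF2 iterations are there to keep the example deterministic; a real service generates a random salt per user and can use a memory-hard function such as Argon2 instead.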
Rutkovitz says data retention is another area that some ISVs need to take more seriously. He says when Choice Cybersecurity asks companies about data retention, they often say their policy is to keep it for seven years, but then admit they never delete anything. “That makes the attack surface enormous. You need a policy that after a certain period, data is archived or deleted,” he says.
Rutkovitz also points out that although ISVs have a great deal of in-house technical talent, they often lack team members skilled in compliance, even though that skill can be just as important to the business’s success.