The cyber threat landscape is ubiquitous and changing faster than ever. From 2016 to 2017, the number of breaches nearly doubled. While these threats make it challenging for businesses to secure HR data, storing data in the cloud can help mitigate some of this risk. Contrary to what you may think, it is secure and more efficient to store data with a SaaS provider. SaaS solutions give you more functionality, more advanced technology and faster updates than on-premises or home-grown solutions. However, because they are online they do carry some risk. Providers acknowledge this, and most continuously improve their security metrics and invest heavily in keeping your data safe; their business model depends on it.
However, buyers have a responsibility to conduct their own due diligence and ensure a cloud solution meets their company's security requirements. This is part of a practice called third-party security risk management, a growing topic in the boardroom as businesses become more interconnected. Below are three ways to ensure security with a SaaS provider:
Test before you buy
Buying a new product is exciting, and it's easy to jump the gun before testing it. Like buying a used car, you want to test drive it to make sure the engine works and it won't fall apart the moment you drive it off the lot.
For the vast majority of SaaS providers, this test drive comes in the form of the IT Security Questionnaire section of the RFP. You'll want to work with IT to develop this part of the RFP. At a minimum, you should check that a vendor has a SOC 2 report, an ISO 27001 certification and a completed CAIQ (the Cloud Security Alliance's Consensus Assessments Initiative Questionnaire).
These credentials mean a vendor is secure enough to be worth consideration by IT, the gatekeepers of your company's network. The last thing IT wants is to be the cause of your company's headline in The Wall Street Journal because they signed off on storing your company's crown jewels in a paper boat.
Don’t set it and forget it
Storing your data in the cloud or with a third party doesn't mean you leave your data behind and forget about it. Instead, be proactive and vigilant. Practice ongoing monitoring by (1) making sure you delete data when it is no longer needed; (2) regularly checking that the right people have the proper level of access to data, especially as roles change; and (3) connecting with your provider when new regulations come out, like GDPR, to ensure they will be compliant with anything new.
Choose a security partner
As a buyer, you should be able to trust that your provider is going above and beyond to implement solid security controls and to keep you updated on security best practices. Despite how critical trust is, 37% of businesses don't believe their vendors would notify them of a data breach. Your provider should feel like a security partner, not a hurdle. To best defend against security threats, it's key that vendors and buyers partner together and each do their due diligence.
As a buyer, you ultimately own the responsibility for your employees' data, but the weight isn't just yours: we're here to spot you. At PeopleDoc, we invest a lot in our security and want not only to help streamline your HR operations, but also to support the overall security posture of your organization. See why 750 businesses trust PeopleDoc to manage sensitive HR data securely.
Learn more about PeopleDoc's membership in the Cloud Security Alliance.
Jeff Tso is a Security Partner at PeopleDoc. He works closely with customers to ensure their data is secure and available, while reinforcing PeopleDoc's security posture. He is a former global cybersecurity consultant for high-tech, supply chains, and critical infrastructure. Jeff carries a background from Georgetown University and is a pioneer in the AI Security space.