Investing in software for a team or company is tricky. There are multiple factors to consider, including price, customer service, functionality, comparable products in the market and security. The safeguards a system has in place to prevent malicious attacks have always been a primary concern for organisations; in addition, data protection laws such as the Data Protection Act 2018 stipulate that personal information must have appropriate safeguards in place. There have been multiple high-profile data breaches that resulted in reputational damage for the companies involved, along with huge penalties and financial loss.
Companies reviewing SaaS platforms want to ensure that every precaution is taken to protect the security of their data. With this in mind, we asked ARKK's Information Security Manager, Richard Hammond, to come up with the most essential points firms should consider when choosing a SaaS solution.
1. The organisation's commitment to integrating security by design
There have been numerous instances where businesses don't put enough emphasis on security within their business model. This is why it's so important to have the foundations in place across all aspects of the business, so that each team contributes to secure business practices, particularly when it comes to developing SaaS with security by design.
To give you an example, it's only natural to create a product tailored to and focused on functionality and user experience. However, other factors need to be taken into consideration, such as secure coding practices, independent penetration testing, vulnerability scanning, documented and repeatable secure software development processes and robust access control, just to name a few. Then one has to take into consideration internal business processes in order to mitigate insider threats. Now I have only scratched the surface here.
Our aim at ARKK is to provide confidence to our clients when choosing our services and SaaS products. We welcome the opportunity to complete questionnaires so that you can thoroughly assess our internal business processes, the technical and procedural controls of our information security management system (ISMS), and in particular how we integrate security within the platform where your sensitive and confidential financial data resides. We pride ourselves on the level of detail in our responses and on quick turnaround times. In addition, we provide an overview of our security practices on our website.
2. Independent pen testing
Unfortunately, in the digital era all systems will likely undergo some form of cyberattack and being prepared is one of the best forms of defence. Penetration testing, or pen testing, is essentially a simulated cyberattack on a system to evaluate its security. Any SaaS business that your organisation works with should regularly conduct an independent pen test on their systems.
At ARKK we have yearly pen tests done on our product suite and when asked will provide the executive summary for companies to view as part of their security assessment. As an additional proactive step, we also perform weekly vulnerability scanning to assess if there are any potential new vulnerabilities to remediate.
3. Web application firewalls
The first line of defence against most common cyberattacks is the use of firewalls, and it's practically guaranteed that any SaaS platform will have firewalls built in to help mitigate external threats.
We like to go one step further at ARKK and have implemented a cloud-based Web Application Firewall (WAF). What this means is that our firewalls are better at identifying and protecting against a variety of attacks, such as Distributed Denial of Service (DDoS) and attacks aimed at exploiting vulnerabilities including SQLi, XSS and many more.
4. Secure software development
Software security shouldn't be a bolt-on; the most secure platforms and systems have been built from the ground up with security in mind. Security by design is a concept that ensures that, as software is being developed and built, security is always at the forefront.
There are various ways to develop software with this approach, and our platform, for:sight, follows this methodology. At ARKK we have well-defined processes in place to adhere to, for example, the Open Web Application Security Protocol (OWASP), a set of industry best practices for web application security. We also have internal security solutions in place, such as logging, monitoring and privileged access management, to prevent potential malicious insider attacks.
5. Disaster recovery capabilities
Part of planning for the worst is having a robust business continuity/disaster recovery procedure in place. In the event of a cyberattack, a company's system may be taken down for a short time in order to isolate and rectify the issue. This can be incredibly problematic if, for example, it occurred during a filing deadline.
We know that system reliability and uptime are crucial to any firm, so ARKK have multiple fail-safes in place to ensure minimal downtime. Our customer data is replicated in another secure datacentre so, in the event of a cyberattack or natural disaster, we can use the data stored in our alternate datacentre. What this means is that our systems will be back up and running in as little time as possible; we aim to have our systems restored within a few hours rather than days.
6. A security framework in place
Security is a holistic approach that must be adopted and adhered to within all aspects of a company. As we previously mentioned, both physical and digital security are crucial to maintaining a secure infrastructure.
You want to ensure that the SaaS platform and business your company partners with has a strict security framework in place. What policies and procedures are they adhering to, and how are these incorporated within their daily practices?
We have a wide range of security measures in place, such as extensive background checks on staff to identify anyone who could be joining the company with malicious intent. ARKK also limit access to information to the relevant personnel only, through role-based access control and a comprehensive joiners, movers and leavers process.
In addition, we recognise the need to align with industry-recognised standards and frameworks. As such, ARKK is ISO 27001 certified and independently audited annually to maintain our certification. We pride ourselves on the maturity of our ISMS and continually strive to improve and grow our maturity level.
Following these 6 cybersecurity essentials will ensure that any SaaS platform your company partners with has been thoroughly checked for security deficiencies. If you'd like further information on our SaaS platform, for:sight, please click here.