Most companies have understandably been in an urgent “just get work done” mode for the last few weeks – with little time for the due diligence we would usually apply to methodology, budget implications or future headaches. It’s the reality of our times right now, and unfortunately, all of us are in the same boat for a yet-to-be-determined span of time.
Based on conversations with our customers, we know the impact of this new normal has varied greatly and is heavily influenced by how their workforce operated prior to the current crisis. Some organizations were highly mobile already and simply needed to enable outliers. Others have had to completely change the way they work, sometimes having to ask employees to purchase and expense laptops from big box stores when IT ran out of devices.
But across the board, an unplanned spike in SaaS usage is a common concern. Let’s break down the challenges and then take a look at a few suggested action steps for where to go from here.
I like to think of IT as the members of the Guardians of the Galaxy; a diverse group that comes together to fight chaos and restore order in the galaxy - or, in IT’s case, the network. Their job is to make sure we’re using the right kind of resources for the most effective and efficient way of getting work done across the organization. But right now, most workforces are focused on trying to get their job done – whether they have the right tools or not. Given this, many IT teams are facing:
- Business units buying software and sending IT the bill. This, of course, happens even in the best of times, but leaders are under more pressure than ever to enable their teams
- Individual users subscribing to SaaS applications without informing IT. Not only is the spend uncontrolled, but more importantly any sensitive data held in these apps is untracked and could lead to a potential security breach
- “Free” or Trial offers are being accepted by users with little consideration for how they will get the data out of the application once the complimentary trial period is over
- Compliance concerns are left largely unaddressed, either because they aren’t completely understood or because employees are out of their routine.
Establishing a New Foundation
Dealing with a surge in SaaS is both a hardware and a software issue. Now that the initial tsunami of change is hopefully subsiding, it is time to get a handle on the current status quo. This means:
- Identifying any new devices and bringing them under management
- Ensuring devices are patched and updated with the latest operating systems and security software
- Providing users with a portal or list of remote access tools and cloud applications to ensure they remain compliant from both a licensing and data privacy perspective
- Discovering any additional software, SaaS apps and cloud instances that are in use, so that IT can perform the due diligence around costs and security
Once you have a grasp on the current landscape, it’s time to dig deeper into the SaaS applications being used. As you discover new vendors in your estate, here are the questions you should ask them right away to understand your new risk profile:
- Who owns the data that is entered into your application?
- How is data segregated and protected?
- Who has access to this data?
- How is identity verified?
- What backup and restore process exists and when was it last tested?
- What happens if there is a data breach?
- What happens when the contract ends?
Common Software Exposures
Many SaaS applications are incredibly easy to purchase and start using – but they can be difficult to stop using. It’s important for IT teams to investigate any potential exposures that they may need to mitigate.
Some exposures are not all bad. Take Zoom for example. Users receive full access to the video conference tool for up to 40 minutes per call for free. The company is seemingly playing the long game with this approach. If you’re using it to connect now and it becomes a habit, chances are good that you’ll buy it a year from now, especially considering competitor solutions don’t offer a free version. And despite some recent issues with security and privacy, the company has been very active in trying to quickly address these problems – which means potential new users may benefit in the long term.
On the flip side, take Box or Dropbox or even Microsoft Teams – it’s a hassle to get your data back out of their platforms if you decide to switch tools. This isn’t something users are necessarily thinking about upfront when their top priority is immediate productivity. Exiting this kind of SaaS agreement is difficult, so be sure to read the T&Cs carefully.
Freemium versions are also challenging, particularly with data sovereignty issues. GDPR has a specific clause that establishes a right to request data deletion, but in some free versions of applications the vendor may clearly state that they can hold your data as long as they want. This could set you up for painful compliance issues down the road.
Times are challenging for everyone right now and keeping the business functioning has to be the top priority. Keep in mind though, your organization needs to be in this for the long term too. Get your arms around the new hardware and software accessing your network now and remember, there’s no such thing as a free lunch.