What Switching to SaaS Means for Cybersecurity


Imagine being an investor and walking into PTC headquarters in the Seaport district of Boston. The shining tower reflects the sun, and all 17 floors are full of passionate professionals and ground-breaking software. Then comes an introduction to the CEO, Jim Heppelmann, who confidently declares that your investment will be safe because he keeps it with all the other investments: under his mattress. Shock would likely be an understatement when describing your reaction. After all, banks exist precisely to manage and safeguard funds so that the individual does not have to.

This ludicrous example highlights a striking reality: many corporations today are, in a sense, stashing valuables under their mattresses. In this case, no dollar bills or coins are being shoved away but rather confidential data and user information. The hope is that, since no one knows it is under the mattress, it will be safe. That said, every responsibility to keep it safe and hidden lies firmly with the owner and their team.

To be clear, on-premises cybersecurity solutions are a good deal more secure than the average mattress, and IT teams should be commended for their hard work, but they are often fighting impossible battles when it comes to cybersecurity.

Numerous countries now engage in cyberwarfare, including Russia, China, and the U.S. Gartner recently highlighted how Russia coordinated cyberattacks as part of its Ukraine invasion plan in the early stages of the war. On top of geopolitical conflicts, organizations must be on the lookout for malicious third parties out to steal and ransom data, chaos agents just looking to wipe out or expose information for seemingly no gain, and even accidental and purposeful saboteurs within their own organization.

Given these compounding threats, it is no wonder that the FBI reported nearly $7 billion in losses due to cybercrime in 2021 alone. No matter the culprit behind a cyberattack, most share the same situational undercurrents: the IT team was overworked or stretched too thin, the security measures fell behind, and there was a breach.

To return to the bank vs. mattress example, there is a reason the former is looked upon as the standard today in monetary protection. By placing valuables with an organization purely dedicated to their protection and utilization, the odds of continuous, comprehensive security increase.

Following tradition should not stand in the way of embracing new and (frankly) superior methods of data protection. Cloud technology and cloud-based programs – and by extension software-as-a-service (SaaS) solutions – have developed and continue to improve, and most have outpaced the restrictions of an on-premises security solution. While it can be difficult for organizations with long-established on-premises cybersecurity solutions in place to contemplate the shift away from direct ownership of confidential data, the increasingly hostile realities of the digital landscape make it imperative to think differently.

In this whitepaper, PTC creates a baseline for understanding cybersecurity, as well as its relationship to SaaS and cloud, and how each technology can potentially strengthen data protection. To stress the importance of this movement, data from a recent survey is used to showcase just how much organizations are thinking about and investing in cybersecurity initiatives.

Methodology

To support this white paper, PTC contacted 76 individuals and asked them a series of 28 questions on various topics surrounding the evolution of work, with a focus on software-as-a-service (SaaS) and cloud operations. All respondents were full-time decision makers (director level and above) working in a variety of industries throughout the US.

Survey data was gathered and compiled in March-April 2022 and reflects respondents’ viewpoints and understanding of key issues at that time.

Key Terminology

As much of this survey centered around developing concepts concerning the cloud and SaaS, respondents were asked to choose a term to describe “delivering software solutions over the Internet and as a service, instead of installing and maintaining [them] yourself.” Respondents had to choose SaaS, cloud, or cloud-native. That said, PTC acknowledges that these three terms are not interchangeable. To this end, we are providing the current working definitions:

Cloud: Short for cloud computing, cloud refers to the online on-demand availability and delivery of various software services – notably computing power and storage options. These services can be accessed by any authorized user but are typically maintained and overseen by a third-party provider.

Cloud-native: A cloud-native application is designed and developed with cloud computing functionality as the principal component. These software applications run on various types of cloud, including public, private, and hybrid models. Since they are developed exclusively for the cloud, there is rarely an on-premises equivalent capable of delivering a completely identical experience.

SaaS: Software as a service is a subscription model wherein the user purchases and renews at various intervals (typically monthly or annually). In exchange, the user is supplied with a continuously updated and maintained software product, one that the provider improves frequently and consistently to maintain security and usability standards.

On-premises: Typically refers to software applications that are installed, maintained, and updated at the same physical location where they are being used. With on-premises, the end user bears most of the responsibility for the solution’s upkeep and effectiveness.

The Current State of Cybersecurity

Cybersecurity has grown in importance alongside internet usage. The more information is stored online, the more essential it is that certain data be protected. Unfortunately, as the digital landscape has evolved, so has the variety of cybercrime. Today, cyberattacks take many forms, with two of the most common being malware and phishing.

Other common forms of cybercrime include denial of service (DoS) and man-in-the-middle (MitM) attacks. Unfortunately, as IoT devices have become more prevalent, these new and sometimes not fully considered solutions can serve as unprotected network access points. Even simple machines, such as printers, can be vulnerable if not properly protected. In addition, while organizations should be wary of outside parties, an uneducated or improperly trained employee can also be the source of a data breach, leaking or releasing confidential information by accident. Data gathered by RedTeam Security found that 71% of data breaches involved careless users accidentally releasing data, and 68% involved negligence (users aware of data policy but not following all correct procedures); the two categories overlap, which is why the figures sum to more than 100%. None of these breaches came from anyone with malicious intent, yet all caused financial damage.

[Chart 1]

Regardless of the type, most cybercrime has the same goal: Hurt the victim by maliciously exploiting their confidential data. Cybercriminals thrive off the newness and ever-changing nature of the digital landscape. Organizations where employees are not specifically trained to detect or combat cybercrime are ideal targets. Ignorance is a friend of the data breach.

This was dramatically exacerbated when the pandemic struck in 2020. Organizations that had not seriously considered remote work, and what operating through a decentralized software infrastructure would look like, suddenly found themselves forced into doing just that, and quickly. Many employees and executives had to adjust to solutions they were not familiar with. Part of the result: the FBI reported that complaints about cyberattacks nearly doubled between 2019 and 2021, and the reported losses doubled as well, from $3.5 billion to roughly $7 billion.

As the pandemic turns to endemic and organizations settle into a new, flexible way of working, cybersecurity’s role will only continue to gain prominence. It is no longer a question of “if” organizations will deal with cybercrime, but “when”. While PTC data showed that 64% of all respondents were aware of cybersecurity’s importance, labeling it a top priority, it can be difficult to know exactly how to respond to the challenge.

[Chart 5]

Cybersecurity Best Practices

Given the vital importance of protecting data in the digital age, PTC encourages clients to adopt a holistic, multi-layered approach to privacy protections in general and not only to cybersecurity. One crucial component to remember is this: a network with one insecure point is an insecure network, no matter how fortified every other access point and server is. The weak link does not just break the chain; it can disintegrate it. This is just as true on-premises as it is in SaaS.

Effective cyber protection may be complex, but it starts with three simple foundations: people, process, and technology.

People: In its present state, no technology is secure enough on its own to make people unimportant. People at every level should be educated on their role in facilitating an effective cybersecurity strategy. These trainings should be focused and recurring, as cybercrime is not static. By building awareness, organizations not only lower the risk of an employee falling for a scheme, but also decrease the likelihood of a data breach occurring from accidental employee behavior.

Process: Even with trusted employees operating at every level of an organization, processes must be in place to ensure visibility and record keeping. In addition, process can include design philosophies such as zero trust and the principle of least privilege, both of which are secure by design. By constructing an organization designed to limit exposure and risk, and to track every facet of digital workflows, executives reduce the likelihood of a breach spiraling out of control.

Technology: Not all technology is created equal, so organizations should ensure they are choosing programs that work well with larger initiatives – both in terms of security and usability. Automation can be a friend here, as limiting points of human interaction reduces the opportunities for cyber criminals to make inroads into a corporate infrastructure. Regardless of solution – whether it is on-premises or cloud – steps must always be taken to ensure technology is tracked and updated when appropriate.

To better prepare clients for navigating a still new cloud-native, SaaS-propelled cybersecurity landscape, PTC recommends choosing SaaS partners who prioritize security at the people, process, and technology level.

[Chart 3]

Cybersecurity must be comprehensive and enterprise-wide; it’s not a one-and-done solution but rather a continuous process of improvement and innovation. On an organizational level, consider how to better prepare and equip people, process, and technology to develop a complete cybersecurity policy.

The Importance of Secure by Design

When discussing cybersecurity, and SaaS cybersecurity by extension, terms like zero trust and principle of least privilege are often brought up. Each has its own definition, but both are part of a larger cybersecurity philosophy: Secure by design. Secure by design is a key aspect of the modern philosophy on cybersecurity policies, as well as one of the reasons PTC sees it as relevant to cloud and SaaS solutions.

Secure by design originated in the software space. As its name suggests, it refers to software engineers taking the extra time to think and develop solutions that are fundamentally safer and less at risk than existing software. To put it another way, think of designing a bank from scratch as opposed to turning a building that used to be a fast-food restaurant into a bank. The first scenario allows for higher innate security levels without as much investment.

This type of thinking has extended outside of the software space, as organizations look to adjust their entire infrastructure to be secure by design. This can take many forms, one of which is the recurring training schedules already discussed. Organizations that formulate response plans are also making themselves more secure by design, outlining clear actions to take in the event of possible or confirmed data breach. The principle of least privilege is secure by design in the sense that it limits how users can interact with software and programs. Namely, the principle of least privilege dictates that authorized users should only be able to access the aspects of a software program they absolutely, legitimately need to perform their job functions. For example, think of payroll. It is common practice for employees to see their upcoming payments, but they have no legitimate reason to need access to the payroll of the entire organization.

Zero trust is a related concept. As its name suggests, zero trust is an architectural design philosophy summarized as “never trust, always verify.” No user or device should be trusted by default, including devices connecting from an established on-premises location (such as an office network). Rather than granting access because a request arrives from a trusted network, this philosophy verifies identity and device state on every access request, helping to ensure that only the correct users reach each resource.
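The payroll example in the least-privilege paragraph and the per-request verification of the zero-trust paragraph can be shown together in code. The block below is an added example, not code from this white paper or from any PTC product; the payroll records, session tokens, roles and device inventory are all constructed for the illustration, and the API shape is hypothetical. The hardened `get_payroll_record` authenticates every request the same way regardless of the network it came from, and then lets an employee read only their own record unless they hold a `payroll_admin` role; the weak version beside it shows the two mistakes it avoids: trusting the office network, and checking who the caller is but not what they may read.

```python
"""Per-request authorization for a hypothetical payroll API.

Added example illustrating zero trust (every request is verified, the
network it arrived from earns nothing) and least privilege (an employee
reads only their own record). All data below is constructed.
"""
import hashlib


class Denied(Exception):
    """Raised for any authentication or authorization failure."""


def _h(token: str) -> str:
    # Sessions are keyed by the SHA-256 of the bearer token, so a leaked
    # session store does not hand out usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


# Constructed sample data -------------------------------------------------
PAYROLL = {
    "e100": {"name": "Alice", "salary": 98000},
    "e101": {"name": "Bob", "salary": 87000},
    "e102": {"name": "Carol", "salary": 120000},
}

SESSIONS = {  # token hash -> identity (hypothetical session store)
    _h("tok-alice"): {"sub": "e100", "roles": {"employee"}},
    _h("tok-carol"): {"sub": "e102", "roles": {"employee", "payroll_admin"}},
}

DEVICES = {  # enrolled devices; non-compliant ones may not reach payroll data
    "lap-alice-01": {"owner": "e100", "compliant": True},
    "lap-carol-01": {"owner": "e102", "compliant": True},
    "lap-carol-old": {"owner": "e102", "compliant": False},
}


def authenticate(request: dict) -> dict:
    """Zero trust: identity and device are checked on every request.

    The request's "network" field (office vs. internet) is deliberately
    ignored; arriving from the office LAN grants nothing.
    """
    token = request.get("token")
    identity = SESSIONS.get(_h(token)) if token else None
    if identity is None:
        raise Denied("forbidden")
    device = DEVICES.get(request.get("device_id"))
    if device is None or device["owner"] != identity["sub"] or not device["compliant"]:
        raise Denied("forbidden")
    return identity


def get_payroll_record(request: dict) -> dict:
    """Least privilege: own record only, unless the caller is a payroll admin."""
    identity = authenticate(request)
    target = request["employee_id"]
    if target != identity["sub"] and "payroll_admin" not in identity["roles"]:
        raise Denied("forbidden")
    record = PAYROLL.get(target)
    if record is None:
        # Same generic error as the authorization failure above, so the
        # endpoint cannot be used to enumerate valid employee IDs.
        raise Denied("forbidden")
    return record


def get_payroll_record_weak(request: dict) -> dict:
    """The 'before' version: trusts the office network and, once a token is
    accepted, returns any record asked for (an insecure direct object
    reference). Kept only for contrast; do not use."""
    if request.get("network") != "office":
        token = request.get("token")
        if not token or _h(token) not in SESSIONS:
            raise Denied("forbidden")
    return PAYROLL[request["employee_id"]]


def try_get(handler, request: dict):
    """Return the record, or None when the handler denies the request."""
    try:
        return handler(request)
    except Denied:
        return None


if __name__ == "__main__":
    alice_reads_bob = {"token": "tok-alice", "device_id": "lap-alice-01",
                       "network": "office", "employee_id": "e101"}
    print("weak   :", try_get(get_payroll_record_weak, alice_reads_bob))
    print("hardened:", try_get(get_payroll_record, alice_reads_bob))
```

Running the script shows the weak handler returning Bob's salary to Alice, while the hardened handler denies the same request. Note that the hardened version also fails closed: a missing token, an unenrolled device, or a device owned by someone other than the caller all produce the same generic denial.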

The best SaaS solutions are built secure by design. On-premises solutions, by contrast, are frequently legacy systems, with workflows created when cybersecurity was a much lower priority. Even upgraded, these systems may still carry vulnerabilities that are not cheaply corrected. In a digital age, it is no longer optional to consider security after the fact. Organizations should view it as a foundational aspect of all business operations for both internal- and external-facing employees.

How the Cloud Strengthens Cybersecurity

Even with the challenges of updating legacy software, IT directors and executives may still balk at the idea of turning to the cloud for cybersecurity. As the old saying goes: “The safest hands are still our own.” Even ignoring the challenge of legacy systems, however, on-premises is not superior. While storing data onsite or in proprietary servers does put all confidential data under the organization’s immediate and full control, this is a double-edged sword.

In an ideal world, perhaps, with fully staffed IT personnel, and specifically a fully staffed information security team, organizations could guard their data effectively. That view ignores larger trends such as skilled worker shortages, increased turnover, and increased risk of burnout, not to mention increasingly powerful cyberattacks. Even organizations that prepare for a data breach with a disaster recovery plan are not safe: 2022 research by IDC showed that 79% of respondents had activated that plan within the past 12 months.

Data gathered by PTC confirms: 68% of organizations said their IT teams operate in a near constant state of maintenance. Given the enormous shift toward digital workflows, IT is now involved in nearly every facet of business. This keeps in-house IT teams in reaction mode. They do not have the time or bandwidth to think proactively or plan for potential security challenges. Basically, whatever is not actively on fire (in metaphorical or literal terms) does not receive attention, even if it should.

Contrast this approach with a cloud storage provider – an organization with the sole function of safeguarding confidential data and information. Obviously, not every cloud storage provider is equal in terms of cybersecurity prowess but, by shifting the burden onto an organization whose only function is securely storing data, executives are in fact putting their secrets into locations that are monitored constantly for potential breaches and exposure.

Ultimately, cloud is part of secure by design because it restricts access to data by default rather than leaving it open to everyone in the client organization. Cloud providers are, by nature, prudent with permissions, typically asking their clients directly who should have access to what data. Deciding and configuring those permissions remains the client’s responsibility under the provider’s shared-responsibility model, but the provider’s tooling makes that decision explicit. This style of operation limits the likelihood of an employee accessing a system they have no business interacting with. It also prevents an employee from damaging or destroying an on-site server, whether accidentally or purposefully. While it is possible to set up equivalent controls in an on-premises solution, that is yet another task for the in-house IT department to constantly monitor, update, and manage.

How SaaS Strengthens Cybersecurity

Software updates used to be primarily about features, and adding new content and capabilities remains a highlight of trading up to the newest software. Security, however, has also emerged as a compelling incentive to update, with some providers going as far as to force the improvement. SaaS solutions should not be thought of as one-time exchanges. Organizations are not buying the software; they are leasing the latest version. While the loss of complete ownership may sound like a downgrade, SaaS greatly strengthens overall cyber protections.

Think of a traditionally installed program. The user loads it into their computer and there it remains, to be used as needed. On a personal computer, the user may update if they want new features or to fix a security vulnerability. In professional settings, however, such initiative toward modification is often discouraged. Yes, the employee may successfully update their machine, but they may also take themselves offline for an unacceptable amount of time. Most organizations do not even grant the average employee the necessary permissions to make such updates.

This results in numerous software versions attempting to work in unison across an enterprise landscape. At best, the versions still interoperate fully. Some features, however, may be lost depending on the software. The worst case is that certain employees are operating on software with known, unpatched vulnerabilities.

This was problematic enough when everyone worked under one roof. Decentralized employees have only compounded the issue. If the software is strictly an on-premises purchase, the employee may need to send in their machine for service, or IT will have to mail out the new software and provide detailed instructions – which may still fail.

In a SaaS solution, updates roll out uniformly, putting every employee on equal footing. It also greatly reduces the risk of cybersecurity vulnerabilities by automating the update process. Organizations using SaaS solutions do not need to assign IT to manually comb every hardware station to ensure software is still secure. With SaaS solutions, highly skilled employees are able to focus less on maintenance and oversight and more on strategizing and supporting business initiatives.

The Importance of Choosing the Right SaaS Partner

Business is going digital. This truth, which has existed for years, is not changing anytime soon. Disruptions like the pandemic (and now inflation) are fueling employee desire for decentralized work, placing more emphasis and more pressure on organizations to have robust, secure infrastructures that empower flexible work habits.

As a result, cybersecurity’s importance will only increase. Data shows that many organizations already understand this reality, with 33% of respondents believing their organization invests more in cybersecurity than other top priorities (another 43% described the level of investment as similar to other top priorities). This does mean, however, that almost a quarter of respondents did not believe cybersecurity was being invested in as much as other business initiatives. These organizations seriously risk not having the robust infrastructure needed to fight the changing landscape of cyberattacks.

When asked if they expected cybersecurity spend would increase in the next two years, 28% believed it would not. The majority of organizations understand that, as the damage of cybercrime increases, so too must protective investments.

The growing variety of internet-enabled devices and the increased presence of a decentralized workforce will only further complicate the already complex cybersecurity landscape. By switching from on-premises to cloud-based SaaS solutions, organizations gain protection while freeing up their IT teams to take more proactive positions. In a decentralized, digital world, SaaS is not just more effective than on-premises; it is generally the more relevant solution. While it may sound counterintuitive, it can be, and often is, safer to store confidential information outside of traditional on-premises solutions.

SaaS has changed the reality of cybersecurity. Organizations are no longer bound by the limits of their own IT infrastructure when it comes to protection, and this is a net positive. When looking at the multitude of threats – including foreign nations – it is impossible to expect the average SMB to comprehensively protect itself and its data using only its own resources.

It can be intimidating to contemplate the move from managing cybersecurity through onsite resources to an external partner. Not every SaaS organization operates with the same level of cybersecurity protection and so organizations should not simply sign away on-premises data protection every time a vendor says “SaaS.” The best SaaS partners will have numerous cybersecurity protocols built into their programs and be designed from the ground up with security in mind.

Learn More About PTC

For additional information on how PTC approaches cybersecurity, see our Trust Center or contact us here.