SaaS plays a fundamental role in our modern technology ecosystem and elevates the need for mature IT processes.
Nearly every organization relies on SaaS for some part of service delivery, but dependency on these solutions cannot override adherence to IT processes. If organizations become too complacent, they run the risk of a vendor outage affecting their ability to do business with their customers.
3 Steps to Lowering Risk
Modern IT service delivery is somewhat like a complex supply chain: multiple vendors doing their part to ensure a successful outcome is achieved. Unfortunately, one snag in the chain, one problem with one vendor, can disrupt the entire process, increasing business risk and potentially leading to a failed outcome.
Organizations have different priorities, yet the need for lowering risk is universal regardless of industry or organization size. Here are three steps you can take to protect your institution against potential vendor problems:
- Conduct a risk assessment: How reliant are your core business processes on SaaS solutions? How interconnected are your systems with outside vendor services? Where are the touch points located, and how many are there? In other words, if one of your SaaS providers had a problem, what would that mean to your organization’s ability to operate?
  Performing a risk assessment is the best way to answer this question (as well as many others). Once you understand your level of exposure, you can craft a strategy to reduce the impact to your organization if one or more SaaS vendors stop providing services.
- Tighten change management processes: Recent news stories have proven the old axiom “trust but verify” is a wise strategy. We have become comfortable with SaaS solutions and outsourcing many parts of our IT services to other companies. Maybe too comfortable. The performance and reputation of many vendors have been stellar, which in some ways has lulled organizations to sleep when it comes to change management. After all, we want our hardware and software to be up to date on maintenance patches (especially security ones), and it’s a comfort knowing vendors are taking action to ensure our systems (and their software) are current. But we can’t simply assume all will be well when updates are applied.
  This is why change management processes are so important. Before any change is applied to your production environment (whether by a vendor or your internal team), it must first be tested. Turn off automatic updates in production. Create a buffer zone. Apply changes to non-production environments first, and then simulate business operations to validate the efficacy of the update and to ensure the change does not degrade performance, or cause some other problem, before promoting the new code to production.
  For noncritical systems, you can be less strict. But you need to have a good grasp of which systems are critical and which ones are not before you relax. There has been more than one example of a software patch taking down a critical business process because the server it was applied to was incorrectly deemed “noncritical.”
- Update disaster recovery and business continuity plans: When was the last time you reviewed your disaster recovery and business continuity plans? Better yet, when was the last time those plans were really tested? If it has been a while, it may be time to take a look at them.
  A good first step is to conduct a business impact analysis. That is, review your core business processes and supporting systems and determine what would happen to your operation if you experienced an outage. Consider a range of outage scenarios, everything from the inability of users to log in to applications or to access datasets to actual physical disasters such as tornadoes, earthquakes, fire, or floods. And yes, faulty SaaS software updates should be one of those scenarios.
  Update your plans according to your findings. Can your people work offline if systems are down? If so, for how long—an hour, two hours, a week? Can you continue to receive orders, locate inventory, pack, and ship products without access to your order entry and warehouse management systems? Can you continue to serve your customers by processing transactions manually? If so, do your employees understand how to make that shift? Can you accept cash if your credit/debit processing system is down?
  There are a host of questions, depending on the business you’re in. Putting solid plans in place, testing them, and training your people on executing them is one key part of lowering the risk of any outage.
Taking the Next Step
Reducing business risk comes down to preparedness. While we can’t control outside forces (e.g. cyberattacks, supply chain issues, vendor errors, etc.), we can prepare our organizations to respond to adverse conditions and either eliminate or lessen their impact on our operations.
ePlus Security is a leading security technology advisor and integrator with a broad solutions portfolio, strong industry relationships, and an unmatched breadth of engineering talent and expertise. With a focus on customer experience, our security team designs and delivers outcome-focused, customized cybersecurity programs aimed at defining and mitigating business risk, maximizing technology investments, and creating safer digital environments.
For guidance on performing a risk assessment, revising change management processes, or developing disaster recovery and business continuity plans, ePlus can help. Check out ePlus Security for more information or contact us to schedule a call with a security consultant.