I’m in the dentist waiting room writing this (long story) and since I have a little time to kill, I’ll take the opportunity to regale a concerning information security anecdote. This tale involves a SaaS provider taking a frankly shocking view as to what is acceptable in terms of information security practice. As tempting as it is to name and shame, I won’t. It’s something I have done in the past, but perhaps it’s time to grow up now. After all, ignorance doesn’t necessarily carry fault, and in any case, naming offending parties runs the risk of me coming across all smug and churlish, and I wouldn’t want the message to be lost in that.
So here is the scenario: we have been trialling a few support software solutions recently, you know, the kind that issue tickets to clients for resolution by a team. Anyway, one of them seemed to stand out; it had all the features we wanted, was simple to manage, tied in with our branding, was affordable, and most importantly was easy for clients to use too. So, we ran with it through the trial period and set up payment for the following month. When the trial period ended, and as expected, I received a call. All the usual questions were asked: were we happy with it, does it meet our needs, and so on. All met with yeses from me. Then of course along came the obligatory upsell. Now, I have no issue with upselling, it’s normal sales practice and I don’t take offence; however, this one was bizarre.
“Do you have any additional security requirements?”, I am asked.
“Additional security requirements?” I queried. “Well, it needs to be secure, what do you mean?” I added.
I was then told that if I needed the data securing fully it would be an additional cost. I paused for a minute.
“So, is the data not encrypted by default?”, I ask.
“Oh yes, it’s encrypted as we use AWS”, she responded.
Another uncomfortable silence. Then she continued: “the data is encrypted in transit, but not at rest, so if you need it encrypted at rest it will cost 1300 per month”. That was approximately 10 times more than I had initially agreed.
Hmmm, so I have 3 concerns here:
Concern 1 – surely personal details about your clients should be encrypted at rest as a minimum offering from any provider of such a service. Bearing in mind the nature of the software, it’s very likely personal details will find their way into the database. Frankly, I find it hard to justify the data not being encrypted under any circumstances. I just assumed it would be; it turns out I was naïve.
Concern 2 – Up-selling on security doesn’t seem right to me. I guess you could argue this happens in other industries, cars with optional security features as an example. That said, cars must have a minimum level of safety before they can be put on the road, with all manner of crash, airbag and seat belt tests performed. In addition, the cost increase was 10-fold; I’m pretty confident that it will not cost 10x more to manage the service if the data is sat in an encrypted format within Amazon Web Services. Is this not a simple case of “cashing in” on the growing information security concerns since GDPR and DPA 2018? Which leads me to my final concern.
Concern 3 – This situation is one of a data controller, in this case Samurai, and a data processor, in this case unnamed service provider X. In fairness, encryption is not mandatory under DPA 2018 (the UK’s adoption vehicle for GDPR); however, it is advised with good reason. If you are breached, and the personal data compromised can be demonstrated to be strongly encrypted, the ICO need not be informed, since the individuals will not be affected. Clearly this is not the case if personal data is leaked in clear text. This situation could potentially leave both parties looking at large fines from the ICO. Thus, it could be argued, it would be in their own interest to encrypt at rest as standard.
Interested to hear your views 😊
As an aside – I am now listening to someone’s personal details and case history being discussed loudly and at length by the receptionist. *face palm*