
Are Your Organization’s Application Engagement Decisions Increasing Information Privacy Risk?

An inventor carefully inserts papers with the design concepts of a new product into their messenger bag-like briefcase. The inventor heads down to the lobby to check out and runs into an old friend. They both decide to meet at the hotel’s restaurant in 10 minutes to further reconnect. The inventor decides to stow luggage with the bellhop. For a brief second, the inventor contemplates whether to also leave their briefcase. After thinking about how secure the luggage room is, with only the bellhop having access, coupled with the fact that lunch would take place a mere 20 feet away, the inventor decides to leave the briefcase and goes to lunch.

As lunch is about to finish, a loud explosion comes from the vicinity of the luggage storage room. Water starts to spill onto the lobby floor. A watermain that enters the building right over the luggage room has burst. As the lobby floor continues to fill with water, smaller items such as pens, lipstick, toiletries, and paper float all over the floor. Among the items that are floating on the large lobby floor are the distinctive blue and green pieces of paper containing the inventor’s idea. The inventor wades through the water to look for each of the 50 pages that outlined the invention. Only 30 were found.

Contemplating the information destroyed, misplaced, and perhaps stolen, the inventor is disappointed to have decided to leave the briefcase in the luggage room and keeps asking, “Why did I do that?”

It may seem like the experience of the inventor is an anomaly, but decisions that organizations make to use free or low-cost software-as-a-service (SAAS) tools present a danger similar to the watermain pipe in the luggage room. As there is always a cost associated with something, in lieu of funds being transferred for the use of the application, the data collected about and entered by the user becomes the means by which the application developer “profits.”

This data may be used in many different ways, such as developing new products, studying how the user utilizes the product, or retaining information entered into the application to be mined and compared with information entered by other users. How is the privacy of your organization’s data (inclusive of your customers) being protected when using these free/low-cost options? This risk is like having a watermain pipe hanging over your organizational data. If the pipe bursts (where the SAAS loses information, undergoes a cyber-attack, is a victim of ransomware, etc.), where does that leave your organization?

When the decision has been made to use a third-party application that stores information in the cloud, your organization has delegated the security of said information to the third-party SAAS provider. Especially in cases where the SAAS is “free,” there often is nothing outlined in the terms of service or the privacy policy that protects the information you enter into the application as being your information.

Furthermore, there often is no assurance that when a decision is made to discontinue using the application that all data that is stored in the application will be destroyed. Like the inventor in our scenario, the maintenance of confidentiality of proprietary information is paramount to the survival of an organization. Investing blind faith in making the decision to use a free SAAS tool could lead to major headaches later—ideas taken, lost information, corrupted information—in essence, your own watermain break.

Your organization can empower itself by spending some time doing research prior to using a new SAAS solution. Here are some things you should look for:

  1. Review the terms of service. Don’t simply click through these terms to quickly get started on interacting with the new application. What protections does the developer outline for the user? What rights are established for the information that the user provides? If a decision is made to stop using the application, can all data that was entered be completely removed?
  2. Review the privacy policy. Check to see how the information that is being stored is used, especially if the information could lead to the identification of an individual. Contact the developer and ask for information on how your organization would be contacted in the event of a breach experienced by the developer.
  3. Develop organization-wide guidelines as to the approved uses of applications for specific purposes. For example, a free SAAS spreadsheet application cannot be used to house personally identifiable information.

By investing in understanding the scope of the protections for, and the uses of, the data that will be entered into the SAAS, your organization can steer clear of a digital watermain break and be reassured of the exact uses of the information that may be stored in a free application.
