The State of B2B SaaS Cybersecurity

We conducted a survey of 500 representatives from B2B SaaS companies and analyzed their responses regarding the cybersecurity programs at their organizations. Read the article to learn about the state of B2B SaaS cybersecurity and how SaaS companies can protect their businesses.

The Business-to-Business Software as a Service (B2B SaaS) Market

According to Gartner, global cloud services are predicted to grow by 17% in 2020, with the largest market segment being SaaS due to the scalability of subscription-based software. In fact, Gartner predicts the SaaS market will grow by nearly 50% between 2020 and 2022. Investments in SaaS continue to be attractive “due to its lean cost structure and high customer lifetime values”, according to SaaS Mag.

Because SaaS is flexible and efficient from both a technological and a financial standpoint, companies are increasingly relying on cloud-based technology, and IT teams are embracing cloud applications.

“Building, implementing and maturing cloud strategies will continue to be a top priority for years to come,” said Sid Nag, research vice president at Gartner.

Why should B2B SaaS Companies care about cybersecurity?

A hacking attack happens every 39 seconds, allowing cybercriminals to steal 75 records per second. Some of the most prevalent attacks happening right now include DDoS attacks, insider threats, malware, and password attacks.

  1. A distributed denial of service (DDoS) attack is when attackers flood your system with so much traffic that your network or service stops responding. That means your users and employees – the legitimate traffic – are not able to access the app, service, or website. According to Kaspersky's "IT Security Risks Survey 2017", the average cost of a DDoS attack was $2 million for enterprises and $120,000 for SMBs.
  2. Insider threats come from former or current employees who may misuse their access to your system. For example, an employee for a social networking site might use their access to obtain personal photos shared in private chats, or a disgruntled employee might download sensitive data to the cloud or an external hard drive and try to sell it on the dark web. More than one in every three data breaches involve insiders.
  3. Malware is malicious code that includes trojans, viruses, and ransomware. Around 31 percent of all attacks in 2018 involved malware.
  4. Brute force attacks involve a lot of guessing and luck. Attackers submit password and passphrase guesses over and over in the hope of eventually getting your password right.

B2B SaaS companies implement some security measures, but could be doing more

At Zeguro, we surveyed 500 representatives from B2B SaaS companies¹ to gain some insights into the types of security tools and measures these companies are implementing today. The majority of respondents (79%) sell to both enterprises and SMBs, while 15% sell exclusively to SMBs and 6% sell exclusively to enterprise customers.

Nearly three-fourths of respondents (74.2%) have in-house security personnel. Among them, 53.1% say their in-house security personnel is someone in IT, 30.73% say it is a C-suite executive, and the remaining 16.17% say they themselves fill that role. Among those that do not have in-house security personnel, 56.59% also have no external security personnel, such as a security consultant, while 43.41% do have access to external security personnel.

Most B2B SaaS companies have allocated budget in 2020 for cybersecurity

The majority of respondents (83.8%) have allocated budget in 2020 for cybersecurity in varying amounts: 

  • Allocated $500k or more: 10.74%
  • Allocated $250k to $500k: 13.37%
  • Allocated $100k to $250k: 15.99%
  • Allocated $50k to $100k: 20.53%
  • Allocated $10k to $50k: 21.96% 
  • Allocated $0 to $10k: 15.27%

Overall, more than four out of ten respondents (42.49%) reported allocating between $10,000 and $100,000 for cybersecurity in 2020, but just over one in ten (10.74%) have allocated $500,000 or more. The remaining 2.15% of respondents were unaware of the amount of budget their companies have allocated for cybersecurity in 2020. 

Network security is the most common cybersecurity measure implemented by B2B SaaS companies

We found that network security is the most common cybersecurity measure implemented by B2B SaaS companies today, with 67.2% of survey respondents reporting that they’ve implemented network security. 

Nearly six out of ten (59.8%) of survey respondents said they’ve implemented employee cybersecurity training, and 56.8% have implemented cloud security. Other cybersecurity measures have been implemented by half or fewer respondents, including: 

  • Security policies: 50%
  • Endpoint security: 39.6%
  • Mobile device management: 35.8%
  • Incident response: 32.6%
  • Governance, risk, and compliance tools: 29.8%

Regulatory compliance is a primary motivator for cybersecurity, but obstacles remain

Compliance with security regulations and frameworks is a top driver of cybersecurity at B2B SaaS companies. Among survey respondents, 67.2% said that compliance is a key motivator for cybersecurity at their companies. For just under half (49.4%), fear of a cyber attack is a key motivator, while 44.4% are motivated by contractual requirements.

Despite compelling motivations, there are a number of obstacles to cybersecurity for B2B SaaS companies. More than four out of ten survey respondents (42.8%) said that a lack of cybersecurity knowledge and expertise is their company’s biggest blocker to effective cybersecurity, while insufficient personnel and insufficient budget were noted as the biggest blocker by 25% and 23% of respondents, respectively. Just 6% said that effective cybersecurity isn’t a priority for their companies. While that is only a small percentage, it is still concerning that some B2B SaaS companies do not consider cybersecurity a priority. In this day and age, cybersecurity needs to be ingrained into the company culture.

Nearly two-thirds of B2B SaaS companies have cyber insurance

Cyber insurance is an important part of holistic risk management. Businesses implement cybersecurity measures to detect and mitigate risks while they buy cyber insurance to transfer their risk to their insurance companies. Cyber insurance also plays an important role in meeting contract requirements. Many enterprises will require their B2B SaaS contractors, partners, and vendors to carry cyber insurance before agreeing to work with them.

Just over two-thirds of survey respondents (67.2%) say their company has cyber insurance. Among them, more than half (57.74%) say having a safety net is their reason for purchasing cyber insurance. Just over four out of ten respondents (40.18%) say they have cyber insurance because of contractual requirements.

We put together a checklist with things cyber insurance buyers should keep in mind.

Data breaches impacted about one-third of B2B SaaS companies in the past 12 months

More than one-third of B2B SaaS companies surveyed (36.6%) reported experiencing a data breach within the past 12 months. Among those that reported suffering a data breach within the past 12 months, the estimated costs of the breach varied, although most estimated that their costs fell between $0 and $250,000. That total figure (59.01%, or nearly three out of five respondents) is spread evenly across three cost ranges. Specifically, nearly one out of five respondents reported an estimated cost of the data breach between $0 and $50,000, another one in five reported an estimated cost between $50,000 and $100,000, and another one in five said the breach cost an estimated $100,000 to $250,000:

  • $0 to $50k: 19.67%
  • $50k to $100k: 19.67%
  • $100k to $250k: 19.67%
  • $250k to $500k: 15.85%
  • $500k to $1M: 10.93%
  • $1M to $5M: 3.28%
  • $5M to $10M: 3.28%
  • $10M+: 7.65%

More than nine out of ten survey respondents (91.2%) have a company website, and the majority use WordPress, which is notorious for security vulnerabilities. Likewise, more than four out of five respondents (84.4%) utilize a customer portal that their customers can log into, another common source of security risks for SMBs. B2B SaaS companies and other SMBs should employ a web vulnerability scanner to continuously scan their websites and customer portals for vulnerabilities to reduce the risk of a data breach. 

More than three-fourths of B2B SaaS companies are subject to compliance requirements

Regulatory compliance requirements are emerging across all industries, and B2B SaaS companies increasingly must comply with various compliance frameworks. In our survey of B2B SaaS companies, more than three-fourths of respondents (76.4%) reported that they need to meet the requirements for one or more compliance frameworks. Among them: 

  • More than half (52.36%) must comply with HIPAA
  • Nearly two out of five (39.01%) are required to comply with the California Consumer Protection Act (CCPA)
  • Nearly three out of ten (28.8%) have to meet PCI DSS requirements
  • More than one-fourth (26.7%) must meet SOC 2 requirements
  • More than one-fourth (26.18%) must comply with GDPR

Regulatory compliance is a pain point for many organizations, including B2B SaaS companies. While it can be challenging to ensure continued compliance, the risks of non-compliance can be severe, including costly fines and penalties, not to mention a loss of reputation and potential loss of business. Many compliance frameworks include measures that enhance data security, protecting consumers’ data while simultaneously enhancing a company’s security posture and reducing the risk of a data breach. In most cases, following compliance frameworks is a win-win. 

A comprehensive security platform like Zeguro can help B2B SaaS companies meet compliance with regulations like PCI DSS, SOC 2, and HIPAA through targeted employee training, web vulnerability scanning, and tools for implementing information security policies. Zeguro also offers tailored cyber insurance priced for an organization’s risk profile to help businesses recover with minimal disruption should a breach occur. 

What can you do?

People often assume that the responsibility for cybersecurity lies solely with the leadership team and/or the IT team.

To make it simple, here's the truth: Cybersecurity is everyone's responsibility.

However, for any cybersecurity plan to succeed, there has to be a point person or committee who will be accountable for keeping your systems secure, your people trained and educated, and the leadership informed.

Your cybersecurity champions should come from every department, not just IT. The key people can come from HR, operations, finance, and other departments. You should also bring your company lawyer, auditor, or accountant in on the conversation.

Follow best practices in cybersecurity hygiene

Prevention saves you a whole lot of heartaches, stress, and money when it comes to cybersecurity. There are best practices that you can adhere to, including:

  1. Training your employees on the basics of security, which includes getting familiar with the most common threats and vulnerabilities, how to spot them, and how to handle them when spotted.
  2. Protecting access with a strong password and multi-factor authentication, which also includes changing your password periodically.
  3. Updating and patching software and apps you are using to stamp out any vulnerabilities.
  4. Making secure backup copies of sensitive and essential data.
  5. Controlling physical access to computers and hardware.
  6. Having policies on personal devices being used for work.

Another thing you can do is reduce the potential entry points for an attack. Take inventory of your IT systems and see if there are holes that you can plug. Disconnect any computer or machine that is not in use. If you are using cloud services, make sure that the provider is also secure.

Get cyber insurance

Cyber insurance is an excellent way to make sure that you have that parachute when you experience a data breach.

For instance, cyber insurance policies can take care of expenses arising from a breach that resulted in the loss of customer and employee data. You don't have to worry about whether you have enough money to cover the costs of responding to the data compromise or the liabilities you may face because of the incident. Some insurance policies even cover funds lost to payment fraud.

Get a cyber insurance quote here.

Your business as a hacking victim: It's not a matter of if, but when

When you have close to three hacking attempts happening every minute, the question you should be asking yourself is not "what if" you suffer an attack. You should have a clear action plan on what you will do "when" you're hacked.

B2B SaaS companies are prime targets for cyber attacks. They either store a lot of their own customer data or they work with larger enterprises and have access to their data or systems.

Employ the best practices in cyber hygiene, train your employees, and invest in top-notch tools. Then, protect your business with cyber insurance to make the inevitable less frightening.

¹ The survey was conducted using the Pollfish survey platform, which distributes its surveys through a vast network of 3rd-party apps and websites that allow Pollfish access to their users. Users are incentivized to complete a survey within the app. We asked a series of qualifying and demographic questions to target an audience of B2B SaaS companies.

Zeguro is a cyber safety solution and insurance provider for small to mid-sized businesses (SMBs), offering a comprehensive suite of tools for risk mitigation and compliance, as well as insurance premiums that are tailored to the size, sector and profile of a company.

Written by Ellen Zhang, Digital Marketing Manager