Software-as-a-service (SaaS) is a growing trend in FM because of several advantages cloud-based services deliver over in-house development. For one, it’s generally cheaper to outsource your software needs than to spend time and money developing a bespoke solution. Ramp-up time is much faster too. The general wisdom is that FMs get a better product by letting the market do the heavy R&D lifting. Data accessibility and security are generally equivalent or comparable to in-house IT, provided you do your homework. To that end, here are some key SaaS components to consider during the procurement process. Download this SaaS procurement checklist for quick reference.
Mobile Access
Remote and hybrid work schedules are on the rise. Your team and your clients need the flexibility of mobile access to stay competitive. Look for a cloud-based software with admin/client access to most features, dashboards and data via mobile device and web browser.
Customer Support
Customer support is essential to seamless integration and service continuity, so invest some time here. Take advantage of free demos and trial periods to kick the tires on a vendor’s customer service. Submit a work order and note things like response times, professionalism, expertise and problem solving.
Pro Tip: If possible, omit your company affiliation when creating a demo account. Companies often give a potential enterprise account better service than a single user.
Training Resources
Training resources ensure a smooth integration, and any SaaS vendor worth their salt will offer a healthy library of video tutorials, how-to guides, in-office training and online resources for you and your staff. Have your staff sample a few offerings and rate them for accessibility, clarity and ease of use.
Data Security
Given the rise in ransomware attacks, data security is a priority, and most SaaS platforms collect some data on you and your users. Data storage, collection and encryption are security and compliance issues, so ask about these practices. If a vendor isn’t forthcoming, it may be a red flag. Look for security standards and certifications for cloud-based software. These credentials might include Cloud Industry Forum certification or compliance with international standards for cloud-based security such as ISO 27001.
Data Ownership
Who owns your data is also a key consideration, especially when and if you ever switch to another vendor. So, ask about the data transfer process to other platforms. How complicated is retrieval? Can you simply download a spreadsheet or does the vendor collect it for you? The vendor may claim rights to your data beyond the contract end date. Does this violate your own privacy policies? Ensure these data ownership topics are clearly spelled out in your SLA.
Integration
Software platforms need to easily integrate with your connected systems, like your BMS, CRM or billing software. Check the vendor’s list of supported brands and models. But even if your systems are supported, the integration process may take more time than you want. Ask for a time frame for getting up-and-running with the platform before making your final procurement decision.
Pricing Model
SaaS companies often use their pricing schemes to “hide” add-ons and upsells for new features after purchase. Read their pricing page carefully. Even if the annual plan is cheaper, it may contain stipulations like extra costs for adding accounts or transactions. Month-to-month plans will have limited features, so check the pricing comparison list to see which ones you’ll be missing out on with a basic plan.
Pro Tip: If a platform offers “custom” pricing for enterprise accounts, take the opportunity to negotiate a lower price based on your evaluation of the product. For example, the lack of adequate training resources might justify a lower annual price.
Customer Reviews
For real-world usability, go to the source: customers. Review sites like Capterra and G2 Crowd offer descriptions and consumer ratings of all types of products. Sites like these also let you make an apples-to-apples comparison of SaaS platforms, their features and prices.
Usability
Poorly designed SaaS platforms erode their own effectiveness, so evaluate these key usability components:
User Interface
Pages, buttons and menus are organised in a logical way.
There is a consistent look (i.e., colours and textures) from area to area.
The font is easy to read.
Navigation
It’s easy to locate information.
There’s a smooth flow when performing the steps in a task.
You can perform the same task from multiple places.
Responsiveness
The website loads quickly.
The interface works well on mobile devices and small screens.
Also keep in mind that an ineffective interface is harder to learn, which can lengthen the training process and cost you time and money.
Growth
Finally, during your SaaS procurement, decide whether your chosen SaaS will grow with your business. Does the company have a track record of innovation and growth? How easy is it to add new accounts for future employees? Is there a limit on the number of users? Does the company have plans for expanding features? Answering these questions and others like them will give you a better idea of whether a specific SaaS will meet your future needs.
Ransomware attacks are now a global threat. Between 2019 and 2020, attacks rose by 62% worldwide according to the 2020 Internet Crime Report. Attacks like the one on Colonial Pipeline in May 2021 are high-profile cases that garner media attention, but SMBs and facilities of every size are now targets of cyber thieves.
Hospitals and medical facilities are favored targets because they house sensitive medical records. Facilities like these are in no position to bargain with cyberthieves, and they end up paying hefty ransoms to recover sensitive information. And the financial fallout from ransomware attacks is significant, with security experts estimating global ransomware losses to hit $20 billion in 2021, which is 57 times the cost just five years ago.
There’s a lesson to be learned for facilities managers: letting your properties become vulnerable to a ransomware attack is costly. Instead of paying cyberthieves, invest resources into mitigating your risks: shoring up your IT services, educating staff and creating response plans.
What is Ransomware?
Ransomware is a type of malware that enters your computer system and/or network and encrypts your data. Users lose access to files, applications and/or their databases. To decrypt the data, cyberthieves demand a ransom, and if the ransom isn’t paid, the data is destroyed.
Ransomware finds its way into most systems through direct attacks on software weaknesses or by exploiting human error through phishing emails. Once it infects your system, ransomware is programmed to spread to connected devices, encrypting more documents, spreadsheets and photos as it grows.
Train Staff on Cybersecurity Best Practices
Cyberthieves exploit human weakness to gain access to your data. It only takes one staff member clicking on the wrong email link to put your building data and tenant info at risk. That’s why beefing up your team’s cybersecurity skills is a top priority. Cybersecurity habits like these help you avoid many types of computer viruses and malware.
Updating Operating Systems
Operating system (OS) updates include the latest virus signatures and definitions. Older versions don’t, which makes them more vulnerable to cyber attack. Have your team set up automatic updates for their Windows and macOS systems and installed programs. That way, forgetting isn’t an issue.
Identifying Phishing Emails
Email is a common entry point or “attack vector” for cyber criminals to deploy malware, and humans are notoriously susceptible to their exploits. Train your staff how to identify a phishing email to keep your network free of ransomware.
Creating Strong Passwords
Weak passwords let cyberthieves walk right into your facility network. Unfortunately, too many employees opt for weak, yet popular, passwords like “123456” because they’re easy to remember. Teach your team the simple steps of creating a strong password or consider investing in a password manager, which automates the process of creating and remembering strong passwords.
Turn on Two-Factor Authentication
Remind your team to implement two-factor authentication when possible. Turning this feature on adds an extra layer of security by requiring users to identify themselves with a mobile device or an authentication app. Each user typically authenticates their sign-in through a PIN or a biometric scan such as a fingerprint.
Backup Your Data
Since ransomware targets your data, backing it up can help mitigate losses from encryption. Still, data backup has its limitations and can’t protect you the way anti-malware software does, for example, but it does offer the insurance of data replication. In other words, it’s an after-the-fact solution rather than real-time protection.
Data Assessment
The first step in building effective backup is making sure you are backing up ALL your data. Some FMs may manage multiple facilities, each having separate databases and devices. Do you know where your critical info is stored? What about your team members? Are those with assigned devices backing up their data correctly? Critical data can easily be overlooked, which is why experts suggest conducting a data audit.
3-2-1 Rule
Data storage experts often advise businesses to follow the 3-2-1 Rule:
Make 3 copies of your facility data (a production copy and two backups).
Store your copies on 2 different media types (e.g., USB drive, CDs, magnetic tape).
Keep 1 copy offsite from your facility.
Ransomware moves throughout your system, and any connected devices are susceptible. The intention of the offsite rule is to “air gap” your data, removing it from the network completely. Cloud storage is considered “off site” but is also susceptible to the same attack if backups are updated too quickly. In other words, your cloud storage could begin backing up already encrypted data before you became aware of the attack. This is a risk for most backup systems, which is why physically disconnected storage is essential.
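The backup-poisoning risk described above (a sync job copying already-encrypted files into your backup set before anyone notices) can be reduced with a pre-sync gate. The following is an added example, not code from the original post: it measures the byte entropy of a sample from each file, because ciphertext looks like uniformly random bytes while documents and spreadsheets do not, and refuses to sync when too many files suddenly look encrypted. The thresholds, the compressed-format allowlist and the sample data are all constructed assumptions to tune for your own environment.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path

# Assumed thresholds (not from the original post): ciphertext scores close
# to 8.0 bits per byte; office documents and text usually sit well below 6.
ENTROPY_THRESHOLD = 7.5
SUSPECT_FRACTION = 0.25   # block the sync if more than 25% of files look encrypted
# Already-compressed formats are naturally high-entropy, so they are not
# counted as suspect; extend this list for your own data.
COMPRESSED = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_size: int = 4096) -> bool:
    """Heuristic: a non-compressed file whose first bytes resemble ciphertext."""
    if path.suffix.lower() in COMPRESSED:
        return False
    with path.open("rb") as f:
        return shannon_entropy(f.read(sample_size)) >= ENTROPY_THRESHOLD


def backup_gate(root: Path) -> dict:
    """Scan a tree before syncing it; allow_sync is False if it looks poisoned."""
    files = [p for p in root.rglob("*") if p.is_file()]
    suspect = [p for p in files if looks_encrypted(p)]
    fraction = len(suspect) / len(files) if files else 0.0
    return {"total": len(files), "suspect": len(suspect),
            "allow_sync": fraction <= SUSPECT_FRACTION}


def run_demo(clean: int, encrypted: int) -> dict:
    """Build a constructed sample tree and run the gate over it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(clean):   # ordinary low-entropy work-order notes
            (root / f"order_{i}.txt").write_bytes(
                b"Work order 1234: replace HVAC filter on level 3.\n" * 80)
        for i in range(encrypted):   # stand-in for ransomware output: every byte value equally often
            (root / f"order_{i}.txt.locked").write_bytes(bytes(range(256)) * 16)
        return backup_gate(root)
```

Run the gate from the job that pushes your backups (e.g. just before the cloud sync starts) and alert on a blocked result rather than silently skipping it.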
Get Ransomware Detection Software
Cloud-based companies like Microsoft build ransomware detection into their online storage platforms (e.g., OneDrive), but if you’re not using cloud-based storage, this doesn’t help. For an added layer of protection against malware, invest in cybersecurity software that meets your needs and budget. Most major cybersecurity software brands include ransomware protection and decryption tools within their plans. While anti-malware software isn’t a replacement for good cybersecurity habits and data backups, it does add redundancy to your system.
Include Ransomware in Your IRP
Ransomware attacks are high-pressure situations. Time is critical, and decisions have to be made on the fly. So preparation is key. Ensure your incident response plan (IRP) includes ransomware mitigation strategies. There are several basic steps most experts agree businesses should take when attacked by ransomware:
Don’t pay the ransom. Experts say paying only puts you at risk of being targeted again. Plus, acquiescing only makes the problem worse for everyone else by financially incentivising the criminals.
Disconnect devices. Your first move is to stop the malware infection. Disconnect your devices from your network and the internet. Unplug ethernet cables. Remove storage devices like thumb drives. Disable wireless connections (Wi-Fi) on your mobile devices.
Get evidence. Take photos (with an uninfected phone) of the ransom notes and any correspondence with the thieves.
Run a malware scan. Use the Task Manager on your Windows 10 devices to run a scan for ransomware. Shut down any Apple devices.
Reset passwords. Change your passwords for your admin accounts.
Get help. Solicit professional IT services for advice or help. You will likely need their services to ensure your network and devices are free of malware before reconnecting.
Report the incident. Government cybersecurity agencies like CERT NZ can help you navigate the incident, record the attack and notify other businesses of the threat. Other reporting agencies include IC3 (US) and Action Fraud (UK).
At some point, you may want (or be legally required) to notify your tenants of the data breach. If there is a potential for the malware to spread to your tenants’ networks, early notification will help their office managers execute their own IRPs. If cross-contamination is a low risk, you might move notification to a lower priority. Consult legal experts on your specific reporting requirements and adjust your IRP accordingly.
When protecting your facilities from malware attacks, think in terms of “layers” of protection. You and your team members are the first layer of defense. Your anti-virus software is another. The more stopgaps you have, the better your chances of avoiding infection. It pays to invest a little time and money up front rather than deal with the fallout from a successful hack. And remember, when it comes to ransomware, you’re not an island. Successful criminals go on to rip off other businesses, so your action or inaction directly affects the profitability of others.