Software as a Service: a checklist

Software as a service has revolutionised our lives and freed most of us from large up front development costs, expensive on-premise hardware and associated software and networks.

You just sign up and everything magically appears with your business data, pictures, documents. It is all backed up and safe. However, have you checked the provider is actually doing what they promised? AXLR8 have been in the SaaS business for over 2 decades and trust many suppliers but check everyone.

What questions should I ask a SaaS supplier?

Here are a few questions we suggest that you ask your SaaS supplier.

Business Stability

  1. Do you track their published accounts every year? Remember, the pandemic has tested all companies and many SaaS companies may be running on empty. More companies go out of business coming out of a recessionary period than going into it!
  2. Are they debt free or do they have a negative balance sheet? If negative, is it getting worse year on year? Could the bank “pull the plug” tomorrow?
  3. Is the Supplier financially stable? Remember, if they miss payments to a lender, any of their key staff or any of their hosting and technology suppliers, they could disappear overnight and your data and system will probably be lost!
  4. Does the SaaS company have a portfolio of markets they work in so that a change in one market does not wipe them out overnight? Importantly, after the pandemic, are they already “running on empty”?
  5. How long have they been in business? Is their business growing? If it has been through some recessions and recovered competently, all the better!
  6. Do they have many clients in their portfolio?
  7. Do they have an expert stable team or is there staff turnover? Worst of all, is it a one or two person company which could disappear with the health or motivation of one person?

My business critical data

  1. Do they answer their telephones in an emergency?
  2. Can I get my data from my SaaS supplier (free or for a reasonable small labour and materials fee)?
  3. Where can I read my contract for the service? If it was just something I clicked “OK” to when I signed up, then was there a clause to say they can change it at any time?
  4. Do I own my data entirely or does the supplier feel they own it?
  5. Does my supplier understand their responsibility as Data Processor and how it affects my liability under GDPR as the Data Controller?
  6. Who decides access rights for my staff? What happens when staff join or leave?
  7. If I am using the system free of charge, do the suppliers expect something back and if so, what?
  8. If I am paying, what if I miss a payment? Is there a small or large admin penalty? When does all my data get deleted? No supplier can store it indefinitely due to GDPR DP liabilities. If they do not delete my data, what are they doing with it?
  9. When can I give notice and what are the implications for recovering my data and any associated documents, mails, pictures, etc?
  10. Is the SaaS supplier compliant with cyber security standards? For example, can you find them on the IASME list of Cyber Essentials Plus compliant companies?
  11. Does your SaaS supplier use a reputable company for regular annual penetration testing to check the security of the systems holding your (customer) data?
  12. What are their security policies?
  13. What are their privacy policies and can you find them on the Information Commissioner’s registration list?
  14. Can I talk to someone – a real human being – about the technical or commercial issues that arise?
  15. Can I customise and personalise the system and how does this affect my rights to upgrades?
  16. How often do they actually do backups? Nightly, hourly, weekly? Are the backups hot? In other words, if my server goes down, does another one come up immediately? These different levels of disaster readiness come with very different price tickets. What level of resilience do I need?
  17. Can they scale with my business?
  18. Will they offer training for super users of the system?

Build vs Buy: should we just develop our own in-house system?

Before developing your own system with a software developer or an in-house developer, you should also be able to answer the above questions.

You will be aware of the well known economics of software development:

If it costs 1 pound to develop a system, it costs 10 pounds to implement and 15 pounds a year to maintain it.

Outside developers bidding for your business conveniently forget that in their pitch!

On top of that, complying with basic security and GDPR is very costly and you would be paying for it on your own. A SaaS supplier can share those costs around hundreds or even thousands of users.

A reputable SaaS supplier can also bring specialist expertise and new modules from the accumulated experience of thousands of users to your business. They can concentrate on updating their platform, performance, bug fixes, encryption and security. Do not underestimate these expenses. Their helpdesk is always there. Your in-house developer could be off sick or go on holiday – or leave the company just when you have a critical repair.

Security incident today

Thirty-five client websites, including our own Staffing specialist website, have been affected by a DDoS attack this morning.

No business-critical applications are affected.

Email is not affected.

It should be resolved by the engineers at the datacentre soon. These problems are rare and this is the first in perhaps ten or more years.

Thanks for your patience. Please do not hesitate to contact us if you need more information.

Contact Field Marketing – Success through talent

AXLR8 have now been supporting field marketing companies collecting data in store for 15 years.

Our clients have taught us so many things in that time. Likewise, they are always learning and solving new problems to help their brands and other customers.

To celebrate we have created this video to explain how CFM, a growing leader, is challenging the top players in the retail merchandising and promotion fields.

It concentrates on two current challenges.

Building and developing the team

Clients need to attract the best talent in these competitive times for all recruiters. They then need to build, train and deploy their teams on client projects. CFM have the talent management team in place to achieve this using the AXLR8 ATS and to work with trusted specialist long-term business partners to supply staff where required.

Field Data Collection and Client Presentation

The value added by good field marketing and merchandising providers is the immediate, high volume, accurate data reliably collected in the field (e.g. sales and stock numbers, competitor pricing, before and after pictures during POS and merchandising projects).

Volume collection

Using their AXLR8 apps, staff are booked on projects and specific store visits and collect data in high volumes in store. The system has to handle thousands of data items every hour from hundreds of store visits on multiple projects. App reliability and central database resilience are of paramount importance. At the same time the questionnaires must be flexible so they are easy to create and easy to change midway through campaigns.

Customised client portals

Once the data starts to come in, the numbers, reports, pictures and other information have to be moderated and presented well to their clients on a secure portal.

The system allows CFM to concentrate on client engagement, staff relations and creative ideas as they know the admin is being handled by a reliable system that AXLR8 has customised to their needs.

This means they can focus on client specific needs. No wonder they are so successful.

Working Lunch with AXLR8: Public Sector

AXLR8 will be running a free series of training courses for the Public Sector covering the AXLR8 IRM (Information Request Manager) system for FOI, SAR, Reviews and Appeals and Complaints.

We hope you will find these workshops as useful as AXLR8’s commercial clients did in September’s very successful series for their industries.

The 12 sessions will run at 12:30 on Wednesdays from November 10th, 2021 to February 16th, 2022.

We run all our sessions over Zoom because of the quality of presentation and reliability. However, the feedback is that this is not possible for most public sector sites. Therefore, we will run it over MS Teams. Please be patient in the first couple of sessions whilst we find our feet using this as a webinar medium.

The agenda for the training sessions is as follows:

Day | Title | Agenda | Aimed at | Date
--- | --- | --- | --- | ---
1 | Introduction – overview and definitions | Workflow supported, definitions list, management of an IR | Users | 10th November
2 | Workflow KPIs | Dashboards, tracking IRs. | Users | 17th November
3 | Logging a request | Request creation, auto creation, adding notes, adding documents | Users | 24th November
4 | IRs and activities (tasks) | Activities required to achieve the response to the IR. | Users | 1st December
5 | Progress tracking | The calendar: Bank holidays, FOIs and SARs. Public and private notes and documents. Alerts, triggers and expediting weekend, working days and holidays. | Users | 8th December
6 | Information request manager portal | Access rules, applicant blind, reports, documents and updating progress. | Users | 15th December
7 | Reviews and appeals | Reviews, appeals, timescales & audit. How to read audit trails, notes, history and mail attach. | Users | 12th January
8 | Public disclosure log | Preparation and clean up, notes, documents, privacy. API for web presentation. | SuperUsers | 19th January
9 | Super user functions 1 | Data cleaning and retention, keeping your data clean, removing duplicates, DPIA and information asset register. | SuperUsers | 26th January
10 | Super user functions 2 | Drop down menus, lookups, labels | SuperUsers | 2nd February
11 | Super user functions 3 | Report builder | SuperUsers | 9th February
12 | Super user functions 4 | Creating new user accounts, granting and revoking access rights. | SuperUsers | 16th February

For more information on our Information Compliance Systems: http://www.requesttracker.co.uk/

AXLR8 Cyber Essentials

We are excited to announce that we have passed our assessment for the current Cyber Essentials again this year! In November 2021 we are returning to Penetration Testing to update findings from 2020 from an outside expert party. In December 2021 we will be audited for Cyber Essentials Plus.

We can highly recommend the detailed, professional, prompt and practical approach of RightCue Assurance who led us through the process once again. Thanks!

With their help we are now preparing for Cyber Essentials Plus in the next two months.


Power cut today

There is a power problem in our area.

Telephones

The phones will still work. We have configured the RingCentral system to receive calls on selected mobiles. Client calls should be dealt with but we may be a little terse with incoming cold sales calls today.

Support Email

We will forward Support to a temporary mail box which will be monitored. So, you may receive an error message from our office server but the support email will get to the team. Some will be working at home.

Timescales

SSEN are working on it and will keep us updated. The local socials are going bonkers. Lights flickering occasionally everywhere.

Prevention

Hopefully, the problem will only last a few hours. Although we have large UPS storage, we will be looking for bigger reserve supplies for the office.

NACFB conference at the NEC

On 30th September, a team of us from AXLR8 went to our first trade show since lockdown. It was very professionally organised and run.

Great to meet up with so many clients and other potential technical and business collaborators.

The resilient commercial finance market is alive and kicking!

To learn more about how AXLR8 helps finance brokers find more clients and process proposals quickly and easily, please contact us at 01344 776500 or send us an email.

Online AXLR8 refresher training

AXLR8 is just completing a very successful “Working Lunch with AXLR8” series of seminars in our Staffing Agency vertical market. The reason is that in most of those businesses staff may have changed. Staff turnover has been huge in so many industries over the last year and knowledge needs refreshing as we enter the “New Normal”. Also, many of the clients I speak to on a daily basis have been furloughed for long periods or have been performing other jobs.

Your organisation will also be considering staff knowledge retention and changes through this (hopefully) once in a century economic upheaval. Also, there is friction slowing the uptake of in-person training (expense, fear of infection, petrol shortages as I write, etc.).

Nevertheless, so many of the mainstream and offbeat metrics show that there is an uptick in all those business areas that indicate we are coming out of the downturn. Businesses that are barometers of the economy are on the up and up!

So AXLR8 will be running two more Working Lunch with AXLR8 series. One for Finance clients in October and one for Government in November. Please watch this space. We will also circulate invitations soon so we can win some space in your diary.

New Phone System

As part of our investment in customer service this year, we have revolutionised the telephone system. Having surveyed the market and seen many excellent new phone systems, we have gone with BT CloudWork. Our new numbers may come through as 0203 795 3629 or our direct dials depending upon who is calling.

You can still reach us on 01344 776500. However, we have dropped our old DDI numbers which were hardly used. They became a problem when people returned individual calls without going through the switchboard. If that person was away from their desk, the customer service was a VM or transfer.

Feedback

We would be grateful for your feedback if you have any trouble getting through to customer service. We do not want anyone in voicemail jail!

Future possibilities

The system from BT is based upon RingCentral which is up there in the (Nov 2020) Gartner Magic Quadrant with MS. Others trailing in that quadrant are Zoom, 8X8 and Cisco. So far we are pleased with the implementation and will be researching all the programmer interfaces for incoming caller identification to pop screens, etc. that we had developed over 15 years with our last (Splicecom) system which was well ahead of its time.

We are already dialling out direct from the AXLR8 Radical internal CRM system.

All calls will be recorded for training and quality purposes and the next development is to store them against the support ticket as we do with emails. That way all the information about a case is kept in the right “job bag”.

If you are planning phone integration with your AXLR8 system, please call us up. We have been doing it for more than 20 years so you will be in safe hands.

Secure Passwords

Your passwords should be unique and memorable. If you do not read any more of this article, just remember to make your passwords from three random words.

Passwords should be…

  • long – at least 10 characters
  • unique – do not use the same password for more than one purpose
  • memorable – if possible, so you do not have it on a yellow sticky!
  • complex – add some numbers, upper and lower case characters and some non-alphanumerics such as $, -, !, @ (special characters)
  • regularly changed
  • securely stored, if stored at all – possibly an encrypted file or a specialist recognised password vault
  • changed occasionally (changing too often can create its own security weaknesses). It is accepted that a more complex, long password changed less frequently (say annually) is better than a simpler, shorter password changed frequently (e.g. every quarter).

Some of the above may conflict. The better (long, uncrackable, frequently changed, etc.) your password is, the more difficult it is to recall. Therefore, you need to record it and, unless this is done securely, that in itself becomes a security weakness. The familiar yellow sticky on the screen is dangerous but writing them all down on a piece of paper is asking for trouble.

Only secure systems should be trusted with your personal information:

  • encrypted password storage, so that not even the programmer of the system can read it
  • SSL encrypted browser to server communications (padlock and HTTPS:// in the URL), so that it is not compromised between your PC and the server
  • a ban on further login attempts after a small number of tries – five to ten attempts maximum

Your information is probably already compromised

You must assume your password has already been found out and is available to many hackers. How? Check this site to see where your details have been exposed.

https://haveIbeenpwned.com

Put your email into the box and see the results: how many breached sites you used that email address on, and what personal information has already been stolen and has been on sale for many months or years. Everyone should know this but we reckon nineteen out of twenty AXLR8 clients we show this to are completely unaware of how exposed they are.

Brute Force Dictionary Attack

Someone can easily guess my password?

There are hacking tools that attempt thousands of username and password combinations. Many of our servers that are open to the internet have 45,000 attempts per day which are blocked.

The way password guessing works is by using information already available to the hacker’s computer. Your name is an example, so do not use your name with “123” after it. Further, your first and last name, school and many more pieces of personal information must be assumed to be known by hackers. If you have a word that is typically used in your password such as a pet name, animal, flower, place, or whatever, a “Dictionary” attack will probably find it by using a list of common words and configurations of those words. Dictionary attacks are really good at words and phrases. They also check adding your date of birth and other information they have derived or purchased. Thus, if your password is made from the word Banana and your date of birth (in this example 10th November), you might make a password like “B4n4n4-1011”. On the face of it, this is more than 8 characters and obeys many of the accepted rules from a few years ago.

Good dictionary attacks already have your date of birth, first pet’s name, primary school name, and many other answers to “hint” and “ID check” questions you might have entered in other sites as mentioned above. Most know dates of birth and names of children, which are very common combinations for passwords. Combinations of common passwords like “Secur1ty”, “pass1234”, “Password!” and “letmein” are all well known. Similarly, although it is not the subject of this article, please do not keep your default firewall or Bluetooth PIN as “1234” or “0000”. Also, obviously, do not make it the same as your bank PIN!

Yikes! What shall we do then?

Password reset

You should change your password now.

Dictionary attacks are very, very good at finding a word or phrase and number combination. However, they are unable to begin to guess at something you passed on the way to work, a randomly selected object in your house and a film you like or three things you saw on holiday or in a film plus your favourite actor.

Just choose three random words to make a memorable password and chuck in some number(s)/non-alpha character(s).

e.g. apple sock ship might end up apple1812-$hipSocks.

A maximum number of password attempts is a good way to protect against such attacks.

In conclusion make sure your passwords obey the rules at the top of this page and, if you do nothing else, use three random words that only you would recall because only you saw a jaguar, a robin and a bike tyre puncture on your way to the shop this morning.

Repercussions

If it is your personal password for, say, a private bank, game or subscription, you may lose money or pride. Worse is possible if someone steals your identity and commits criminal offences in your name. It is not enough to know you are not guilty. There are several cases where an innocent victim of such ID theft has been attacked by another victim of the crime. Lastly, if you are at work and responsible for other people’s data on a system and neglect your duty to create a secure password and keep it secret, you could damage many other people. This could happen if you are working on any accounts, CRM, HR system and many others.

Also, if you are an AXLR8 client running a business you have built up for years, you will need to make sure that you and your staff abide by these simple rules in a complex world.

If this raises any queries, please call AXLR8 support on 01344 776500 and we can help your Super Users with your system security and staff security training.