Why SaaS Providers Shouldn’t Upsell Essential Security Features

Tom Burton
Subscribe Contact us
David Jones

What Problem do Too Many SaaS Providers Have in Common?


Many SaaS security providers have a history of treating important safety and security features as something to upsell. This raises the important question of whether a software vendor has a moral responsibility for the secure operation of their solution.


In this article, we explore the implications of treating important security and safety features as an upsell, using Boeing as a test case of where this can go wrong.


The Case of Boeing and the Aviation Industry


The case against Boeing is emblematic of a more systemic issue across the aviation industry, and many other industries. The public became aware of this issue under tragic circumstances when the Lion Air and Ethiopian Air Boeing 737 Max airliners crashed in 2018 and 2019 respectively. According to the widely quoted New York Times article, the crash could have been avoided if the pilots had access to two safety features that were sold by Boeing as optional extras.


According to the incident reports, at the root of the incident were the angle-of-attack sensors. These mechanical sensors operate in a similar fashion to a weathervane to measure whether the aircraft’s nose is pointing above or below the direction of airflow. Being mechanical, they may be prone to malfunction, perhaps jamming after having been installed incorrectly — as was believed to be the case for the Lion Air aircraft. The system that led to the aircraft’s demise, which identifies the risk of the aircraft stalling, only listened to one of the sensors. A difference in the signal being sent by the two sensors was not recognised by the anti-stall system; and the instruments that would have alerted the pilots to the conflicting signals were upsell items.


This wasn’t a fancy, nice-to-have bell or whistle that makes the flight more comfortable, efficient, or profitable. It is an underlying safety feature of the aircraft. If there was no safety requirement for the redundancy of two sensors, it is difficult to see why there would ever be more than one.


Boeing has now addressed the issue, and the anti-stall system listens to both sensors, responding safely in the event of conflicting signals. It should also be noted that the investigation identified pilot error and deficiencies in the training that contributed to the disasters (and this will be relevant to our points regarding many SaaS product decisions as well).


The SaaS Parallels


Cloud-delivered Software as a Service (SaaS) has revolutionised the tech industry, and catalysed a phenomenal level of innovation and growth. It has enabled new software capabilities to be brought to market faster than ever before, and facilitated the ability to reach a scale with costs defrayed across multiple customers that would have been unimaginable 30 years ago. However, the benefits of being able to access a service from anywhere, at any time, by anyone also presents significant risks. The ‘anyone’ can be a malicious party operating outside of the reach of law enforcement or extradition. As a result, there are clear commercial responsibilities placed on SaaS providers to secure their infrastructure from attack, and those that do not are unlikely to last long in the marketplace.


But just like the aviation industry, there are different flavours of security, and different perceptions of what is considered essential. Taking due care and applying due diligence to ensure that the platform itself is adequately secured from a direct attack is clearly the vendor’s responsibility – but what about those elements of security that relate to risk owned by their customers?


One key element of customer risk relates to the security of a user’s password. It is their responsibility to make sure they choose a long and random string drawn from upper case, lower case, numerical, and special characters (if allowed). It is also their responsibility to ensure that they do not ever use the same password for multiple applications or services.


But, we know that compromised credentials is a common failure mode. Just because it is the user’s responsibility to mitigate this risk, this doesn’t mean that system developers do not also have some mutual responsibility to make it easier for the user to exercise that responsibility; controls have been developed specifically for that purpose. The most obvious ones are Multi Factor Authentication (MFA, or 2FA), and Single Sign On (SSO). With MFA, we improve the security of the credentials by also verifying that the user is in possession of their trusted device before we trust them at sign in. With SSO, we minimise the number of credentials and accounts to manage by federating with a single corporate account; we can then concentrate our effort to secure that corporate account rather than spreading our resources thinly. Both are relatively easily implemented these days, particularly in the case of SSO where the OAuth protocols are widely offered by Identity Providers. Once implemented, both are essentially free to operate, particularly if MFA uses an Authenticator app rather than SMS text messages.


SaaS providers recognise that this security is important, and they will frequently implement MFA and SSO controls into their applications to meet that customer demand. But, too frequently, we see them only offered as part of the more expensive subscription options. This element of security is not enhancing the vendor’s core proposition; it is not making their offering more functional, better looking, or more efficient for their users. It is just making it more secure, and therefore to treat it as an item to upsell comes across as price-gouging rather than the responsible application of good security practice. It is almost as though these vendors have run out of innovative bells and whistles that their clients would value in their core product, so they have had to resort to undermining the security of their cheaper options in order to encourage their customers to pay for their more expensive ones.


It is equivalent to a bank only using the CSC code on a card to secure transactions for customers who pay for their premium banking services, because, after all, it is the customer’s responsibility to protect their card details.


Conclusion


What we have described here is not universal, and probably is not even representative of the majority of SaaS providers. But, when you are reviewing a new service, we urge you to take a closer look at what security your provider is charging extra for. If low cost, high value security controls are being upsold, then you may want to consider what other security good practices are not being considered essential.


For more information about our cyber security consulting services and Secure by Design principles in action, please contact Tom Burton, Partner for Cyber Security, using the form below.

Contact - Digital Achilles Heel

Subscribe to our Newsletter

Blog Subscribe

SHARE CONTENT

Pembroke College lawn bathed in sunlight

Case Study: A Corporate Partnership Between Pembroke College & Cambridge MC Based on Shared Values

by Tim Passingham 12 March 2026
CAMBRIDGE | See how Cambridge MC and Pembroke College are creating mutual value through a unique corporate partnership spanning student opportunities, academic collaboration and industry events | READ FULL CASE STUDY
Neon sharks made out of code.

Ransomware in 2026: What Boards Actually Need to Know

by Simon Crimp 9 March 2026
Cyber Security | Ransomware in 2026 is a board-level resilience issue. Learn the key risks, weak spots and practical questions boards should ask to improve readiness, recovery and response.
The Top 21.2026 at the awards event in Cambridge, UK.

#21toWatch 2026 Winners Revealed: Deeptech Founders Tackling Society's Toughest Health and Climate Challenges

6 March 2026
The #21toWatch Top21.2026 winners have been announced at an awards ceremony at The Glasshouse innovation hub in Cambridge.
Asian business woman near a long window and looking at a tablet.

IWD 2026: Embracing The Power of Femininity at Work

by Arianna Mortali 6 March 2026
BLOG | A student’s perspective on why women shouldn’t have to ‘play masculine’ to succeed at work – and how valuing empathy, confidence and inclusive leadership can help close gender gaps and build healthier organisations.
Abstract squiggle of circles

Where Should Leaders Really Start with AI in 2026?

by Simon Crimp 19 February 2026
Where should leaders start with AI in 2026? A practical guide to moving beyond pilots, clarifying risk appetite, strengthening governance, improving data readiness, and delivering measurable enterprise value from AI at scale | READ FULL ARTICLE
Close up of a data centre stack with ports and wires visible

Case Study: Enhancing Data Centre Infrastructure through a Comprehensive Connectivity Study

12 February 2026
We were approached by one of the fastest growing data centre providers in Europe. With over 20 data centres throughout the continent, they are consistently meeting the need for scalable, high-performance infrastructure. Despite this, a key data centre in Scandinavia had become reliant on a single, non-redundant 1 Gbps internet service from a local provider, posing significant risks to operational continuity. To enhance the reliability of its network and resolve these risks, our client needed to establish additional connectivity paths to ensure the redundancy of its infrastructure. The Ask Cambridge Management Consulting was engaged to address these connectivity challenges by identifying and evaluating potential vendors and infrastructure options to create second and third connectivity paths. This involved exploring various types of connectivity, including internet access, point-to-point capacity, wavelengths, and dark fibre. Additionally, Cambridge MC was asked to provide recommendations for building a local fibre network around the data centre to control and maintain diverse paths. This would allow the data centre to connect directly to nearby points of presence (PoPs) and reduce dependency on external providers, thereby enhancing network resilience and operational control. The goal of this project was to ensure that the Nordic data centre could maintain continuous operations even in the event of a failure in the primary connection. Approach & Skills Cambridge MC approached the project with a focus on ensuring operational continuity and resilience for the data centre. By identifying multiple connectivity paths, we aimed to mitigate the risk of network failures and ensure that the data centre could maintain continuous operations even in the event of a failure in the primary connection. This approach allowed Cambridge MC to provide a comprehensive solution to address both immediate and long-term connectivity needs. We employed a combination of Agile and Waterfall methodologies to manage the project. The initial investigative phase allowed a Waterfall approach, in which our team conducted thorough research and analysis to identify potential vendors and connectivity options. This phase involved detailed interviews with various telecommunications providers and an assessment of publicly available information. Once the initial analysis was complete, the workflow transitioned to an Agile approach for the implementation phase. This allowed Cambridge MC to adapt to new information and feedback from stakeholders, ensuring that the final solution was both flexible and robust. Challenges Lack of information: One of the primary obstacles we faced was the lack of detailed network maps and information from some of the potential vendors. To overcome this, the team conducted extensive interviews with contacts at these companies and leveraged its existing network of industry contacts to gather as much information as possible. Remote location: Another challenge was the remote location of the data centre, which limited the availability of local infrastructure and required us to explore creative solutions for connectivity. Cambridge MC addressed this by proposing the construction of a local fibre network around the data centre, which would allow for greater control and flexibility in connecting to nearby PoPs. Fragmented factors: Additionally, coordinating with multiple vendors and ensuring that their services could be integrated seamlessly posed a logistical challenge. We mitigated this by recommending a phased approach to implementation, starting with the most critical connectivity paths and gradually expanding to include additional options. Outcomes & Results Increased Connectivity: Cambridge MC successfully identified and evaluated multiple connectivity paths for the data centre. By exploring various types of connectivity, including internet access, point-to-point capacity, wavelengths, and dark fibre, we provided a comprehensive solution that significantly enhanced network resilience and reliability. Greater Control & Flexibility: Our recommendations for building a local fibre network around the data centre allowed for greater control and flexibility in connecting to nearby points of presence, ensuring continuous operations even in the event of a failure in the primary connection. New Vendors: The team’s extensive network of industry contacts and deep understanding of the regional telecommunications landscape allowed for a thorough and nuanced evaluation of potential vendors and connectivity options. Scope for Future Work: Cambridge MC identified several future developments with the potential to further enhance international connectivity and provide additional redundancy for the data centre. We also proposed further assistance, including a site visit for a more in-depth analysis of options, issuing RFI/RFP to vendors for capacity and fibre, and conducting similar connectivity studies for other candidate sites in the region.
Neon discs fading from blue to green to purple, cascading diagnolly across the screen.

Thames Freeport’s Connectivity Lab Participants Announced

by Cambridge Management Consulting 28 January 2026
Thames Freeport this week revealed the eight companies selected to participate in the Freeport’s Connectivity Lab, an initiative focused on validating commercially proven technologies in live port and logistics environments.
Aerial view of a data centre warehouse in the English countryside

The Modern Data Centre: Power, Progress, and Paradox

by Duncan Clubb 13 January 2026
Author

Case Study: Supporting Thames Freeport to Create an Innovation Strategy to Drive Inward Investment

by Matt Lawson 2 January 2026
Emerging as a hub for innovation, Thames Freeport is a unique initiative designed to stimulate trade and transform the lives of people in its region. Leveraging global connectivity and occupying a strategic position with intermodal capabilities across river, rail, and road, Thames Freeport has recognised its opportunity to drive economic regeneration for the local area. Thames Freeport engaged Cambridge Management Consulting to design a clear strategy for innovation over the next three to five years. Key considerations for this innovation strategy included objectives and KPIs, the future of the business ecosystem in the region, physical clusters and assets such as innovation hubs, and opportunities and challenges on the way. The Solution Working with our innovation partner, L Marks, Cambridge MC conducted an innovation strategy project which involved the following: Engaging with a range of stakeholders and partners from local authorities to corporate partners across the Thames Freeport area, leveraging interviews with key individuals to build a common picture of innovation aspirations, opportunities, and challenges. Conducting a series of workshops for the Thames Freeport team to consider visions and objectives, themes and focus areas, physical hubs and overall programme structure, and a three-year roadmap plan. Building a comprehensive innovation strategy which internalised all of the above questions. This was then presented to their board and formed the basis of the public tenders for innovation programmes that were then made public. 
More posts