Why SaaS Providers Shouldn’t Upsell Essential Security Features

Tom Burton
Subscribe Contact us
David Jones

What Problem do Too Many SaaS Providers Have in Common?


Many SaaS security providers have a history of treating important safety and security features as something to upsell. This raises the important question of whether a software vendor has a moral responsibility for the secure operation of their solution.


In this article, we explore the implications of treating important security and safety features as an upsell, using Boeing as a test case of where this can go wrong.


The Case of Boeing and the Aviation Industry


The case against Boeing is emblematic of a more systemic issue across the aviation industry, and many other industries. The public became aware of this issue under tragic circumstances when the Lion Air and Ethiopian Air Boeing 737 Max airliners crashed in 2018 and 2019 respectively. According to the widely quoted New York Times article, the crash could have been avoided if the pilots had access to two safety features that were sold by Boeing as optional extras.


According to the incident reports, at the root of the incident were the angle-of-attack sensors. These mechanical sensors operate in a similar fashion to a weathervane to measure whether the aircraft’s nose is pointing above or below the direction of airflow. Being mechanical, they may be prone to malfunction, perhaps jamming after having been installed incorrectly — as was believed to be the case for the Lion Air aircraft. The system that led to the aircraft’s demise, which identifies the risk of the aircraft stalling, only listened to one of the sensors. A difference in the signal being sent by the two sensors was not recognised by the anti-stall system; and the instruments that would have alerted the pilots to the conflicting signals were upsell items.


This wasn’t a fancy, nice-to-have bell or whistle that makes the flight more comfortable, efficient, or profitable. It is an underlying safety feature of the aircraft. If there was no safety requirement for the redundancy of two sensors, it is difficult to see why there would ever be more than one.


Boeing has now addressed the issue, and the anti-stall system listens to both sensors, responding safely in the event of conflicting signals. It should also be noted that the investigation identified pilot error and deficiencies in the training that contributed to the disasters (and this will be relevant to our points regarding many SaaS product decisions as well).


The SaaS Parallels


Cloud-delivered Software as a Service (SaaS) has revolutionised the tech industry, and catalysed a phenomenal level of innovation and growth. It has enabled new software capabilities to be brought to market faster than ever before, and facilitated the ability to reach a scale with costs defrayed across multiple customers that would have been unimaginable 30 years ago. However, the benefits of being able to access a service from anywhere, at any time, by anyone also presents significant risks. The ‘anyone’ can be a malicious party operating outside of the reach of law enforcement or extradition. As a result, there are clear commercial responsibilities placed on SaaS providers to secure their infrastructure from attack, and those that do not are unlikely to last long in the marketplace.


But just like the aviation industry, there are different flavours of security, and different perceptions of what is considered essential. Taking due care and applying due diligence to ensure that the platform itself is adequately secured from a direct attack is clearly the vendor’s responsibility – but what about those elements of security that relate to risk owned by their customers?


One key element of customer risk relates to the security of a user’s password. It is their responsibility to make sure they choose a long and random string drawn from upper case, lower case, numerical, and special characters (if allowed). It is also their responsibility to ensure that they do not ever use the same password for multiple applications or services.


But, we know that compromised credentials is a common failure mode. Just because it is the user’s responsibility to mitigate this risk, this doesn’t mean that system developers do not also have some mutual responsibility to make it easier for the user to exercise that responsibility; controls have been developed specifically for that purpose. The most obvious ones are Multi Factor Authentication (MFA, or 2FA), and Single Sign On (SSO). With MFA, we improve the security of the credentials by also verifying that the user is in possession of their trusted device before we trust them at sign in. With SSO, we minimise the number of credentials and accounts to manage by federating with a single corporate account; we can then concentrate our effort to secure that corporate account rather than spreading our resources thinly. Both are relatively easily implemented these days, particularly in the case of SSO where the OAuth protocols are widely offered by Identity Providers. Once implemented, both are essentially free to operate, particularly if MFA uses an Authenticator app rather than SMS text messages.


SaaS providers recognise that this security is important, and they will frequently implement MFA and SSO controls into their applications to meet that customer demand. But, too frequently, we see them only offered as part of the more expensive subscription options. This element of security is not enhancing the vendor’s core proposition; it is not making their offering more functional, better looking, or more efficient for their users. It is just making it more secure, and therefore to treat it as an item to upsell comes across as price-gouging rather than the responsible application of good security practice. It is almost as though these vendors have run out of innovative bells and whistles that their clients would value in their core product, so they have had to resort to undermining the security of their cheaper options in order to encourage their customers to pay for their more expensive ones.


It is equivalent to a bank only using the CSC code on a card to secure transactions for customers who pay for their premium banking services, because, after all, it is the customer’s responsibility to protect their card details.


Conclusion


What we have described here is not universal, and probably is not even representative of the majority of SaaS providers. But, when you are reviewing a new service, we urge you to take a closer look at what security your provider is charging extra for. If low cost, high value security controls are being upsold, then you may want to consider what other security good practices are not being considered essential.


For more information about our cyber security consulting services and Secure by Design principles in action, please contact Tom Burton, Partner for Cyber Security, using the form below.

Contact - Digital Achilles Heel

Subscribe to our Newsletter

Blog Subscribe

SHARE CONTENT

Two blocks of data with bottleneck inbetween

Hidden Costs of Complexity: Why CIOs Must Prioritise IT Supply Chain Visibility

by Paul Brooker 29 October 2025
Read our article on hidden complexity and find out how shadow IT, duplicate tools and siloed buying bloat costs. See how CIOs gain a single view of IT spend to cut waste, boost compliance and unlock 5–7% annual savings | READ FULL ARTICLE

Fibrematic Engages Cambridge Management Consulting to Support its Go-to-Market Strategy and Expansion in Europe

by Cambridge Management Consulting 20 October 2025
Press Release
A darkly lit circuitboard with a flat padlock lying on top – purple tint

Cambridge Management Consulting Accredited as a National Cyber Security Centre Assured Services Cyber Advisor

by Tom Burton 17 October 2025
2 MIN READ
Neon 'Open' sign in business window

5 Questions to Help SMEs with Their Cyber Security

by Tom Burton 9 October 2025
SMEs make up 99% of UK businesses, three fifths of employment, over 50% of all business revenue, are in everyone's supply chain, and are exposed to largely the same threats as large enterprises. How should they get started with cyber security? Small and Medium sized Enterprises (SME) are not immune to the threat of cyber attacks. At the very least, if your business has money then it will be attractive to criminals. And even if you don’t have anything of value, you may still get caught up in a ransomware campaign with all of your data and systems made inaccessible. Unfortunately many SMEs do not have an IT team let alone a cyber security team. It may not be obvious where to start, but inaction can have significant impact on your business by both increasing risk and reducing the confidence to address new opportunities. In this article we outline 5 key questions that can help SMEs to understand what they need to do. Even if you outsource your IT to a supplier these questions are still relevant. Some can’t be delegated, and others are topics for discussion so that you can ensure your service provider is doing the right things, as well as understanding where their responsibilities stop and yours start. Q1: What's Important & Worth Defending Not everything needs protecting equally. In your personal life you will have some possessions that are dear to you and others that you are more laissez-faire about. The same applies to your digital assets, and the start point for any security plan needs to be an audit of the things you own and their importance to your business. Those ‘things’, or assets, may be particular types of data or information. For instance, you may have sensitive intellectual property or trade secrets; you may hold information about your customers that is governed by privacy regulations; or your financial data may be of particular concern. Some of this information needs to be protected from theft, while it may be more important to prevent other types of data from being modified or deleted. It is helpful to build a list of these assets, and their characteristics like the table below:
Illustration of EV sensor fields

AI at the Edge: The Backbone of Digital Infrastructure

by Duncan Clubb 25 September 2025
Explore the rise of edge AI: smaller data centres, faster networks, and sustainable power solutions. See why the future of digital infrastructure is distributed and intelligent | READ FULL ARTICLE
A close-up of the Downing St sign

How the UK Government's AI Playbook Will Reshape Public Services

by Craig Cheney 19 September 2025
Craig Cheney | The conversation around artificial intelligence (AI) in Government has shifted in recent years. The publication of the UK Government’s AI Playbook represents more than just updated guidance — it signals a huge shift in the government's approach to AI.
Volcano lava lake

The Cost of Short-Termism: Why Ignoring Sustainability Erodes Business Value

by Scott Armstrong 18 September 2025
Discover why short-term thinking on sustainability risks business growth. Explore how long-term climate strategy drives resilience, valuation, and trust | READ FULL ARTICLE
Close up of electricity pylon

AI Gridlock: The Infrastructure Problem that Might Derail the UK's AI Ambitions

by Duncan Clubb 17 September 2025
The UK’s AI ambitions face gridlock. Discover how power shortages, costly electricity, and rack density challenges threaten data centre growth – and what’s being done | READ FULL ARTICLE
Abstract neon hexagons

Why Startups Can’t Afford to Delay Their Cyber Resilience

by Tom Burton 17 September 2025
Delaying cybersecurity puts startups at risk. Discover how early safeguards boost investor confidence, customer trust, and long-term business resilience | READ FULL ARTICLE
More posts