I know I have that file somewhere… Let me just search for it.
Specialising in disaster response planning from a technology and cyber perspective is a fascinating place to be. As a society we've become so reliant on our devices and, arguably even more so, on the apps that live on them. Your shopping list is in Reminders. Your work contract is in Gmail. Your whole life is in there somewhere, give me a second, let me just search for it.
There was a time people argued "Cloud isn't going to be that big." Now we just expect it to work, to be there the moment we need it most.
Put this in the context of your everyday life: have you ever tried to find a photo on your phone when there’s no reception, forgetting that it’s not actually saved on your phone but requires a connection?
Because those are the terms and conditions you agreed to.
The features you think you bought
You sign up for a SaaS, they walk you through the shiny features, and you make assumptions. Reasonable ones. As I write this, Google Drive keeps version history, so I assume my expensive business platform does the same. Then you go digging, and it turns out version control on that platform is a premium add-on you need to pay extra for. Or it's there, but only for thirty days.
Or it works, but it hasn’t been properly configured.
And just like that, you've got a compliance and security gap, because your access controls weren't quite right when the review process relied on an already overloaded tech support team to keep up with ever-changing org structures and work titles.
Has any of this sounded relatable yet?
Let's talk about your asset register
Start with something low-stakes. If you're a large organisation that's ISO compliant, you've got an asset register. Everyone does.
Once upon a time it lived in a spreadsheet, and that was good enough. Then the spreadsheet fell behind (of course it did, you've got a hundred AWS subscriptions to track), so you moved it to SharePoint. Now you have version control and access control.
Then the tech moved on and you shifted to a drive. But people move on too, and between the turnover you couldn't keep asset owners and relationships straight, and now your auditors want fourth-party vendor assurance on top.
So you went to a purpose-built SaaS. Tagging, ticketing, alerts, the lot. Everything is awesome.
But is it?
When risk is transferred, the responsibility isn’t
When your organisation moves your business onto a SaaS, you're transferring risk. You're handing the uptime, the patching, the infrastructure to someone else's data centre, and that can be a genuinely good decision. But you can transfer the risk and still not transfer the responsibility. If it falls over, it's still your customers' data sitting in there. It's still your employees waiting to be paid.
Here's the part the sales demo skips.
The vendor's bad day becomes your bad day. So the question was never "is the cloud safe?" The question is "if my provider has a very bad week, do I still have control of my own recovery?"
Now make it the system that pays your staff
That's the warm-up. Now run the exact same story on the platform that holds your customer PII and pays your people. The systems you genuinely cannot operate without for more than a few days.
Let’s look at UniSuper as an example. In May 2024, a Google Cloud misconfiguration deleted the entire cloud account of this $135 billion Australian super fund, including its backups across multiple locations. The result was roughly a two-week outage for 647,000 members. The company had done its due diligence and recovered because it held backups with a separate provider, at no small cost. However, if this were SaaS, independent data backups may not have been available unless explicitly agreed on as a feature.
But that won't happen to you, right?
Maybe. But if it does, picture this: you can't get into the platform, and even if you could, you wouldn't recognise what's left. Your backups, if you have them, are a pile of misaligned exports nobody can reassemble. Your whole company can't log timesheets or raise an invoice. Customer data you're legally responsible for is sitting somewhere you can no longer reach. And the person who "owns" the system doesn't have the resources, the access, or the plan to do anything about it.
"Was it Tony who set it up back in 2018? They left the organisation years ago." Sound familiar?
How long could you actually survive?
How much money does your company have in the bank to keep paying people while you can't bill for weeks?
Did you read the terms and conditions before you ran your entire business on this platform? Because the recovery you assumed was included often isn't. You might have skipped the backup option to begin with, seeing as it came with a 100GB minimum policy, and who's got the margin to pay for that?
This is the bit that keeps me up. Not the breach itself, but how few organisations can answer one simple question: if this disappeared tomorrow, what is the financial, reputational and human impact?
So what are your options?
You don't fix this with panic. You fix it with a few honest questions you can actually go and ask on Monday:
Have you read what your provider genuinely guarantees on backup and recovery, or did you assume it? Find the line. Not the marketing page, the contract.
Do you hold your own independent backup, one you could restore without the vendor's help or goodwill?
Can your data be loaded to another platform if needed, or is it a proprietary format?
If the platform vanished tomorrow, what is the business impact? Put a number on it.
Who owns the recovery plan for each critical SaaS, and do they have the budget and the authority to act when it counts?
Have you tested any of this, or does the plan only exist on paper?
None of these needs a big program of work to start. They need someone willing to ask them out loud.
What now?
Moving to SaaS can be the right call ten times out of ten. But "someone else runs it" is not the same as "someone else is responsible for it," and it's your customers and your employees who feel the difference if you get that wrong.
So before you sign, or before your next audit, ask the unglamorous question. Not "what can this platform do?" but "what happens to my people when it can't?"