A few months ago, after Zendesk discovered that a hacker had accessed some of its customers’ support information, the company went beyond disclosing the occurrence and announced plans to improve the security of its Software as a Service (SaaS) for tracking customer service inquiries. Since then, the company has put in place features for users and behind-the-scenes upgrades to prevent future attacks.
The company brought on Ryan Gurney as its vice president of security. Gurney headed up security at Engine Yard and previously worked as a senior manager of security engineering at eBay. Before Zendesk hired him, there had been a head of security, but that person had other responsibilities. Zendesk now has four people focused full-time on security, double what there was before.
The attack quickly motivated executives to invest more time and money in making the service secure, Gurney said. He wasn’t sure exactly how much the changes have cost the company, only that it was “a large investment.”
The network underlying Zendesk has gotten security upgrades, Gurney said. That entails bringing in more robust security incident and event management gear from McAfee for spotting trends that could point to vulnerabilities worth looking into. Zendesk also installed new dedicated intrusion-detection gear from Sourcefire, alongside existing systems from Cisco and Palo Alto Networks.
Among the new functions that will be visible to Zendesk users: digital signatures on emails the service sends out, so users will be able to check for authenticity; more detailed logs of activity; the ability to turn off access to suspicious devices; email alerts for potential security issues; and more complex login settings for customer-service agents and admins. Zendesk detailed the moves in a Tuesday blog post.
Taken together, the features give Zendesk users more knobs to turn on security, theoretically helping them manage their own risks. And Zendesk itself is trying harder to prevent security issues from popping up in the background.
Zendesk is hardly the only company to be on the receiving end of cyberattacks. Dropbox and LinkedIn got attacked last year. Apple’s developer website got hit two weeks ago. Big companies might have the budgets to fend off many attacks, but they’re not the only ones attackers want to target. Often companies forgo the process of disclosing hacks, Gurney said, so it’s hard to know the full range. But clearly SaaS companies should be cognizant of the possibility. Then it becomes a question of whether they want to inform the public and get points for buckling down on security.