Software as a Service (SaaS) is a cloud-based software delivery model where apps are hosted by a service provider and made available to users over the Internet. With this model, apps are easy to adopt and use.
However, a recent report from AppOmni reveals that one-third of companies surveyed reported experiencing a data breach this year, marking a 5% increase from the previous year.
AppOmni’s State of SaaS Security 2024 Report is based on a survey conducted with cybersecurity decision-makers from 644 organizations across the United States, the United Kingdom, France, Germany, Japan, and Australia, with nearly half of these organizations employing over 2,500 people.
Why focus on SaaS security?
One of the most pressing issues identified is the risk associated with Generative AI, with 38% of respondents expressing worries about data and intellectual property vulnerabilities stemming from this technology.
Confidence in data security within SaaS applications is notably declining as only 32% of organizations feel secure about their data. This is a sharp drop from 42% in the previous year which is particularly concerning given the backdrop of rising breaches, as 58% of organizations reported experiencing a security incident in the past year.
While 90% of organizations claim to have policies restricting unauthorized application use, 34% admit these policies are not enforced—a significant increase from the previous year. This gap between policy and practice exacerbates security risks, as organizations struggle to maintain oversight of their SaaS applications. In fact, 34% of respondents are unaware of how many SaaS applications are deployed within their organizations, complicating management and security efforts. About 50% of respondents believe that Microsoft 365 does not have up to 10 connected apps, however, AppOmni’s research reveals that on average, it has 1,000.
SaaS exploits are expanding, mainly thanks to the tussle for whose responsibility it is to secure the apps. From the survey, 50% of respondents believe that this is the primary duty of business owners or stakeholders, while only 15% attribute this responsibility to cybersecurity teams. This distribution can lead to confusion and inadequate security measures as responsibilities are not clearly defined.
Concerns regarding data loss are also prevalent, with organizations citing the loss of intellectual property (34%), reputational damage (30%), and customer data compromise (27%) as their top fears related to SaaS security. These findings emphasize the urgent need for organizations to enhance their SaaS security strategies, ensuring robust policies, clearer accountability, and improved visibility into their SaaS environments to mitigate risks effectively.
Looking ahead, the report indicates a shift in organizational priorities regarding cybersecurity. Approximately 69% of respondents anticipate increased spending on cybersecurity measures in the next 12 months. Also, 29% expect discussions around return on investment (ROI) on cybersecurity investments to become a focal point, emphasizing the need for quantifiable risk reduction.
Brendan O’Connor, CEO of AppOmni said: “SaaS has come a long way from its early days of use in isolated departments, and now underpins modern businesses across every function. But attackers continue to wreak havoc by stealing data, holding companies ransom, disrupting business operations, and damaging organizations’ reputations. Our survey findings, conversations, SaaS war stories over the last year, and the current regulatory environment make it clear that SaaS security must mature.”
“As attacker TTPs and preventable security issues are becoming more widely-known, there are signs that CISOs and their teams are prioritizing SaaS risks among their cloud security initiatives—even as budget pressures intensify. The days of waiting on SaaS vendors as the primary security providers for your SaaS estate are over. As the operating system of business, your SaaS estate requires a well-structured security program, organizational alignment on responsibility and accountability, and continuous monitoring at scale.” O’Connor concluded.
