Enterprise security now overlooks SaaS vulnerabilities as a significant concern

Unnoticed Upsurge in SaaS Security Risks Revealed by Recent Studies

Enterprise cybersecurity, particularly regarding Software-as-a-Service (SaaS), has become a significant unaddressed vulnerability.

Many organisations are facing a troubling illusion of control when it comes to their security posture in Software as a Service (SaaS) environments, according to a recent study by AppOmni. The study highlights a significant disconnect between the evolving risks posed by SaaS environments and organisations' actual preparedness and visibility into those risks.

The research reveals that over half of the enterprises polled are using at least 50 SaaS solutions, making SaaS one of the most actively targeted layers of the enterprise attack surface [1]. In the past year, 75% of organisations experienced a data breach or security incident involving SaaS applications [2].

This misplaced confidence stems from a gap in understanding the scale and complexity of vulnerabilities within SaaS stacks. Nearly half of incidents stemmed from permission issues, while 29% resulted from misconfigurations [3]. The CEO of AppOmni, Brendan O'Connor, stated that this gap highlights how enterprises often underestimate the threats faced by their SaaS environments [5].

The study found that just over half of organisations only use periodic reviews to assess SaaS-related security risks, while only 43% have implemented continuous or near-real-time oversight [4]. O'Connor emphasised the need for a shift from ad hoc, reactive processes to a mature, disciplined approach built on continuous monitoring and clear ownership [6].

The study also found that only 13% of respondents currently use a dedicated SaaS Security Posture Management (SSPM) solution, and just over a third of enterprises have 100 or more SaaS solutions [1]. This increasing complexity in SaaS environments is driving an appetite for more robust oversight of non-human identities and generative AI tool access within SaaS applications.

Data breaches and the potential loss of intellectual property are the main concern for 57% of survey respondents, while just over a third expressed considerable apprehension about compromised customer data [7]. Despite the high number of SaaS-related incidents, 89% of those organisations believed they had appropriate visibility of their SaaS environments [8].

The study also points to complacency and overconfidence on SaaS security as concerning aspects, with only 16% of respondents assigning SaaS security solely to security teams, while 43% leave it to various business units [3]. This lack of clear ownership and responsibility contributes to the illusion of control that many organisations face.

Looking ahead, 61% of respondents expect AI to dominate SaaS security discussions in the coming year [9]. As SaaS environments become increasingly complex, it is crucial for organisations to adopt a proactive, disciplined approach to SaaS security to address the growing threats and protect their valuable assets.

  1. The troubling illusion of control that organizations have over their cybersecurity posture within SaaS environments is exacerbated by the widespread use of multiple SaaS solutions, as highlighted by a study by AppOmni.
  2. The study reveals that the lack of continuous or near-real-time oversight and the underestimation of SaaS threats by numerous organizations lead to a significant number of data breaches and security incidents involving SaaS applications.
  3. As SaaS environments become more complex, the growing use of generative AI tools and non-human identities within SaaS applications necessitates a proactive, disciplined approach to cybersecurity, including the adoption of dedicated SaaS Security Posture Management solutions.
