
Study: The Truth About SaaS Security and Why No One Cares…Yet

Published 09/29/2022

Originally published by Axonius here.

Written by Tracey Workman, Axonius.

A few months ago, we decided to conduct a study of IT and security professionals in the U.S. and Europe to better understand how they’re handling the rapid adoption of SaaS applications across their organizations.

We already know increased SaaS consumption has made the ability to gain a credible SaaS asset inventory challenging, so we expected survey respondents to report a mixture of concern and anxiety over their ability to secure and manage their SaaS applications.

But boy, were we wrong!

The data we ended up getting back in the study, The Truth About SaaS: Why No One Cares About SaaS Security...Yet, told a much different story. Instead of prioritizing SaaS security, the majority of respondents reported almost a casualness to the state of SaaS in their organizations. In fact, SaaS security didn’t even rank in the top three in a list of security priorities.

At first, we figured there had to be something wrong with the data. But upon deeper analysis, we realized that most organizations simply haven’t yet recognized the risks that SaaS applications pose to their security posture, and here’s why.

SaaS Spending Rises to the Top

SaaS adoption within organizations can almost be viewed as an addiction, from apps that help teams better communicate like Slack and Zoom, to apps that help manage tasks like Notion and Monday.com. There’s both an endless supply of them and a never-ending appetite to download and install them. Need to build an online form to collect customer feedback? Or automate how you track invoices? Good news, there’s a SaaS app for that!

But this appetite has dramatically increased SaaS spending. It accounts for the largest portion of cloud services (Infrastructure as a Service, Platform as a Service, SaaS) costs in organizations, according to Gartner. SaaS spend is forecasted to reach $176.6 billion — a 16% year-over-year growth — in end-user spending in 2022.

And that’s in line with what we found in our study, with 66% of respondents reporting that they spend more on SaaS applications today than a year ago.

So we’re adopting more SaaS apps, with 74% of respondents reporting more than half of their applications are now SaaS-based. We’re spending more on SaaS apps, and yet only 34% of respondents in our study are worried about the costs associated with this rise in usage.

Blame the Lack of Time and Resources

Perhaps the reason for the nonchalance when it comes to spend is the numerous other pressures already facing IT and security teams — and often from above. In our study, 23% of respondents said pressure from the C-suite to focus on other issues was a reason for not prioritizing SaaS security, while an even greater percentage (28%) pointed to limited time and resources.

It’s not hard to see why.

Every day, there’s a new headline pointing to a ransomware attack, data breach, or insider threat. At the same time, the ongoing adoption of hybrid and remote work continues to expand the attack surfaces of many organizations. This combination of heightened threats and greater vulnerabilities makes it even more challenging for IT and security teams to secure their organizations, and cloud and data security are often seen as the weakest link rather than SaaS.

The SaaS Tipping Point

As we referenced above, we’re in the thick of rapid SaaS adoption and we’ve reached a tipping point. But as SaaS usage becomes more mainstream, the security risks will as well.

For one, misconfigurations can occur in any SaaS application, regardless of how prominent or well-known the SaaS provider may be. And even though 77% of respondents reported high confidence when it came to configuring their SaaS apps correctly, SaaS configuration settings and permissions are highly complex. Managing them at scale isn’t realistic, especially when teams are already spread thin.

Beyond misconfigurations, there’s also the risk of shadow SaaS apps that have bypassed IT’s typical vetting procedures. In our survey, 90% of respondents stated their major concern is shadow SaaS and the risk of employees using SaaS applications without the knowledge of their security or IT teams. And it should be. In fact, additional research has found 80% of employees use applications on the job that aren’t approved by IT.

These are just two of the bigger security challenges when it comes to SaaS applications, but there are also non-compliance concerns, increased costs, and the potential for loss of sensitive data.

We’re beyond being able to push this back to next month or even next week. SaaS security needs to be prioritized today, and the good news is that we can help.
