Software as a Service (SaaS) is a cloud-based software delivery model in which a service provider hosts applications and makes them available to users over the Internet. With this model, applications are easy to adopt and use.
However, a recent report from AppOmni reveals that one-third of companies surveyed reported experiencing a data breach this year, marking a 5% increase from the previous year.
AppOmni’s State of SaaS Security 2024 report is based on a survey of cybersecurity decision makers at 644 organizations in the US, UK, France, Germany, Japan, and Australia, with nearly half of these organizations employing more than 2,500 people.
Why focus on SaaS security?
One of the most pressing issues identified is the risk associated with generative AI: 38% of respondents expressed concern about data and intellectual property vulnerabilities arising from this technology.
Confidence in data security within SaaS applications is declining markedly, with only 32% of organizations feeling secure about their data. This is a sharp drop from 42% the year before, which is particularly worrying given the backdrop of rising breaches, with 58% of organizations reporting they have experienced a security incident in the past year.
While 90% of organizations say they have policies restricting unauthorized application usage, 34% admit that these policies are not enforced, which is a significant increase from the previous year. This gap between policy and practice exacerbates security risks as organizations struggle to maintain oversight of their SaaS applications. In fact, 34% of respondents are unaware of how many SaaS applications are deployed within their organizations, complicating management and security efforts. About 50% of respondents believe that Microsoft 365 has as few as 10 connected applications; however, AppOmni research reveals that, on average, it has 1,000.
SaaS security vulnerabilities are expanding, primarily because of disagreement over who is responsible for securing applications. According to the survey, 50% of respondents believe that this is the primary responsibility of business owners or stakeholders, while only 15% attribute this responsibility to cybersecurity teams. This distribution can lead to confusion and inadequate security measures, as responsibilities are not clearly defined.
Concerns around data loss are also prevalent, with organizations citing loss of intellectual property (34%), reputational damage (30%), and customer data breaches (27%) as their top fears related to SaaS security. These findings highlight the urgent need for organizations to improve their SaaS security strategies, ensuring robust policies, clearer accountability, and better visibility into their SaaS environments to effectively mitigate risks.
Looking ahead, the report indicates a shift in organizational cybersecurity priorities. Some 69% of respondents anticipate increased spending on cybersecurity measures over the next 12 months. Additionally, 29% expect discussions about cybersecurity return on investment (ROI) to become a central focus, highlighting the need for quantifiable risk reduction.
Brendan O’Connor, CEO of AppOmni, said: “SaaS has come a long way from its early days in siloed departments to now being the foundation of modern enterprises across all functions. But attackers continue to wreak havoc by stealing data, holding companies to ransom, disrupting business operations, and damaging organizations’ reputations. Our survey results, conversations, SaaS war stories over the past year, and the current regulatory environment make it clear that SaaS security needs to mature.”
“As attacks and preventable security issues become more widely known, there are signs that CISOs and their teams are prioritizing SaaS risks among their cloud security initiatives, even as budget pressures intensify. The days of waiting for SaaS vendors to be the primary security providers for your SaaS estate are over. As the operating system of the enterprise, your SaaS estate requires a well-structured security program, organizational alignment on responsibility and accountability, and continuous monitoring at scale,” O’Connor concluded.