Software as a Service (SaaS) is a cloud-based software delivery model in which applications are hosted by a service provider and made available to users over the Internet. This model makes apps easy to adopt and use.
However, a recent report from AppOmni found that a third of businesses surveyed suffered a data breach this year, up 5% from the previous year.
AppOmni’s State of SaaS Security Report 2024 is based on a survey of cybersecurity decision makers from 644 organizations in the United States, United Kingdom, France, Germany, Japan and Australia. Nearly half of these organizations have more than 2,500 employees.
Why should you focus on SaaS security?
One of the most pressing issues identified is the risk associated with generative AI, with 38% of respondents concerned about data and intellectual property vulnerabilities arising from this technology.
Confidence in data security within SaaS applications is declining significantly, with only 32% of organizations feeling secure about their data. This is a sharp drop from 42% the previous year, which is particularly concerning given the backdrop of rising breaches, with 58% of organizations reporting having experienced a security incident in the past year.
While 90% of organizations claim to have policies in place to restrict unauthorized application use, 34% admit these policies aren’t being enforced—a significant increase from the previous year. This gap between policy and practice exacerbates security risks as organizations struggle to monitor their SaaS applications. In fact, 34% of respondents aren’t aware of how many SaaS applications are deployed within their organizations, complicating management and security efforts. About 50% of respondents believe Microsoft 365 doesn’t have a maximum of 10 connected apps, but research from AppOmni shows it has an average of 1,000.
SaaS exploits are on the rise, largely due to the battle over who is responsible for securing the apps. The survey found that 50% of respondents believe this is the primary responsibility of business owners or stakeholders, while only 15% attribute this responsibility to cybersecurity teams. This division can lead to confusion and inadequate security measures, as responsibilities are not clearly defined.
Concerns about data loss are also widespread, with organizations citing loss of intellectual property (34%), reputational damage (30%) and customer data breaches (27%) as their top fears regarding SaaS security. These findings highlight the urgent need for organizations to improve their SaaS security strategies, ensure robust policies, clearer accountability and greater visibility into their SaaS environments to effectively mitigate risk.
Looking ahead, the report highlights a shift in organizational priorities regarding cybersecurity. Some 69% of respondents expect to increase spending on cybersecurity measures in the next 12 months. Also, 29% expect discussions around return on investment (ROI) on cybersecurity investments to become a central issue, emphasizing the need for quantifiable risk reduction.
Brendan O’Connor, CEO of AppOmni, said: “SaaS has come a long way from its early days of siloed departments to the foundation of modern businesses across every function. But attackers continue to wreak havoc by stealing data, holding companies hostage, disrupting operations, and damaging organizations’ reputations. Our research, conversations, SaaS war stories from the past year, and today’s regulations make it clear that SaaS security needs to mature.”
“As attacker TTPs and preventable security issues become more widely known, there are signs that CISOs and their teams are prioritizing SaaS risks in their cloud security initiatives, even as budget pressures increase. The days of waiting on SaaS vendors to become the primary security providers for your SaaS estate are over. As the operating system of your business, your SaaS estate requires a well-structured security program, organizational alignment around responsibility and accountability, and continuous monitoring at scale,” O’Connor concluded.