Key Findings of SaaS Security Survey Report

by CISOCONNECT Bureau

Read on to learn about the growing risks in SaaS security and how various organizations are currently working to stay secure.

The 2022 SaaS Security Survey Report, produced in collaboration with CSA, investigates the state of SaaS security as perceived by CISOs and other security experts in today’s enterprises. In order to assess the emerging risks in SaaS security as well as how various organizations are currently striving to secure their systems, the report collected anonymous responses from 340 CSA members.

The majority of respondents (71 percent) came from the Americas, with another 17 percent coming from Asia and 13 percent from EMEA. 49 percent of these participants influence the decision-making process, while 39 percent run the process itself. The survey examined businesses from a range of sectors, including government (9 percent), finance (22 percent) and telecoms (25 percent).

Security Incidents are due to SaaS Misconfigurations
SaaS misconfigurations have risen as the top concern for organizations since 2019, with at least 43 percent of organizations reporting they have dealt with one or more security incidents caused by a SaaS misconfiguration. The number of SaaS misconfiguration-related incidents, however, could be as high as 63 percent as several organizations have stated that they are unaware if they have ever encountered a security incident. When compared to the 17 percent of security incidents caused by IaaS misconfiguration, these figures are striking.

Leading Causes of SaaS Misconfigurations: Lack of Visibility and Too Many Departments with Access
Although there are several factors to take into account, the survey respondents focus on two main causes: too many departments with access to SaaS security settings (35 percent) and a lack of visibility into changes to the SaaS security settings (34 percent). These are two linked issues, neither of which is surprising. Too many departments have access to security settings, and many of these departments lack sufficient training and a focus on security, which is one of the main causes of the lack of visibility.

Investment in Business-Critical SaaS Applications is Outpacing SaaS Security Tools and Staff
It’s no secret that companies are utilizing more apps; in fact, 81 percent of respondents said that they have raised their spending on business-critical SaaS applications in only the past year. On the other hand, less money is invested in SaaS security staff (55 percent) and security tools (73 percent). This contradiction puts the existing security teams under more pressure to monitor SaaS security.

Organizations are Exposed due to Manual Detection and Remediation of SaaS Misconfigurations
46 percent of organizations that manually monitor their SaaS security are conducting checks only once a month or less, while 5 percent conduct any checks. It also takes security teams longer to fix a misconfiguration once they find it. When remediating manually, about 1 in 4 organizations require a week or more to fix a misconfiguration. Organizations are vulnerable throughout this prolonged period.

Third Party App Access is a Top Concern
Third-party apps, also known as no-code or low-code platforms, can increase productivity and enable hybrid work. They are crucial for building and scaling an organization’s work processes. However, several users rapidly connect third-party apps without considering what permissions these apps are requesting. Once accepted, the permissions and subsequent access granted to these third-party apps could be harmless or as malicious as an executable file. Employees are connecting these apps to their organization’s business-critical apps without visibility into the SaaS-to-SaaS supply chain, and security teams are unaware of several potential threats. As organizations continue to adopt SaaS applications, one of the key concerns is the lack of visibility, particularly with regard to third-party application access to the core SaaS stack (56 percent).

A Brief Conclusion
The 2022 SaaS Security Survey Report provides insight into how businesses use and secure their SaaS applications. Without a doubt, risk increases as organizations continue to use more business-critical SaaS apps. Organizations should start securing them through best practices to tackle the security threats head-on.
