A new report is bad news for the tech industry, with the vast majority of companies using multiple SaaS applications that were recently breached.
Wing Security analyzed more than 550 companies to gain insight into the state of SaaS application usage. A disturbing issue was the prevalence of “Shadow IT,” a term used for when employees use apps and services that are not provided or vetted by the company’s IT department.
According to the study, in large part as a result of Shadow IT, “in a staggering 84% of companies, employees were using an average of 3.5 SaaS applications that were breached in the past 3 months.”
Wing Security attributes this to the decentralized, easy access to SaaS apps:
This occurs because of the decentralized and ungoverned nature of SaaS applications. When an employee needs a quick fix to a problem or a tool to help them do their job, chances are they will “Google it” and find a SaaS application, often a free one or with a free version, to help them. These “quick fixes” often completely by-pass company procedures. It is important to keep in mind that as small and benign as an application may seem, it can still be connected (with high permissions) to one of the organization’s major SaaS applications such as Salesforce, Slack, Zoom and others.
Another major concern was the number of data permissions apps had, including apps that were not even in use. According to the company, some “76% of all permissions that were given to applications by the users were not in use for over 30 days.”
In many cases, the need for SaaS applications is in question, with a slight majority of such apps only being used by a single employee. According to Wing Security, “55% of SaaS applications are used by only one employee, raising questions about their necessity – and making it unlikely that they were known and protected by the security team.”
Another major concern is outside access. According to the company, “20% of SaaS users to be external to the organization. These are contractors, freelancers or agencies that your employees work with and have received access to your SaaS applications.”
SaaS use is on the rise, with many companies seeing it as a way to keep costs down while scaling to meet demand. Unfortunately, it appears the industry still has a long way to go before SaaS deployment matches the security of other options.
