Software-as-a-service (SaaS) applications are predicted to make up the majority of software used over the next three years. Organizations are realizing how adopting SaaS instead of implementing on-prem applications can accelerate software implementation timelines at a reduced cost. But what users don’t always take into account are the security risks associated with SaaS.
Generally speaking, the more SaaS applications an organization has in its tech stack, the greater the risk of suffering a cyberattack. Many organizations take a hands-off approach to SaaS security, making these applications a prime target for hackers. To improve security, IT teams need to understand how each of their SaaS applications functions, clarify who has access to them, and identify weaknesses that hackers could exploit.
SaaS complacency is common — and costly
The average organization has around 323 SaaS applications, and on average IT teams only manage 27% of them. Managing security is difficult with this little visibility. If you can only manage about one-quarter of your applications, how can you be confident they’re all secure?
Business units and individual employees purchase and manage the remaining 73% of SaaS applications independently — a practice known as shadow IT. While employees may feel like shadow IT gives them more autonomy, the downsides are significant: Using software that isn’t vetted or monitored by IT can lead to data breaches.
One notable example came last year when a group of hackers targeted Electronic Arts (EA). In an attempt to gain access to valuable data, the hackers bought $10 worth of stolen cookies that contained the Slack login details for EA employees. Once in Slack, the hackers were able to secure a multi-factor authentication token from an IT administrator, allowing them to obtain game source code, debug tools, and SDK and API keys.
Ultimately, Slack was the gateway cybercriminals needed to carry out an attack — but had there been closer monitoring of the application, IT could have identified the breach sooner. Attacks like EA’s are commonplace, especially when organizations have to manage hundreds of SaaS applications manually.
Although it cost next to nothing for these hackers to steal EA’s data, the cost of a data breach for the victims is much higher — costing U.S. companies an average of $4.24 million in 2021. As organizations continue to invest in SaaS, the cost of complacency grows exponentially. To prevent data breaches, your organization must reevaluate its approach to SaaS Management and limit weaknesses that hackers are now looking to exploit.
Is SaaS visibility the key to preventing data breaches?
Data breaches can happen even with reputable tools that are known to IT, like EA’s Slack example, so imagine the risks involved with applications your IT team doesn’t even know about.
To get the most out of your SaaS applications and strengthen your security posture, you need to create a SaaS Management strategy. A thorough strategy will provide greater visibility into your SaaS applications and reduce their associated risks. A successful SaaS Management strategy should incorporate the following aspects:
Make detection and monitoring ongoing. As mentioned earlier, the average business has hundreds of SaaS applications — but most IT departments don’t have a systematized way to see when new applications enter their environment. This lack of visibility is dangerous when you consider each application as a potential opening for cybercriminals to enter the organization’s network. Your IT team likely doesn’t have the bandwidth to manually monitor the sheer volume of SaaS applications in spreadsheets, but a SaaS Management platform can make this process simpler.
A SaaS Management platform can identify every SaaS application that enters your organization, including shadow IT applications, as well as monitor employee usage. Platforms that use AI can also alert you to new SaaS purchases, allowing your IT team to configure them for existing security systems immediately.
Deactivate inactive accounts. When an employee leaves, IT teams will typically deactivate their logins from vital company applications, but many less vital applications are forgotten. If the employee uses an application that your IT team isn’t aware of, that employee could maintain access beyond their time at your company. And there’s always the potential for their credentials to fall into the wrong hands.
Obviously, allowing those outside your organization access to sensitive information isn’t a good idea. As part of your SaaS Management strategy, your IT team should pay close attention to employee departures and manually deactivate users as needed or use your SaaS Management platform to flag them instead.
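The check described above can be run as a reconciliation between the HR roster and each application's account export. The following is an added example, not code from this article or from any SaaS Management platform; the CSV layouts, column names, application names and the example.com addresses are assumptions constructed for illustration.

```python
import csv
from datetime import date

# Constructed sample data: HR roster plus account exports; it_managed=no marks shadow IT.
HR_ROSTER = """email,end_date
alice@example.com,
bob@example.com,2024-03-01
carol@example.com,2024-06-15
"""

APP_ACCOUNTS = """app,it_managed,account,status
chat,yes,Alice@Example.com,active
chat,yes,bob@example.com,suspended
designtool,no,BOB@example.com,active
designtool,no,carol@example.com,active
notes,no,dave@example.com,active
"""


def load_roster(text):
    """Map normalized email -> end date (None while still employed)."""
    roster = {}
    for row in csv.DictReader(text.splitlines()):
        end = row["end_date"].strip()
        roster[row["email"].strip().lower()] = date.fromisoformat(end) if end else None
    return roster


def find_stale_accounts(roster_text, accounts_text, today):
    """Return active accounts owned by departed or unknown users, shadow IT first."""
    roster = load_roster(roster_text)
    findings = []
    for row in csv.DictReader(accounts_text.splitlines()):
        if row["status"].strip().lower() != "active":
            continue  # already deactivated in this application
        email = row["account"].strip().lower()  # apps differ in email casing
        if email not in roster:
            reason = "no matching employee"
        elif roster[email] is not None and roster[email] <= today:
            reason = "employee left " + roster[email].isoformat()
        else:
            continue  # current employee, or departure date still in the future
        scope = "managed" if row["it_managed"].strip().lower() == "yes" else "shadow IT"
        findings.append((row["app"], email, reason, scope))
    return sorted(findings, key=lambda f: (f[3] != "shadow IT", f[0], f[1]))


if __name__ == "__main__":
    for finding in find_stale_accounts(HR_ROSTER, APP_ACCOUNTS, date(2024, 4, 1)):
        print(*finding, sep=" | ")
```

Accounts in applications IT does not manage sort to the top because no standard offboarding step would otherwise reach them.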
Empower employees to take initiative. Although shadow IT applications present a significant security risk, they also satisfy employees who want control over how they work. Two-thirds of Gen Z and millennial workers say they prioritize autonomy in choosing the applications, services, and devices they use at work.
An application catalog can provide these employees with the autonomy they desire without sacrificing security. After identifying the SaaS applications your organization uses, you can then curate a self-service library of these SaaS tools. Employees can search this catalog to experiment with different applications and find the ones that work best for them.
In addition to a SaaS Management strategy, your IT team should also educate employees on common SaaS security risks. Employees should understand how to identify the signs of session hijacking, social masquerading, and phishing attacks. Above all, they should understand that caution is always the best approach — if they aren’t sure, ask.
The more SaaS applications you have, the harder it is to keep them secure
SaaS adoption and growth show no sign of slowing down. Companies will continue to prioritize the convenience and efficiency that these applications provide, and your IT team will have to keep up. To keep new applications secure, you need a strong SaaS Management strategy that enables you to be proactive, rather than reactive. The combination of effective security education with thorough SaaS monitoring will enable your company to expand its SaaS catalog with greater peace of mind.