
SaaS data breaches are on the rise: report

Many cybersecurity managers underestimate their SaaS app connections and are unsure who’s responsible for SaaS security.

Francis Scialabba


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

If software-as-a-service (SaaS) security concerns are keeping you up at night, you might not be alone—and for good reason.

SaaS security incidents are on the rise. An August 27 report by AppOmni stated that 31% of organizations said they experienced a SaaS data breach this year, a five-point uptick from last year.

The report, which queried professionals from 644 organizations across six countries, revealed that cybersecurity decision-makers aren’t too optimistic about their immunity to these events. Only 32% of respondents said they were confident in the security of their company’s or customers’ data stored in SaaS applications, down from 43% in 2023. Loss of intellectual property or proprietary data and reputational fallout were among the top concerns.

Rose-colored SaaS-es. The lack of confidence may serve as good foresight, as many organizations underestimate their SaaS ecosystem. While 49% of respondents claimed that they had fewer than 10 apps connected to the Microsoft 365 platform, AppOmni’s aggregated data discovered more than 1,000 Microsoft 365 SaaS-to-SaaS connections per deployment, on average. AppOmni co-founder and CTO Brian Soby told IT Brew that the miscalculation—which he said likely extends beyond just Microsoft 365—is driven by employees’ lack of visibility into all the SaaS applications a business uses, combined with day-to-day guesses that create a “very false impression.”

But oversights don’t stop there. Nearly three-quarters (72%) of respondents rated their organization’s SaaS security maturity level as mid-high to highest, a stat that’s remained unchanged from last year despite several SaaS-related data breaches during that time.

“The current state today borders on blind hope, and it is because they…haven’t deployed any capability to actually know,” Soby said. “And if they knew the reality, it would horrify most people.”

Fingers pointed. An unclear perception of where SaaS security responsibility lies is also a cause for concern. Half of the report’s respondents said that they felt the responsibility of securing SaaS falls on the shoulders of the business owner of the app or platform, while 34% said it’s on the business owner and the cybersecurity team.

“There’s massively a problem of accountability, because everybody’s just pointing in different directions, and the people being pointed at have no effective capability to do the job that people are saying is now their job,” Soby said.

Man in the mirror. SaaS security incidents are only going to increase as knowledge within the bad actor landscape grows, Soby added. He recommended that leaders increase visibility to find out what major applications their company uses, starting with their most important application and working outward.

“Shore up defenses there…Stop the bleeding. Stop digging the hole,” Soby said. “Start securing those, and then go outward to the applications they’re connected to.”
