The vast majority of organizations are confident about their SaaS security posture, despite the fact that most have suffered a breach or security incident in the past year.
That’s according to a new study from AppOmni, which found SaaS is one of the most actively targeted layers of the enterprise attack surface.
The study, which includes a poll of more than 800 security leaders and decision makers, warned that this domain is one of the least defended areas of modern business.
The growing risks faced by enterprises in this regard are mirrored by continued growth in the SaaS space, with businesses now using dozens - or even hundreds - of applications.
More than half of enterprises polled by the firm are using at least 50 SaaS solutions, for example, while more than a third have 100 or more.
Notably, three-quarters (75%) of organizations have fallen victim to a SaaS data breach or security incident in the last 12 months. Yet the study found 89% of those believed they had appropriate visibility of their SaaS environments.
Brendan O’Connor, CEO of AppOmni, said the study highlights a growing disconnect between the threats faced by enterprises and their ability to tackle the issue.
"The data shows a concerning ‘illusion of control,’ where the vast majority of security leaders feel confident in their SaaS security posture, even as a huge number of them are dealing with SaaS-related incidents,” O’Connor said.
“Today's SaaS risks are not theoretical — they’re real, and they’re impacting businesses now."
The big SaaS security talking points
Data security remains a big concern for enterprises, AppOmni found, with 57% of survey respondents citing data breaches and the potential loss of intellectual property as their main worry.
Meanwhile, just over a third (37%) expressed considerable apprehension about compromised customer data.
AI is also changing the dynamic for security teams, AppOmni warned, particularly with regard to governance. Nearly two-thirds (61%) of respondents said they expect AI to dominate SaaS security discussions in the coming year, for example.
Respondents added that there’s a growing appetite for more robust oversight of non-human identities and generative AI tool access within SaaS applications.
Tooling gaps also remain wide, with just 13% of respondents currently using a dedicated SaaS Security Posture Management (SSPM) solution, despite nearly one-third saying they need one.
Security hygiene and risk management on the agenda
A key talking point in the AppOmni centered around a continued lack of basic security hygiene. Nearly half (41%) of incidents stemmed from permission issues, for example, while 29% resulted from misconfigurations.
AppOmni said this shows there’s still much work to be done in terms of improving broader security awareness and best practices.
Elsewhere, risk management practices also require improvement, the study noted. Just over half (52%) of organisations only use periodic reviews to assess SaaS-related security risks.
This, the company added, is leaving critical gaps where misconfigurations and threats can persist undetected. Only 43% of enterprises have implemented continuous or near-real-time oversight.
Too much trust in providers
Complacency and overconfidence on SaaS security were among the most concerning aspects of the survey, according to AppOmni.
Just over half (53%) said they are confident about their stance on this front, but many are basing this on trust in SaaS vendors rather than internal validation.
Only 16% of respondents assign SaaS security solely to security teams, while 43% leave it to various business units.
"The key lesson for enterprises is that visibility alone is not security, and trust in SaaS vendors is not a strategy," said O’Connor.
"We need a fundamental shift from ad hoc, reactive processes to a mature, disciplined approach built on continuous monitoring and clear ownership."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
What the UK’s Online Safety Act means for IT companiesIn-depth Experts reveal the potential impact and necessary requirements of the UK’s Online Safety Act, introduced to protect children from harmful content online.
-
Software licensing is becoming a minefield for IT leadersNews Oracle Java is causing particular headaches, with many saying they plan to migrate to open source alternatives
-
Cloud breaches are surging, but enterprises aren’t quick enough to reactNews The rise in cloud breaches has been attributed to a series of factors
-
Surging CNAPP investment is a big opportunity for the channelNews UK enterprises plan to increase spending on cloud-native application protection platform (CNAPP) capabilities across 2025 - and they're hoping the IT channel can help streamline adoption.
-
Exploring modern data security and management: Multi-cloud data protection and recoveryExploring modern data security and management: Multi-cloud data protection and recovery
-
Supporting scalabilityWhitepaper Supporting scalability
-
Maximizing your AWS cost savingsWhitepaper Maximizing your AWS cost savings
-
Unlocking AWS success with DoiTWhitepaper Unlocking AWS success with DoiT
-
Technology to optimize your cloudWhitepaper An intelligent system admin who's always on the job
-
Protect your attack vectorsWebinar An effective way to reduce your attack surface
