AppOmni State of SaaS Security Report 2024 Finds Security Of Enterprise SaaS Applications Is Still Far Short of Ideal

August 2024 by AppOmni

AppOmni unveiled The State of SaaS Security 2024 Report, the company’s second annual examination of this critical discipline. Based on a survey of security decision makers at 644 organizations in six countries—and encompassing key findings, ongoing conversations, illustrative anecdotes and analyses of the regulatory environment—the report finds that while Software-as-a-Service security is finally getting the attention it deserves, there’s still a major gap between intent and implementation. In particular, there are still ad hoc strategies and other practices that fall short of a robust security program. The move toward decentralization has generated confusion over responsibilities, and many organizations remain unaware of which SaaS applications are used, by whom, and what is risky.

Brendan O’Connor, Chief Executive Officer of AppOmni, said: "Our report last year highlighted the clear disconnect between security self-assessments and actual SaaS risks. Now, we find that despite greater awareness and effort, things are getting worse. Just as there are constant headlines about breaches, the number of SaaS exploits has reached 31%, up five percentage points from last year. The details behind those statistics are even worse—despite increased budgets and initiatives, organizations need to do a far better job of securing SaaS deployments."

Among other vital takeaways, the AppOmni report finds:

A downside to dispersed domains: SaaS apps are easy to adopt, and they have empowered departments to independently deploy solutions that meet their particular needs. However, the benefits of decentralized operations are accompanied by a blurring of responsibilities between the CISO, line-of-business heads, and the cybersecurity team. Changes required for comprehensive SaaS security often take a backseat to business goals, even as business unit heads lack the knowledge to implement security controls.

Adoption without awareness: SaaS apps are being widely deployed without sufficient knowledge of the related risks. When organizations implement SaaS apps, they see a surge in third-party integrations that deliver extended functionality, automated workflows, and unified data access. However, most organizations lack visibility into their entire SaaS-to-SaaS connection footprint. For example, 49% of the respondents who frequently use Microsoft 365 believed they have fewer than 10 applications connected to the platform; AppOmni’s aggregated data indicates there are 1,000-plus connections on average. Gaining visibility into the entire SaaS attack surface is therefore a critical first step in the SaaS security journey, and continuous monitoring of that surface is just as important, since new integrations are added long after the initial deployment.

Policies without enforcement: Fully 90% of respondents have policies in place to ensure the use of only sanctioned apps, but 34% admit that those rules are not strictly enforced, a figure that rose by 12 points since 2023. The problem is that unsanctioned SaaS apps do not undergo the same security vetting as applications deployed by IT teams, and they greatly broaden the potential attack surface. In this environment, organizations need to enforce baseline policies for all business-critical SaaS apps and identify who has access to what data in those apps.

Going deeper, the AppOmni report encompasses research and analyses of issues such as eroding vigilance after deployment, uncertainty over the optimal solution, and the search for ROI between competing priorities. Each set of findings comes with takeaways and recommendations.

Nearly half of the 644 organizations responding to the survey represent enterprises with 2,500-plus employees. Respondents are from six countries—the US, the UK, France, Germany, Japan and Australia—and span multiple security roles.