SaaS solutions keep growing in popularity, which means that SaaS security risks are also on the rise. SaaS applications aren’t inherently more vulnerable than other enterprise software; many of the same issues that impact locally hosted tools can also plague SaaS solutions. Nearly 97% of organizations used at least one SaaS app known to have a security incident in the past year — and even well-known apps from the biggest global brands are not immune.
As we highlighted in our 2024 State of SaaS Security Report, several threat vectors are creating an industry-wide security problem. Credential stuffing and exploits, bypassing multi-factor authentication (MFA), and token theft are all taking center stage. What each of these security threats has in common is that they are all human-centered.
At the same time, SaaS companies are integrating more and more AI into their services, creating a number of new challenges for security teams. Employees downloading these SaaS apps are often unaware whether AI is integrated into the app, and it’s possible that user data is being used to train the AI model.
Even with these ongoing and emerging threats in mind, it isn’t game over for security teams — not by a long shot. There are steps both cyber defenders and business users can take to keep these risks under control. It starts with understanding the trends, technologies, and human behaviors that can add to these risks.
SaaS vulnerability trends: technology meets the human factor
Familiar security threats such as social engineering, shadow IT, and attacks on the supply chain can all lead to issues that affect all enterprise applications. While SaaS vendors and hyperscaling cloud platforms attempt to provide additional layers of security, they may also create more access points for bad actors to reach your systems and critical company data.
From the human aspect, the biggest security concern revolves around login credentials:
- User credentials present a huge opportunity for threat actors. Even with more complex attack methods available, bad actors still try to brute-force their way into applications using passwords—an average of 4,000 blocked password attacks per second, according to Microsoft.
- Combine stolen credentials with the tendency to use the same passwords for multiple logins, and there’s a perfect storm of risk.
- MFA is supposed to minimize this threat, and it can if it’s used effectively. Yet, our research found that large numbers of users of common SaaS app environments aren’t taking advantage of MFA: more than 65% of Microsoft 365 users and more than 49% of Google users don’t have MFA enabled.
SaaS applications can deliver a huge productivity boost while ensuring predictable costs. Still, their growing acceptance makes them a ripe target for bad actors looking for new ways into your organization.
One security issue that needs immediate attention is the attack surface created by out-of-date or uncontrolled permissions. Minimizing it starts with a few uncomfortable findings:
- 1 in 5 organizations found that employees who have left the company were not fully offboarded — and potentially still had access rights to applications and data.
- External users have data access in 85% of organizations.
- Organizations typically use 250% more applications than a workspace application query reveals.
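The two lists above describe gaps an access review should catch: departed employees whose accounts are still active, external accounts with data access, and accounts that never turned on MFA. The script below is an added example, not code from the report or this article. It runs the three checks over a constructed HR roster and constructed SaaS admin-console user exports (the field names, the corporate domain and the sample accounts are all assumptions made for the example; real identity-provider or admin-console exports would have to be mapped onto these fields first) and also computes per-app MFA coverage, the metric the report quotes.

```python
"""Audit SaaS user exports for three permission gaps: departed employees who
were never fully offboarded, external (non-corporate-domain) accounts with
access, and active accounts without MFA enabled.

All data below is constructed for this example; it is not from the report."""
from dataclasses import dataclass

CORPORATE_DOMAIN = "example.com"   # assumption: a single corporate email domain


@dataclass(frozen=True)
class AppUser:
    app: str          # SaaS application the export came from
    email: str        # account identifier in that app
    active: bool      # False when the app account has been disabled
    mfa_enabled: bool # as reported by the app's admin console


# Constructed HR roster: email -> employment status
HR_ROSTER = {
    "alice@example.com": "active",
    "bob@example.com": "terminated",
    "carol@example.com": "active",
}

# Constructed admin-console exports for two apps
APP_USERS = [
    AppUser("crm", "alice@example.com", True, True),
    AppUser("crm", "bob@example.com", True, False),     # left the company, still active
    AppUser("crm", "partner@vendor.net", True, True),   # external account
    AppUser("docs", "carol@example.com", True, False),  # internal, no MFA
    AppUser("docs", "bob@example.com", False, False),   # disabled: correctly offboarded
]


def is_external(user):
    """True when the account's email domain is not the corporate domain."""
    return user.email.rsplit("@", 1)[-1].lower() != CORPORATE_DOMAIN


def stale_access(roster, users):
    """Active internal accounts whose owner HR does not list as active
    (terminated, or unknown to HR, which also warrants review)."""
    return [u for u in users
            if u.active and not is_external(u) and roster.get(u.email) != "active"]


def external_access(users):
    """Active accounts that belong to people outside the corporate domain."""
    return [u for u in users if u.active and is_external(u)]


def mfa_gaps(users):
    """Active accounts of any kind that do not have MFA enabled."""
    return [u for u in users if u.active and not u.mfa_enabled]


def mfa_coverage(users):
    """Fraction of active accounts with MFA enabled, per app."""
    coverage = {}
    for app in sorted({u.app for u in users}):
        active = [u for u in users if u.app == app and u.active]
        with_mfa = sum(1 for u in active if u.mfa_enabled)
        coverage[app] = with_mfa / len(active) if active else 0.0
    return coverage


def audit(roster=HR_ROSTER, users=APP_USERS):
    """Run all checks and return sorted (app, email) findings plus MFA coverage."""
    key = lambda u: (u.app, u.email)
    return {
        "stale": sorted(map(key, stale_access(roster, users))),
        "external": sorted(map(key, external_access(users))),
        "no_mfa": sorted(map(key, mfa_gaps(users))),
        "mfa_coverage": mfa_coverage(users),
    }


if __name__ == "__main__":
    for name, findings in audit().items():
        print(f"{name}: {findings}")
```

Each finding list is a review queue rather than an automatic action: a departed user's account should be disabled, an external account should be confirmed against a sponsor, and an account without MFA should be pushed through enrollment. Running the audit against every app export, not just the ones IT knows about, is what closes the gap between the applications a workspace query reveals and the ones actually in use.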
Built-in AI presents new cybersecurity risks
Many SaaS apps now include some level of generative AI capabilities or are entirely powered by AI. These range from integrated chatbots that can automate workflows and tedious tasks (for example, “Write an email summarizing the 230-page report”) to back-end automation that the average user may not even be aware of.
The security challenges posed by AI are not only growing; they may also be hard to spot at first:
- AI-powered tools may use sensitive or proprietary data to train their models — often without the users’ knowledge.
- 15% of SaaS apps have some level of AI-powered capabilities and continually update their Ts&Cs to account for them. Organizations might be giving up essential rights to keep those business-critical apps active.
- With over 6,000 AI-integrated apps on the market, shadow AI is becoming a critical security challenge, just like shadow IT.
While SaaS apps’ benefits can certainly outweigh the risks, it’s crucial to look at all the possible points of failure while setting the organization up for success. Consider an automated remediation solution to quickly resolve threats, reduce the burden on the security team, and give users the confidence to excel.