New Report Suggests Surge in SaaS Assets, Employee Data Sharing

Security researchers have noticed a substantial increase in software-as-a-service (SaaS) assets, with an average of 286,000 new assets generated weekly in 2023, a 189% surge from the previous year.

The data comes from DoControl’s 2024 State of SaaS Data Security Report, which also suggested one in six employees was found to have shared company data through personal email accounts, highlighting the prevalence of insider threats.

Adam Gavish, CEO and co-founder of DoControl, stressed the critical importance of enhancing security protocols in today’s digital landscape.

“The sheer fact that the average company managed 22.8 million SaaS assets by the end of 2023, a 189% increase from January of the same year, reiterates the need for enterprises to increasingly consider tightening their current security protocols,” the executive said.

“Poor SaaS security posture not only puts them at risk for potential breaches but can also significantly damage their brand reputation and overall business outcomes.”

The report focuses on four key areas: insider threats, data exposure, outdated access permissions and over-permissioned third-party OAuth apps.

It reveals a 182% rise in employees sharing company-owned assets via personal email accounts, and more than 5860 encryption keys stored in SaaS apps. Additionally, there’s been a 49% increase in sensitive assets exposed company-wide, with an average of 21,000 new assets externally exposed each week.

Outdated access permissions pose a significant risk, with 90% of companies reporting former employees still accessing SaaS applications post-departure. Moreover, 100% of surveyed companies had externally shared assets more than five years old stored on Google Workspace, indicating an unmonitored attack surface.

The report also addresses the issue of over-permissioned third-party OAuth apps, revealing that 65.5% of these apps did not require the access granted. Of the 29,000 surveyed third-party apps installed in 2023, 90% had not been used in the last 30 days, exacerbating security risks.

To mitigate these risks, DoControl recommended centralized, automated data access controls for SaaS applications. The report’s findings underscore the urgent need for companies to bolster their security strategies and adopt proactive measures to safeguard their data assets.
