DoControl released the 2024 State of SaaS Data Security Report, which
found that companies are generating approximately 286,000 new SaaS
assets, such as files or recordings, each week. Additionally, one out of
six employees was found to have shared company data with their
personal email. These findings emphasize the urgent need for
comprehensive security strategies to mitigate insider threats, control
data exposure, manage outdated access permissions, and regulate
over-permissioned third-party OAuth apps.
"In today's digitalized world, we all rely on SaaS applications to improve productivity and collaboration," said Adam Gavish,
CEO and Co-founder, DoControl. "The sheer fact that the average company
managed 22.8 million SaaS assets by the end of 2023, a 189% increase
from January of the same year, reiterates the need for enterprises to
increasingly consider tightening their current security protocols. Poor
SaaS security posture not only puts them at risk for potential breaches,
but can also significantly damage their brand reputation and overall
business outcomes. The goal of this report is to illustrate where gaps
in data security lie so businesses and their leaders can better
understand their risk exposure and act accordingly."
The 2024 State of SaaS Data Security Report quantifies the volume,
types, and exposure risk of business assets stored within the SaaS
estates of public and private companies across multiple industries with
more than 1,000 employees within the United States (US) and Europe, Middle East and Africa (EMEA). The findings covered in the report are broken out into four different categories:
Insider Threats
Whether by accident or done intentionally, insiders can exfiltrate
confidential intellectual property and customer information, exposing
companies to financial extortion and devastating brand damage. DoControl
found a 182% increase in employees sharing company-owned assets with
their personal email. In 2023, findings showed that the average company
had one out of 6 employees share data with their personal email account
(1.3 million assets). The report also found 5,860 encryption keys stored
in SaaS apps. While companies may feel secure storing assets in various
apps, it is vital that they stay vigilant about assets leaving those domains.
With these significant increases, manually tracking sensitive assets
will only become more difficult, further exposing companies to risk and
to data falling into the wrong hands.
Data Exposure
When files are shared with external parties via SaaS applications
through collaboration beyond the company's security perimeter, control
of a company's intellectual property and data can become extremely
tenuous. DoControl found 35,000 sensitive assets publicly exposed, which
reflects a significant lapse in data management and access controls. The
report further uncovered a 49% increase in sensitive assets exposed
company-wide. What's more, over the course of 2023, an average company had
21,000 new assets exposed externally each week, with the Slack platform
alone witnessing a 107% growth in externally exposed assets. To lessen
potential risk exposure, companies need to limit external sharing by
implementing least privilege permissioning and by removing access when
assets are no longer needed by the parties with whom they were shared.
Outdated Access Permissions
It's no surprise that outdated access permissions continue to pose a
significant risk to companies worldwide. Findings in this year's report
showed that 90% of companies reported former employees still accessing
SaaS applications post-departure. It is vital to consider that even one
former employee - especially a disgruntled one - can present an
unacceptable risk.
An additional form of outdated permissions is ongoing access to SaaS
assets that are no longer necessary or no longer support business objectives.
DoControl found that 100% of companies surveyed had externally shared
assets (over five years old) still stored on Google Workspace. Further,
an average of 5% of Google Drive assets are both externally shared and
stale, meaning they have not been accessed for 90 days or longer. These
numbers indicate an unmonitored attack surface for potential breaches.
Over-permissioned Third-party OAuth Apps
Applications often allow integrations with third parties to make
workflows more efficient, convenient, or productive. However,
third-party applications can also pose a threat to companies, especially
when given unnecessary read-write permissions. Granting unnecessary
access to applications that may not have adequate security controls in
place opens the door to risks that could have been avoided. In fact,
DoControl found that 65.5% of these third-party apps did not require the
level of access granted. Of the 29,000 third-party apps installed and
surveyed by organizations in 2023, 90% of all installed apps had not
been used in the last 30 days, further illustrating the widespread issue
of applications posing significant security risk.