My TechDecisions


Understanding SaaS App Risks and How to Mitigate Them

It’s no secret that SaaS apps like Zoom, Slack, Google Workspace, Box, Office365 and many more help organizations optimize their workflow, but inherent risks must also be avoided.

May 19, 2021, by Dmitry Dontov


We’ve seen rapid, widespread adoption rates for Software as a Service (SaaS) apps over the last 24 months as organizations adapt to post-COVID business operations. And all signs point to continued growth. In fact, Gartner predicts that worldwide spending on cloud services will grow more than 18% in 2021 (and in 2022). This isn’t hard to believe when you consider the fact that an application like Microsoft Teams added 95 million new users in 2020 alone.

But as SaaS adoption continues to climb, security will continue to be a significant issue. According to a new report from the Cloud Security Alliance, 58% of respondents are concerned with the network security implications of cloud adoption (including data leakage, service outages, misconfigurations, unauthorized internal access, compliance, ransomware and more). Let’s take a deeper dive into SaaS application risks and what you can do to prevent them.

Understanding the Risks

SaaS application security risks fall into three primary buckets. The first is business operational risk that may cause a downtime incident, the second is data loss and data leakage due to human error or cyber threats, and the third is compliance or regulatory issues. Any organization using SaaS apps needs to be aware of these potential risks and understand that even legitimate, reputable applications could cause problems in these areas. So, it’s not just the malicious applications or browser extensions created by cybercriminals you need to be worried about.

And the cost of this risk is real. For example, according to IBM’s 2020 Cost of Data Breach Report, the average data breach cost in 2020 was $3.86 million. Keep in mind, that’s the average. Norsk Hydro claimed its final bill was more than $75 million. If we’re looking at ransomware specifically, the average recovery cost paid in 2020 was a staggering $312,493 (a 171% year-over-year increase). And finally, compliance-related penalties can have a significant impact on the bottom line as well. For example, GDPR violations can eclipse 200 million Euros or 4% of total global turnover (whichever is higher). In short, you simply can’t afford to turn a blind eye to SaaS app risks.

You might be wondering how likely you are to encounter these issues. The answer is more likely than you think! Application security vulnerabilities account for a massive 43% of data breaches, and even world-renowned tools can be vulnerable. Just look at the security issues Zoom experienced over the last 12 months. As for ransomware infections via apps, hackers even disguised a malicious app as a COVID-19 map tracker loaded with AZORult malware. The endless list of real-world issues proves SaaS app security is a real concern.

It’s vital to understand the dangers third-party SaaS applications can introduce for your company. In an ideal world, your Security Operations team would thoroughly perform a manual risk assessment for each application or extension before use. However, with most employees still working remotely and administrators struggling with limited control over their users’ activity, this may not be a reality today.

In most cases, the threats from these apps come from two different perspectives. First, the app may try to leak your data or damage it. And second, it may be a legitimate app, but the code may be poorly written and include multiple vulnerabilities. Poorly coded applications can introduce vulnerabilities that lead to supply chain attacks like SolarWinds. Many expect cloud and SaaS providers to take responsibility for security, but this isn’t realistic. In fact, Google takes no responsibility for the safety of the applications on its Marketplace, so any third-party app or extension downloaded by employees becomes the organization’s express responsibility.

Why SaaS Became a Ransomware Target

Ransomware has been around for years. But SaaS platforms and services have become increasingly critical for business success over the past decade. Moreover, as the pandemic has driven massive growth in remote workforces, the cloud has become an even more enticing (and lucrative) target for cybercriminals. As a result, cloud ransomware is on the rise. This new generation of cyber extortion spreads through the cloud and encrypts SaaS data associated with cloud services.

As cloud services accumulate vast numbers of users in a single ecosystem, they become prime targets for attackers. And as cybercriminals release increasingly sophisticated algorithms each year, protecting against ransomware is becoming more challenging. For example, new ransomware attacks block on-premises antiviruses and backup agents, delete backed-up data and download sensitive information. They steal a victim’s saved credentials from web browsers and email clients, and they even threaten to upload private data publicly if the victim doesn’t pay the ransom, and more.

Installing a SaaS app means giving it permissions to access your data, including mail, files or profile information. Granting permissions is an expected procedure, like accepting a user agreement. So it’s no wonder that authorizing apps to access cloud data hardly raises suspicion within most organizations.

But there’s a catch. By granting permissions to a seemingly harmless cloud app, an employee may be giving access to a hacker without realizing it. Cybercriminals can embed malicious code into an app to get access to and control over data. If an employee installs a malicious app, a cybercriminal could review, edit, delete and encrypt your files. And of course, cybercriminals will try to profit from getting access to your data. They steal business data to sell on the dark web or encrypt the files with ransomware and demand money for decryption.

Dmitry Dontov is the CEO and Chief Architect of Spin Technology, a cloud data protection company based in Palo Alto, and the former CEO of Optimum Web Outsourcing, a software development company from Eastern Europe. As a serial entrepreneur with over 20 years of experience in security and team management, Dmitry has a strong background in the cloud protection field and is an expert in SaaS data security.

Improving SaaS App Security

Unfortunately, there’s no silver bullet that can help you to keep your business data 100% secure in the cloud. But the good news is that a combination of best practices and technology can help you significantly reduce the impact of these risks. There are three essential best practices for mitigating SaaS app security risks. First, offer regular security awareness trainings for your employees. Next, install a risk assessment solution that can monitor and assess multiple risk factors on the fly and report potential security threats. And lastly, use security policies to automate allow-list and block-list management.

On the technology side, consider adding a SaaS application security solution that can automatically scan all third-party apps connected to your cloud environment to get complete visibility of what is going on in your organization. Beyond that, analyzing daily log records can uncover abnormal behavior patterns among your apps and employees. This can help identify risks and prevent banned app downloads in real time.
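As an added illustration (not from the original article or any vendor's product), the sketch below scores connected third-party apps by the permissions they were granted and then applies allow-list and block-list policy, combining the permission concern and the policy automation described above. The scope labels, weights, thresholds and app names are all constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical, provider-neutral scope labels ("<data>.<access>"); real platforms
# use their own names. Weights, thresholds and app ids are constructed.
SCOPE_WEIGHT = {"profile.read": 1, "mail.read": 3, "files.read": 3,
                "mail.write": 5, "files.write": 5}  # write = can edit/delete/encrypt
UNKNOWN_SCOPE_WEIGHT = 5  # a scope we cannot classify is treated as high risk

@dataclass(frozen=True)
class Grant:
    app_id: str
    publisher_verified: bool
    scopes: tuple
    users: int  # employees who authorized the app

def risk_score(g: Grant) -> int:
    score = sum(SCOPE_WEIGHT.get(s, UNKNOWN_SCOPE_WEIGHT) for s in set(g.scopes))
    if not g.publisher_verified:
        score += 3
    if g.users >= 50:  # many authorizations widen the blast radius
        score += 2
    return score

def decide(g: Grant, allow: set, block: set, review_at: int = 5, block_at: int = 10) -> str:
    if g.app_id in block:      # block-list wins over everything
        return "block"
    if g.app_id in allow:      # vetted apps skip scoring
        return "allow"
    score = risk_score(g)
    if score >= block_at:
        return "block"
    return "review" if score >= review_at else "allow"

def audit(grants, allow, block):
    return {g.app_id: (risk_score(g), decide(g, allow, block)) for g in grants}

ALLOW, BLOCK = {"backup-tool"}, {"free-wallpapers"}
SAMPLE = [  # constructed inventory of connected apps
    Grant("calendar-helper", True, ("profile.read",), 120),
    Grant("crm-sync", True, ("mail.read", "files.read"), 30),
    Grant("pdf-converter", False, ("files.read", "files.write"), 4),
    Grant("backup-tool", True, ("files.read", "files.write", "mail.read"), 200),
    Grant("free-wallpapers", False, ("profile.read",), 2),
    Grant("org-chart", True, ("directory.admin",), 10),
]

if __name__ == "__main__":
    for app, (score, verdict) in audit(SAMPLE, ALLOW, BLOCK).items():
        print(f"{app:16} score={score:2} -> {verdict}")
```

The allow-listed backup tool keeps its high score in the report even though it is permitted, so a reviewer can still see how much access a vetted app holds.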

You also need a backup tool for your data. Malicious third-party apps or extensions can infect your data with ransomware or delete it, so a reliable backup solution is an indispensable element of your disaster recovery strategy. Finally, ransomware is growing fast, so you need dedicated ransomware protection capabilities that can prevent attacks from third-party applications.

Just remember that you need a way to immediately flag and stop these attacks in their tracks. In 99% of cases, responsibility for security incidents and data breaches is ultimately yours. Use the above best practices to mitigate SaaS application security risks and avoid becoming just another security statistic.
