NEW YORK, March 14, 2024 – DoControl today released the 2024 State of SaaS Data Security Report, which found that companies are generating approximately 286,000 new SaaS assets, such as files or recordings, each week. Additionally, one out of six employees was found to have shared company data with their personal email.
These findings emphasize the urgent need for comprehensive security strategies to mitigate insider threats, control data exposure, manage outdated access permissions, and regulate over-permissioned third-party OAuth apps.
“In today’s digitalized world, we all rely on SaaS applications to improve productivity and collaboration,” said Adam Gavish, CEO and Co-founder, DoControl. “The sheer fact that the average company managed 22.8 million SaaS assets by the end of 2023, a 189% increase from January of the same year, reiterates the need for enterprises to increasingly consider tightening their current security protocols. Poor SaaS security posture not only puts them at risk for potential breaches, but can also significantly damage their brand reputation and overall business outcomes. The goal of this report is to illustrate where gaps in data security lie so businesses and their leaders can better understand their risk exposure and act accordingly.”
The 2024 State of SaaS Data Security Report quantifies the volume, types, and exposure risk of business assets stored within the SaaS estates of public and private companies across multiple industries with more than 1,000 employees within the United States (US) and Europe, Middle East and Africa (EMEA). The findings covered in the report are broken out into four different categories:
Insider Threats
Whether by accident or done intentionally, insiders can exfiltrate confidential intellectual property and customer information, exposing companies to financial extortion and devastating brand damage. DoControl found a 182% increase in employees sharing company-owned assets with their personal email.
In 2023, findings showed that the average company had one out of six employees share data with their personal email account (1.3 million assets). The report also found 5,860 encryption keys stored in SaaS apps. While companies may feel secure storing assets in various apps, it is vital that they remain vigilant about assets leaving those domains.
With these significant increases, manually tracking sensitive assets will only become more difficult, further exposing companies to risk and to data falling into the wrong hands.
Data Exposure
When files are shared with external parties via SaaS applications through collaboration beyond the company’s security perimeter, control of a company’s intellectual property and data can become extremely tenuous. DoControl found that the public exposure of 35,000 sensitive assets reflects a significant lapse in data management and access controls. The report further uncovered a 49% increase in sensitive assets exposed company-wide.
What's more, over the course of 2023, an average company had 21,000 new assets exposed externally each week, with the Slack platform alone witnessing a 107% growth in externally exposed assets. To lessen potential risk exposure, companies need to limit external sharing by implementing least privilege permissioning and by removing access when assets are no longer needed by the parties with whom they were shared.
Outdated Access Permissions
It’s no surprise that outdated access permissions continue to pose a significant risk to companies worldwide. Findings in this year's report showed that 90% of companies reported former employees still accessing SaaS applications post-departure. It is vital to consider that even one former employee – especially a disgruntled one – can present an unacceptable risk.
An additional form of outdated permissions is ongoing access to SaaS assets that are no longer necessary or no longer support business objectives. DoControl found that 100% of companies surveyed had externally shared assets (over five years old) still stored on Google Workspace. Further, an average of 5% of Google Drive assets are both externally shared and stale, meaning they have not been accessed for 90 days or longer. These numbers indicate an unmonitored attack surface for potential breaches.
Over-permissioned Third-party OAuth Apps
Applications often allow integrations with third parties to make workflows more efficient, convenient, or productive. However, third-party applications can also pose a threat to companies, especially when given unnecessary read-write permissions. Granting unnecessary access to applications that may not have adequate security controls in place opens the door to risks that could have been avoided.
In fact, DoControl found that 65.5% of these third-party apps did not require the level of access granted. Of the 29,000 third-party apps installed and surveyed by organizations in 2023, 90% of all installed apps had not been used in the last 30 days, further illustrating the widespread issue of applications posing significant security risk.
DoControl helps avoid the devastating consequences of data exfiltration and leakage. Its unique approach to managing SaaS data access remediates any situations highlighted in the 2024 State of Data Security by providing centralized, automated, granular data access controls over the SaaS applications in companies’ technology stacks.
DoControl’s no-code, automated workflows help IT and security teams manage their SaaS data access so companies can move forward with SaaS deployments confidently, and in a secure manner.
Methodology
This report aggregates findings across a subset of companies for which DoControl performed an audit of SaaS data access control and exposure. We have compiled the findings from audits of a cross-section of companies ranging in size from 1,000 to 10,000 employees.