What must the C-Suite know about risks associated with SaaS adoption?
In fast growing companies, SaaS adoption outpaces the ability to keep track of security. Staying on top of who’s got access to which SaaS apps and with what privileges, who’s sharing sensitive data with whom, how’s data flowing between SaaS apps is a real challenge for IT/security teams because they don’t manage all the SaaS apps themselves. Gartner has estimated that “By 2024, 70% of IT organizations will lack the relevant roles, skills and tools to support SaaS-enabled digital transformation.”
As senior executives in such fast growing companies, you may have an inkling about your risk blind spots when you came across business and customer data in SaaS apps you hadn’t known were being used or found out about external data sharing only after the fact. But if you haven’t noticed or it hasn’t been brought to your attention, at a high level, you should be able to answer the following questions:
Who has access to my critical data?
What companies do the people who have access work for?
What data is being shared outside my organization and with whom?
Am I wasting money on unused licenses?
When was the last time my SaaS footprint was audited for access and security configuration?
The ability to answer these questions and the accuracy of the answers will show if your organization has SaaS blind spots. The more blind spots there are, the fewer security controls in the eyes of auditors, regulators and potential customers, which may severely impact your ability to pass audits and security due diligence to win deals from bigger, larger customers.
Why must you proactively manage SaaS risk blind spots?
Because SaaS risk blind spots can critically impact your business.
Reducing compliance complexities and costs
Preventing data theft
Employees, consultants, third-party contractors can have access to your organization’s business critical and customer sensitive data. However, if they retain this access after it is no longer needed or if they have moved on from your organization without being properly offboarded, this can lead to data theft and malicious acts. In organizations with an extensive SaaS footprint whereby business teams procure and manage their own SaaS apps, offboarding can be a real challenge because not every user logs into apps via the organization’s identity provider such as OKTA. Disabling users from the identity provider does not equate to disabling their access to SaaS apps not federated against OKTA. The thing which makes former employees, consultants and third-parties much more difficult to manage is that they are almost impossible to monitor while having intimate knowledge of how your business operates.
Preventing data breaches
People are sharing data externally via external sharing features of many apps or via use-consent third-party app integrations. This is often done without visibility of management and in breach of privacy regulations and laws. The most common mistake we see users make is creating sensitive files and folders in Office 365 and G Suite that are accessible by “Anyone with the link”. Others may be more difficult to spot such as users consenting to malicious third-party apps that can read, write and export data from approved SaaS apps. Sometimes external sharing can happen without the sharers knowing anything about it. SANS, the largest cybersecurity training company, recently disclosed a major breach where the attacker, after compromising the victim’s account via phishing, set up a rule which was automatically forwarding emails to the attacker’s inbox to enable them to extract more information.
Reducing cost wastage
Needless to say, unused licenses/inactive accounts is one of the largest cost wastages in every SaaS-powered business. But not only would these accounts cost you money, they also increase data theft risk because they can be hacked and used without their activities being noticed.
Winning bigger deals
Last but not least, access and security configuration audit is an integral part of meeting various compliance and regulatory frameworks such as ISO 27001, SOC 2 Type II, PCI DSS, etc. It is a big, hairy task which is always too time consuming that it doesn’t happen as frequently as it should. This can be perceived by auditors as lacking in security controls regardless of how good your documented processes and procedures may be. This can prevent your organization from winning larger deals from bigger customers.
How can you use Detexian to proactively manage SaaS risk blind spots?
Detexian is endorsed by AustCyber, Australia’s industry peak body for cybersecurity, as a solution for executives to monitor unauthorised changes in configurations and access for critical business SaaS applications such as Office 365, G Suite, Salesforce.
Management can generate on demand reports to understand their SaaS risk exposure at any point in time, be alerted to critical risks and help prioritise work to protect business data.
Stay on top of security audit and compliance risks when your organization leverages the power of SaaS apps. Inquire now for a free 28 day trial.