


Most technology leaders are concerned about SaaS security threats


Software-as-a-service applications have long been the target of cyber threats, and a new study finds that these threats remain the top concern for 78% of U.S. technology leaders, even as more SaaS applications find their way into the enterprise.

Although enterprises place data privacy and security at the top of their priorities, their continued reliance on SaaS and cloud offerings continues to put them at risk, according to the SaaS Disruption Report: Security & Data by Onymos and Enterprise Strategy Group.

Shiva Nathan, founder and CEO of Onymos, told TechRepublic that a significant risk of this dependency is that when companies purchase a SaaS system to accelerate application development, they must grant data access to the third-party SaaS provider in return.

Granting this access could lead to cyberattacks and accidental data leaks, which could be particularly problematic today as the average business relies on over 130 SaaS applications, compared to just 80 in 2020, Nathan explained.

“That’s a 62% increase,” he said. “Each of these (SaaS apps) is a new attack surface for state and non-state actors. And they’re exploiting it. The number of attacks on the software supply chain is increasing, especially against the healthcare industry, which has had to shift to a virtual care model during COVID-19.”

To facilitate this transition, healthcare organizations have long relied on third-party providers, Nathan added. According to the report, the following sectors also rely heavily on SaaS applications:

  • Government.
  • Logistics and supply chain.
  • Manufacturing.
  • Retail.
  • Banking and financial services.
  • Education.

Gartner predicts that by 2025, 45% of organizations worldwide will experience attacks on their software supply chains. The report backs up this prediction: nearly half (45%) of technology leaders say they have been the victim of a cybersecurity incident related to a third-party SaaS application in the past year.

The importance of data retention

The survey, which included 300 leading app development, IT and security professionals, also found that 91% of respondents emphasized the critical importance of data retention for custom internal applications, reflecting its high priority in application development.

Nathan said that statistic surprised him because these “technology leaders recognize the importance of keeping their data, yet they are so reliant on SaaS. There is clearly a tension in these organizations between speed of production and data ownership,” he noted. “That tension has always existed, but it’s growing.”

IT Manager Priorities

Nearly three-quarters (72%) of executives surveyed cited “security” as their top priority, closely followed by 65% who cited “data protection.”

These priorities are also reflected in the project assignments, responsibilities and tasks in the organizations’ application and software development projects, the report said. Three of the top five priorities were:

  • Ensuring data protection (60% said this was a high or top priority).
  • Creating secure applications (49% said this was a high or top priority).
  • Maintaining complete control over data ownership (42% said this was a high or top priority).

The survey also found that 65% of internally developed applications are business critical and only 36% of technology leaders run all of their applications on-premises or in private clouds.

SaaS apps require more attention to their security posture

Given the high level of concern about data security, companies need to rethink their current business model regarding the use of SaaS and cloud offerings, says the Onymos/ESG report.

“Today, you often hear technology leaders talk about their ‘security posture’ – a ‘data posture’ is just as important,” Nathan emphasizes. “This includes asking what data you share with your SaaS providers to get their service; do they really need that data; what do they do with it; and where does it go?”

“The rise of AI products and services only makes answering these questions more important,” he said.

The report made several recommendations, including a significant change to current SaaS and cloud practices by adopting “no-data” architectural principles that prioritize data privacy and security.

“This type of architecture allows organizations to retain full ownership and control of their data, eliminating the need to share or grant access to it with third-party SaaS and cloud providers and reducing the associated risk,” the report says. “Organizations should also be allowed to own and modify the code of the SaaS solutions they use for their application and software development.”

This allows development teams in companies to review and test the code as if they had created it themselves, the Onymos/ESG report says. “With this approach, companies can have full confidence in the validity, reliability and security of the code,” the report continues.

In addition, IT should prioritize and regularly conduct rigorous third-party security audits and penetration tests. “These tests should also provide insight into how the company’s data flows through various applications and SaaS solutions so that unintended data access and sharing issues can be avoided,” the report says.

