Half of enterprises have publicly exposed SaaS assets

A new report finds that 50 percent of enterprises and 75 percent of mid-sized organizations have exposed public SaaS assets.

The report from security platform DoControl shows that large and medium companies have an average of 5.5 million and 1.5 million assets stored in SaaS applications respectively, illustrating the challenge IT and SecOps teams face daily in securing the intellectual property those assets contain.

"While we all rely on SaaS applications to improve productivity and collaboration, few have stopped to consider the sheer number of assets that flow in and out of these tools each day," says Adam Gavish, CEO and co-founder, DoControl. "Enterprises increasingly consider security when entering business transactions and engagements, which means the risks of a poor SaaS security posture can act as a spoiler for business outcomes. The goal of this report is to quantify and illustrate the chaos so businesses can better understand their risk exposure and act accordingly to regain control of their SaaS estate."

The report finds that 81 percent of medium-sized companies and 78 percent of large companies have encryption files stored in Google Drive/Workspace. An organization may feel secure storing assets in various apps, but they need to be vigilant about assets leaving those domains. As 61 percent of companies have employees who have shared company-owned assets over their personal email, manually tracking sensitive assets may be more difficult than previously imagined.

Medium-sized companies in DoControl's study have on average nearly 224k assets in SaaS applications that have been shared externally, with nine external actors per employee on average. The report also identified over 1,189 events within large companies where third-party actors shared assets with fourth-party actors. In many instances, trusted third-parties might have legitimate reasons for sharing SaaS assets with fourth parties, but these situations should be managed by the originator of the SaaS assets.

Outdated permissions are an issue too, DoControl finds 67 percent of all companies have employees with lingering access to assets stored in Google Workplace that are more than five years old. In addition, out of all companies, 31 percent have former employees who have accessed assets stored in SaaS applications after they have parted ways with their employer.

The full 2023 SaaS Security Threat Landscape Report is available from the DoControl site.

Photo credit: Alexander Supertramp / Shutterstock