Companies expose 35,000 sensitive SaaS assets each year

A new report from DoControl finds that companies are generating approximately 286,000 new SaaS assets, such as files or recordings, each week. However, it also found the public exposure of 35,000 sensitive assets at the average company, a significant lapse in data management and access controls.

The report finds a 182 percent increase in employees sharing company-owned assets via their personal email too. In 2023, findings show that the average company had one out of six employees share data with their personal email account (1.3 million assets).

In addition it discovered 5,860 encryption keys stored in SaaS apps. While companies may feel secure storing assets in various apps, it is vital they be vigilant about assets leaving those domains.

"In today's digitalized world, we all rely on SaaS applications to improve productivity and collaboration," says Adam Gavish, CEO and co-founder of DoControl. "The sheer fact that the average company managed 22.8 million SaaS assets by the end of 2023, a 189 percent increase from January of the same year reiterates the need for enterprises to increasingly consider tightening their current security protocols. Poor SaaS security posture not only puts them at risk for potential breaches, but can also significantly damage their brand reputation and overall business outcomes. The goal of this report is to illustrate where gaps in data security lie so businesses and their leaders can better understand their risk exposure and act accordingly."

Over the course of 2023, an average company had 21,000 new assets exposed externally each week, with the Slack platform alone seeing a 107 percent growth in externally exposed assets. To lessen potential risk exposure, companies need to limit external sharing by implementing least privilege permissioning and by removing access when assets are no longer needed by the parties with whom they were shared.

Another issue highlighted is granting unnecessary access to applications that may not have adequate security controls in place. This opens the door to risks that could have been avoided. In fact, DoControl finds that 65.5 percent of these third-party apps didn't require the level of access granted. From the 29,000 third-party apps installed and surveyed by organizations in 2023, 90 percent of all installed apps had not been used in the last 30 days, further illustrating the widespread issue of applications posing significant security risk.

The full report is available from the DoControl site.

Photo credit: Alexander Supertramp / Shutterstock