
Managing the employee risks of SaaS

By Travis Good
May 12, 2022

Remote and hybrid work has accelerated the shift in how work is done today. Regardless of the trends in remote, hybrid and in-person work environments, work today is done in and across Software as a Service (SaaS) apps.

The first challenge enterprise cybersecurity leaders face today is getting an accurate inventory of all of the SaaS tools currently in use by their workforce. With the constantly changing SaaS landscape, this can pose a never-ending challenge.

The next challenge is securing SaaS tools using a mix of configuration management and security tools such as single sign-on (SSO). This is a necessary step to manage the risk of SaaS apps, but does not control for all the actions users are able to take in the applications.

Despite the best efforts by cybersecurity teams, every day employees have the ability to take certain actions in SaaS apps that have security and privacy implications. Not all of these actions result in data breaches or even security incidents, but the actions do expose companies, thus mandating an approach to measure and mitigate that risk.

Below are some examples of risk-relevant SaaS actions:

  • Exporting user lists: In many SaaS solutions, users are able to export or download lists of users containing personally identifiable information (PII). Support and marketing tools often have this same functionality.
  • Sharing files: File sharing is not limited to shared drives like Google, Dropbox and Box; users in SaaS apps like Slack can share sensitive files and even make them public.
  • Inviting external users: Internal users can invite external users to most SaaS apps.
  • SaaS integration: Certain SaaS apps are approved for data covered by certain regulations, such as the GDPR or HIPAA, but this covered data can easily be shared with SaaS apps that do not have proper protections or data protection contracts in place.

Measuring SaaS app risk

The first step in managing the risk of SaaS app usage is measuring the risk from the use of those apps. About 10% of SaaS apps represent about 90% of the risk, so targeting this 10% is the first step. The most common apps in this 10% are customer relationship management (CRM) solutions, support platforms, productivity suites and communication tools.

Security professionals can measure SaaS risk by treating SaaS like any other type of infrastructure, with SaaS app events logged and ideally piped into a centralized security management platform. This step provides visibility and a way to continually measure risk. These SaaS app events can then trigger certain actions that will help in managing the risk of Software as a Service.
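
The following sketch is an added example, not part of the original article: it classifies centralized SaaS audit events into the four risk-relevant actions listed earlier and counts findings per app. The event schema, domain, app names and sample events are constructed assumptions, not any vendor's log format.

```python
from collections import Counter

# Assumptions (hypothetical): internal e-mail domain and the apps approved for regulated data.
INTERNAL_DOMAIN = "example.com"
APPROVED_FOR_REGULATED = {"crm", "support-desk"}

# Constructed sample events, in an assumed normalized schema a log collector might emit.
EVENTS = [
    {"app": "crm", "actor": "ana@example.com", "action": "export", "object": "user_list"},
    {"app": "chat", "actor": "bo@example.com", "action": "share_file", "visibility": "public"},
    {"app": "chat", "actor": "bo@example.com", "action": "share_file", "visibility": "internal"},
    {"app": "support-desk", "actor": "cy@example.com", "action": "invite_user",
     "target": "vendor@partner.test"},
    {"app": "support-desk", "actor": "cy@example.com", "action": "invite_user",
     "target": "dee@example.com"},
    {"app": "crm", "actor": "ana@example.com", "action": "connect_integration",
     "target_app": "notes-tool"},
    {"app": "crm", "actor": "ana@example.com", "action": "login"},
]

def classify(event):
    """Return the risk category for an event, or None if it is not risk-relevant."""
    action = event.get("action")
    if action == "export" and event.get("object") == "user_list":
        return "exporting_user_list"
    if action == "share_file" and event.get("visibility") in ("public", "external"):
        return "sharing_file"
    if action == "invite_user":
        # Only invitations to addresses outside the internal domain are flagged.
        if not event.get("target", "").lower().endswith("@" + INTERNAL_DOMAIN):
            return "inviting_external_user"
    if action == "connect_integration" and event.get("target_app") not in APPROVED_FOR_REGULATED:
        return "unapproved_integration"
    return None

def findings(events):
    """Pair each risk-relevant event with its category."""
    return [(cat, e) for e in events if (cat := classify(e)) is not None]

def risk_by_app(events):
    """Count findings per app, highest first, to show where risk concentrates."""
    return Counter(e["app"] for _, e in findings(events)).most_common()

if __name__ == "__main__":
    for cat, e in findings(EVENTS):
        print(f"{cat:24} {e['app']:13} {e['actor']}")
    print(risk_by_app(EVENTS))
```

Each finding can feed whatever follow-up action the security platform supports, such as an alert or a targeted training prompt for the user involved.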

Managing SaaS app risk

If the risk of SaaS stems from necessary user actions, such as employees sharing important documents via a SaaS solution, how can this risk be managed? As SaaS has pushed more autonomy to end users, it has also pushed more responsibility for security. A security mindset in an organization is key, but this is not an easy task, especially as SaaS apps enable workflows from any location and device.

Security awareness training needs a new approach to build this required mindset. The risk from SaaS apps is not mitigated by training staff on strong passwords or ransomware. SaaS workflows are specific to the SaaS apps, so the training needs to be continuously updated and tailored to the specific software in use.

Many companies are at the beginning stages in measuring and managing the risk from employee actions in SaaS apps. After all, the SaaS trend has only recently exploded. The first step in managing this risk is an inventory and risk ranking of SaaS applications. With that, a new security awareness program can be created to mitigate the risk.

Travis Good, MD, is Co-Founder and CEO at Haekka, which delivers contextualized security and privacy training to end users. His experience has taken him from cybersecurity to medicine to compliance on the cloud. He is the author of Complete Cloud Compliance and co-creator of widely used open source compliance policies. Prior to Haekka, Travis co-founded and was CEO of Datica, where he developed and supported the largest platform of HIPAA compliant workloads on the public cloud.

Copyright ©2025. All Rights Reserved BNP Media.
