From office productivity software to team collaboration solutions, there has been an explosion in the availability and use of Software as a Service (SaaS) applications in recent years. The pandemic has contributed to this growth, with the agile and hybrid nature of SaaS matching up perfectly with the hybrid working style.

For every company with more than 1,000 employees, there are on average several hundred SaaS solutions in use, representing several million dollars in annual costs. However, the costs might not end there, with the apps being installed and used outside the scope of corporate governance players. This exposes such organizations to the unexpected risk of cybersecurity breaches.

The great cybersecurity danger of shadow IT

It’s known that hundreds of SaaS apps are being purchased, with 30-40% of the information technology (IT) budget being spent on software or apps the IT team doesn’t know about. And the rapid growth of the SaaS market continues, with 70% of chief information officers (CIOs) claiming that agility and scalability are two of the top motivators for using SaaS applications.

Staff members might subscribe to the use of SaaS apps with positive intentions such as the improvement of efficiency and productivity. However, the process of underground digitalization (or shadow IT) is typically undertaken with a lack of regard for security, data protection and digital sovereignty.

It’s more important than ever for companies to ensure SaaS visibility, regain control of their IT ecosystems and protect their data.

Words of warning for digital businesses

The need for enhanced SaaS monitoring has been emphasized by the CISA’s Shields Up notice, urging American organizations to step up their cyberattack prevention and defense tactics due to the risks associated with Russia’s invasion of Ukraine.

The scale of cybersecurity risks is certain to grow in line with the wider adoption of SaaS. It will become increasingly common to use such applications for the storage, processing and sharing of sensitive and personal data.

From government agencies to public service organizations and energy suppliers, there are a broad range of institutions that might fall prey to cyberattacks.

Organizational reputations may be affected at the very least, while other repercussions may include the loss of users, sales and profits.

The scale of the issue has been emphasized over time — even back in 2013, 80% of workers admit to using SaaS applications at work, despite not having the IT department's approval.

Increasing SaaS visibility and security

There must be an automatic and continuous method of governance in order to minimize and eliminate the security risks of shadow IT. The CIO should assume a strategic role in enabling decentralized digitalization, with staff members being encouraged to make the best use of digital resources.

A regulatory framework must be maintained, with a focus on the safeguarding of data against cybersecurity breaches. Working in partnership with the executive committee and staff across multiple departments, there should be a shared responsibility for secure digital transformation.

There is a balance to be struck, in allowing employees a certain degree of digital autonomy, while ensuring that they go through the proper channels in the adoption of SaaS.

Designated company app stores can help IT teams maintain SaaS visibility, enabling business teams to choose the best software with guidance in the selection and minimization of organizational risks. Cloud services must be securely configured with measures being taken to protect against the illegitimate access of personal data.

With the majority of jobs being digital, it’s essential for HR and IT to collaborate in the onboarding and offboarding process. There must be a proper framework for the assured identification of governance or compliance issues. Old logins should be deleted in order to prevent criminal access to digital backdoors. Some SaaS subscriptions should be canceled based on the risk to sensitive data, with a central platform being used for monitoring purposes.

As demonstrated, the process of securing an organization's third-party SaaS applications requires effort from stakeholders across the enterprise, which is why a collective commitment to collaboration and compliance is necessary.