Report Surfaces Extent of SaaS Application Insecurity
2024-2-7 02:10:42 Author: securityboulevard.com

An analysis of how 493 organizations are employing software-as-a-service (SaaS) applications published today by Wing Security finds nearly all (87%) experienced a security incident involving at least one application.

A full 81% reported security incidents involving an application that was only being used by a single user. In total, 41% of the applications analyzed were only being accessed by a single user, with 63% of those applications not being accessed for at least three months, the report noted.

In addition, the report found 20% of organizations were providing access to SaaS applications and the data within to individuals they no longer employed. A full 85% of organizations are providing access to SaaS applications to users outside of their organization.

Wing Security COO Ran Senderovitz said the report makes it clear there is a pressing need to consolidate SaaS applications at a time when organizations are now effectively tracking how any sensitive data stored in these platforms is accessed and managed. In fact, it’s not uncommon for SaaS application credentials to be stolen, with cybercriminals then taking advantage of privilege escalation to access an organization’s most sensitive data, he noted.

Organizations need to make sure least privilege policies are enforced in addition to consistently applying multifactor authentication (MFA), added Senderovitz.

Overall, the report finds the average employee has access to 29 different SaaS applications. That issue is only going to be further exacerbated as employees access SaaS applications infused with artificial intelligence (AI), noted Senderovitz. The report finds nearly all organizations (98%) are accessing SaaS applications that have AI capabilities, while 83% are accessing AI applications such as ChatGPT. A full 70% are accessing AI platforms that can use the data shared with them to train future iterations of AI models.

The core issue is that most users of these applications assume there is a level of security that is often either non-existent or limited at best, said Senderovitz. For example, the report finds 25% of users of SaaS applications publicly share files with anyone with a link, with more than two-thirds of those links providing write permissions.

A full 50% of organizations shared more than 1,500 files with anyone with a link. Not surprisingly, the report finds nearly three quarters of organizations (73%) shared sensitive content externally.

Wing Security is making a case for a SaaS security posture management platform that can block sensitive data from being shared with more than 300,000 SaaS applications. Most recently, the company added support for a range of generative AI applications.

There is little doubt that attacks against SaaS applications will only increase in volume and sophistication, especially as deep fakes created using AI tools are incorporated into phishing campaigns. The issue that organizations need to come to terms with is that many of these SaaS applications, especially in the COVID-19 era, were provisioned by business users who often have little appreciation for the nuances of cybersecurity. Unfortunately, each SaaS application employed only serves to increase an attack surface that most cybersecurity teams are already too overwhelmed to defend.

Article source: https://securityboulevard.com/2024/02/report-surfaces-extent-of-saas-application-insecurity/