‘SaaS Sprawl’ Heightens Data Security Risks for Enterprises
A glut of software, combined with a weak security culture, may be leaving your proprietary data more vulnerable than you realize.

The bigger the tech stack, the wider the attack surface.
In recent months, several enterprises have faced attacks on Salesforce-hosted databases, leading to the exposure of a wealth of personal data. The latest victim is HR technology firm Workday, which confirmed on Friday that an unspecified amount of personal information was stolen from its database, including names, email addresses and phone numbers.
The breach, in which hackers posed as IT and HR personnel to get employees to share their credentials, follows similar social engineering attacks on Google, Cisco, Allianz Health and airline Qantas.
The string of incidents underscores the need to tackle security issues from two sides: the technology itself and the workforce using it, said Dave Meister, global head of managed services at security firm Check Point.
- From the technology side, enterprises are falling prey to “SaaS Sprawl,” said Meister, or having so many applications and platforms that they’re unable to properly track and monitor them. “There’s an assumption by a lot of organizations that just because it’s SaaS, that it’s protected, and that’s just not the case,” he said.
- From the workforce side, the point of entry for hackers tends to be employees falling for phishing emails or robocalls, he said, and many organizations haven’t cultivated a strong enough “culture of security” to prevent this.
“There’s not really a lot of tech that’s going to stop this type of attack,” said Meister. “If somebody’s calling up, requesting to get access to something, it comes down to process and procedure and company policy that’s going to prevent this type of social engineering from being successful.”
Meanwhile, AI stands to make both challenges worse, Meister said: As companies deploy models without strong policies governing the data that can go into them, the attack surface widens and the data gets further from their control.
But enterprises can avoid that fate, said Meister. The first step is understanding your organization’s overall “SaaS posture” by taking stock of how many apps your company uses – and how many it actually needs on a regular basis. Then, find a platform that allows for continuous monitoring and auditing of all the data going in and out. “Organizations need to have a vetting process for any SaaS tools that they’re taking on,” he said.
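The "take stock" step above is the part of this advice that can be mechanised: most SaaS use passes through the identity provider, so an SSO audit export is a good starting inventory. The script below is an added example, not code from the article or from Check Point. It assumes an IdP export with one JSON record per line carrying the fields "ts", "user", "app" and "event"; the sample records, the sanctioned-app list and the 90-day staleness threshold are all constructed for the example. It aggregates per app, flags apps nobody has used in 90 days (candidates for retirement) and apps reached by OAuth consent that never went through vetting (the shadow-IT side of sprawl).

```python
"""SaaS inventory from identity-provider sign-in records.

Added example, not from the article or Check Point. Assumes an IdP (SSO)
export with one JSON object per line and the fields "ts", "user", "app"
and "event"; field names, sample records and the sanctioned-app list are
constructed for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export, as an SSO audit log might be dumped.
# Dates are fixed so the result is reproducible.
SAMPLE_LOG = """\
{"ts": "2025-08-01T09:12:00Z", "user": "alice", "app": "Salesforce", "event": "sso_login"}
{"ts": "2025-08-02T10:30:00Z", "user": "bob", "app": "Salesforce", "event": "sso_login"}
{"ts": "2025-08-14T08:00:00Z", "user": "carol", "app": "Workday", "event": "sso_login"}
{"ts": "2025-03-03T14:00:00Z", "user": "dave", "app": "OldSurveyTool", "event": "sso_login"}
{"ts": "2025-08-10T16:45:00Z", "user": "alice", "app": "NoteTakerAI", "event": "oauth_consent"}
{"ts": "2025-08-11T11:05:00Z", "user": "erin", "app": "NoteTakerAI", "event": "oauth_consent"}
{"ts": "2025-08-12T11:05:00Z", "user": "erin", "app": "Salesforce", "event": "sso_login"}
"""

# Constructed: apps that passed the organisation's vetting process.
SANCTIONED = {"Salesforce", "Workday", "OldSurveyTool"}

STALE_AFTER = timedelta(days=90)          # assumed retirement threshold
NOW = datetime(2025, 8, 18, tzinfo=timezone.utc)  # fixed "today" for the sample


def parse_records(text):
    """Parse one JSON object per line; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            records.append(rec)
        except (ValueError, KeyError):
            continue  # one bad line should not abort the inventory
    return records


def build_inventory(records, sanctioned, now):
    """Aggregate per app: distinct users, last activity, event types seen,
    and whether the app is stale (unused for STALE_AFTER) or unsanctioned."""
    users = defaultdict(set)
    events = defaultdict(set)
    last_seen = {}
    for rec in records:
        app = rec["app"]
        users[app].add(rec["user"])
        events[app].add(rec["event"])
        if app not in last_seen or rec["ts"] > last_seen[app]:
            last_seen[app] = rec["ts"]
    return {
        app: {
            "users": len(users[app]),
            "last_seen": last_seen[app],
            "events": events[app],
            "stale": now - last_seen[app] > STALE_AFTER,
            "sanctioned": app in sanctioned,
        }
        for app in users
    }


def findings(inventory):
    """Return sorted lists of apps to review: unsanctioned and stale."""
    unsanctioned = sorted(a for a, i in inventory.items() if not i["sanctioned"])
    stale = sorted(a for a, i in inventory.items() if i["stale"])
    return unsanctioned, stale


def run_sample():
    """Build the inventory for the constructed sample log."""
    return build_inventory(parse_records(SAMPLE_LOG), SANCTIONED, NOW)


if __name__ == "__main__":
    inv = run_sample()
    for app, info in sorted(inv.items()):
        print(f"{app:14} users={info['users']} last={info['last_seen']:%Y-%m-%d} "
              f"sanctioned={info['sanctioned']} stale={info['stale']}")
    unsanctioned, stale = findings(inv)
    print("unsanctioned (vet or revoke):", unsanctioned)
    print("stale (consider retiring):", stale)
```

On the sample, Salesforce shows three distinct users and recent activity, OldSurveyTool is flagged stale, and NoteTakerAI is flagged unsanctioned because it entered via user OAuth consent rather than the vetting process. In a real deployment the same aggregation would run over the IdP's own export format and the sanctioned list would come from the procurement or vetting system, and apps that never touch the IdP at all (local accounts, personal sign-ups) still need a second source such as expense or DNS data.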
The next step is ensuring that security is more than a “tick-box exercise,” Meister said. While most enterprises have some kind of security training in place for employees, the programs are often not taken seriously and have little impact. Organizations need to have security baked into their policies, culture and procedures to protect information from getting into the wrong hands from the jump.
“There needs to be a cultural shift from an individual level and from an organizational level,” said Meister. “We need to establish cultures of protection saying ‘I’m not going to share this unless I explicitly need to.’”