SaaS Security Statistics You Should Know in 2023
Table of contents
Software as a Service (SaaS) is rapidly evolving, and it's pivotal for businesses to keep up. With over 30,000 companies on the SaaS map, the industry is not just growing; it's thriving.
Here are some figures to set the stage: The SaaS market is set to soar to a staggering $700 billion by 2030, and it's sprinting there with an annual growth rate of 18.3%. The United States is at the epicenter of this SaaS boom, holding more than 70% of the global market. 
However, as with all great advancements, challenges lie in wait. SaaS security is no exception. It's akin to an intricate cat-and-mouse game between defenders and attackers. While attackers only need to succeed once, defenders face the daunting task of maintaining a flawless record.
Let’s add some sobering perspective with a pinch of data: The IBM Cost of Data Breach Report 2022 revealed that the global average cost of a data breach stands at $4.35 million, witnessing a 13% surge in just two years.
As the sector expands, security is a critical piece of the puzzle. In this article, we’ll share vital SaaS security stats that professionals need to know. Being well-informed is essential for making smart decisions and safeguarding your SaaS endeavors. Let's delve in.
Top SaaS security statistics and concerns
SaaS Misconfigurations Driving Up Security Incidents
In the realm of Software as a Service (SaaS), security stands as a pillar of paramount importance. However, a lingering issue causing concern among organizations is the role of SaaS misconfigurations in escalating security incidents. These misconfigurations, often overlooked, have been a primary source of anxiety since 2019.
To put things into perspective, consider this:
- 43% of organizations have experienced security incidents that can be directly traced back to SaaS misconfigurations. 
- What's even more concerning is that this number could potentially soar to 63%, as a notable fraction of organizations remain uncertain whether their security incidents were linked to SaaS misconfigurations. 
- Only 17% of organizations faced security incidents due to Infrastructure as a Service (IaaS) misconfigurations. 
- Sensitive SaaS data has been exposed in about 81% of organizations, highlighting the prevalence of data vulnerabilities and the urgent need for enhanced security measures.
- Attackers find it easier to infiltrate when multi-factor authentication (MFA) is missing. Surprisingly, the average company has 4,468 user accounts without MFA enabled, creating opportunities for attackers to exploit internally exposed data.
- Overly complex permission structures is a major challenge. Companies are burdened with more than 40 million individual permissions scattered across various SaaS applications. This creates a nightmare for IT and security teams responsible for managing and reducing the risk of cloud data.
What does this mean for organizations? The data points to an urgent need for proactive measures. One effective approach is embracing automation and continuous scanning, which pertain not just to IaaS but critically to SaaS misconfigurations as well. Through automation, organizations can identify and address issues in real-time, significantly reducing the window of vulnerability.
Excess access and lack of visibility are the leading causes of SaaS misconfigurations
The primary reasons for SaaS misconfigurations stem from a lack of monitoring of alterations in SaaS security settings, accounting for 34%, and an excessive number of departments having access to these security settings, contributing to 35%. 
Navigating the sea of SaaS security, let's throw the anchor down at misconfigurations. What’s sinking the ship? Two major culprits:
- Lack of Visibility: 34% of the time.
- Too Many Cooks in the Kitchen: 35% due to excess departmental access.
Lack of Visibility into Security Settings (34%)
When changes are made to SaaS security settings, it's like changing the locks without telling anyone. A staggering 34% of misconfigurations happen because organizations don’t keep an eye on these changes. The result? Security blind spots that leave the door open for unwanted guests.
The Fix: Keep a close watch! Implement tools and practices that constantly monitor security settings. When a change is made, ensure it aligns with the security policies.
Too Many Departments with Access (35%)
Imagine a kitchen with too many chefs - chaos, right? Same here. When too many departments have access to the security settings, there’s a 35% chance that something will go haywire.
40% of organizations have indicated that departments such as legal, marketing, and sales - which are primarily business-focused and engaged in job-related activities - possess security access to SaaS applications. It's vital to recognize that these departments often don’t have adequate training or the security-centric mindset needed for altering security configurations. Nonetheless, access to SaaS applications is essential for them to carry out their roles effectively. 
This scenario calls for a delicate balance. Organizations must facilitate access to multiple departments while ensuring that security teams have a clear line of sight into changes made to security settings. Such insight empowers security teams to timely identify, avert, or rectify any inappropriate alterations, thereby maintaining the integrity and security of the SaaS applications.
The Fix: Less is more! Adopt a principle of least privilege. Give departments only the access they need, nothing more. This cuts down on the risk of unnecessary or harmful changes.
There’s more investment in business-critical SaaS than in SaaS security tools and staff.
- 81% of organizations have increased their investments in SaaS applications.
The modern business landscape is witnessing a surge in investment in business-critical SaaS applications. A whopping 81% of organizations have amplified their spending in this domain over the past year. However, there's a catch – investments in security tools, and staffing aren't keeping pace. 
- While 73% of organizations have increased investment in security tools, only 55% have done the same for security staff.
This discrepancy paints a picture of mounting pressure on existing security teams. They are expected to keep the fort secure but with less proportionate support in terms of tools and manpower. What's the solution to ease this burden?
Automation might just be the knight in shining armor. It holds the promise of streamlining SaaS security monitoring. But hold on – a mere 26% of organizations have embraced automation for monitoring SaaS security. Without automation, security teams are stuck in the trenches, manually sifting through settings, detecting, and fixing misconfigurations. This is not just exhausting but also a potential ticking time bomb for security risks. 
- Only 26% of organizations have embraced automation for monitoring SaaS security.
What does this mean for organizations? It's time for a reality check. The current trend of heavy investment in SaaS applications without a parallel boost in security tools and staff is a tightrope walk. It’s not sustainable in the long run. Organizations need to reevaluate their investment strategies to ensure that security doesn’t play second fiddle. Balancing investments in SaaS applications with adequate funding for security tools and personnel, including automation, is critical to building a resilient and sustainable security infrastructure.
Organizations are left vulnerable by handling SaaS misconfigurations manually.
Let's take a peek into what happens when organizations roll up their sleeves and dive into monitoring and fixing SaaS security settings manually. Spoiler alert - it's not a pretty picture.
For the security teams, it's akin to climbing a never-ending mountain. They are taxed, and what's even more alarming is that the organization's security hangs by a thread.
Here's what the numbers say:
- 46% of organizations can only manage to check security settings on a monthly basis, or even less frequently.
- Adding to this, 5% don’t check their settings at all.
Pause and think about it. Misconfigurations could be sitting ducks for a month or more, waiting to be exploited. And when they are finally spotted, the clock ticks as security teams scramble to fix them.
- Here’s another stat: About 1 in 4 organizations take an entire week or even more to iron out a misconfiguration when they’re doing it manually.
This leaves the organization's security hanging in the balance. The longer these misconfigurations exist, the wider the window of opportunity for security breaches.
So, what's the game plan to seal these vulnerabilities?
Automation could be the secret sauce. Organizations need to embrace automation and other state-of-the-art tools to shrink the timeline for detecting and remedying SaaS misconfigurations. This is not just about efficiency; it's about fortifying the security walls and ensuring that they don’t crumble under the weight of manual processes.
Automate your SaaS security with Resmo to eliminate misconfigurations from your equation.
What is the average frequency of SaaS security configuration checks?
- 13% yearly
- 15% quarterly
- 18% monthly
- 24% weekly
- 10% continuously
- 5% don’t check at all
Leading security concerns when adopting SaaS applications
The number one security concern, with 56%, when adopting a new SaaS application is 3rd party application access to the core SaaS stack. 
54% of organizations find a lack of visibility into SaaS security settings as their primary concern.
Tip: One thing that can ensure that your IT and security teams always know about unauthorized SaaS usage is by using a SaaS app discovery tool.
41% of organizations consider the inability to remediate SaaS security misconfigurations as their main SaaS security concern.
Lack of security knowledge is the main concern for 38% of companies adopting SaaS applications.
35% of organizations are worried about the lack of automation or tooling for SaaS security, which is followed by an insufficient amount of SaaS security with 32%.
Unauthorized SaaS application use is causing vulnerabilities in workplaces
Unauthorized use of SaaS applications is becoming a major concern, causing vulnerabilities within workplace environments. With the ease of accessing and adopting cloud-based applications, employees are increasingly turning to unauthorized SaaS solutions to fulfill their work-related needs. However, this practice poses significant risks, as these unvetted applications may lack robust security measures, leading to potential data breaches and unauthorized access to sensitive information.
Unauthorized SaaS application use poses vulnerabilities in workplaces:
- Employees often resort to unapproved SaaS apps, increasing data exposure risks.
- Lack of visibility and control leads to fragmented security landscapes.
- Compatibility issues, data silos, and integration challenges arise from decentralized app usage.
Take control of your SaaS security with Resmo:
- Discover and manage all SaaS applications in your organization.
- Detect misconfigurations and vulnerabilities automatically, like lack of MFA, excessive permissions, and access rights.
- Automate security checks to ensure ongoing protection.
- Strengthen your security posture and safeguard sensitive data.
Ready to secure your SaaS applications? Discover SaaS logins in your company.
SaaS security stats FAQ
Is IaaS more secure than SaaS?
No, IaaS (Infrastructure as a Service) is not inherently more secure than SaaS (Software as a Service). The security of IaaS or SaaS depends on the provider's security measures and the user's practices in managing and configuring the services. IaaS offers more control over security configurations, while SaaS often comes with built-in security features.
Which software is more secure?
The level of security in software is not solely determined by the type of software but rather depends on various factors, including the software's design, development practices, regular security updates, and adherence to security standards. It is crucial to evaluate the specific software's security features, vulnerabilities, and the vendor's commitment to security. Both commercial and open-source software can be secure if developed and maintained with a strong focus on security. Ultimately, the security of software relies on the diligence and best practices of developers and users alike.
Are cloud-based services more secure?
Cloud-based services can provide enhanced security compared to traditional on-premises solutions, thanks to dedicated security teams, advanced technologies, and centralized security management offered by cloud providers.
While no system is entirely immune to risks, the economies of scale and robust security measures implemented by cloud providers can contribute to a stronger overall security posture. However, organizations must still take responsibility for implementing proper access controls and encryption and adhering to best practices to ensure the security of their cloud-based systems.
 Cloud Security Alliance Survey (CSA)
 2022 Saas Security Survey Report (HubspotUserContent)
Keep on reading: