Software as a Service (SaaS) has become an increasingly hot topic for businesses of all sizes. Companies looking to change the way they operate after the COVID-19 pandemic have been making use of SaaS services to help them grow. But, as more companies use SaaS, so too do more cybercriminals take an interest in it.

Here we look at four major threats to business SaaS security measures and analyse what your company can do to minimise the risk during 2022.

1. Accelerated digital transformation

The speed at which companies are adopting digital technologies has been truly incredible and the SaaS business model of subscription-based services has been growing enormously in recent years with such growth expected to continue in 2022, and beyond. You would be forgiven for thinking that this upturn is only related to the pandemic, but in fact, there was already an upward trend. COVID-19 and its effect on digital transformation has simply exacerbated the issue. 

At the start of 2022, projections of a marked spike in the public cloud application services did materialise following the post-pandemic move to remote working. Indeed, predictions reported in an IDG Cloud Reporting Survey highlighted 92% of organisation’s IT is cloud based in some way, proving just how important SaaS has become. 

This might all sound extremely positive, but accelerated growth and fast adoption of technology always have the potential downside of gaps in security. Companies that don’t take the time to integrate new systems within their security infrastructure, or think about the many consequences of utilising new SaaS services from a security perspective, can leave them vulnerable to weaknesses that can be exploited. Businesses that are adopting SaaS services should focus on integration with their existing services and IT infrastructure as a priority. Deploying the services correctly is the best way to keep the business secure.

2. Cybersecurity skills shortage

It has been well documented that there is a growing problem across the whole of the cybersecurity industry, and that is a lack of appropriately skilled professionals. In the cybersecurity jobs market, demand is far outstripping supply, leading to an additional problem of services becoming markedly more expensive. 

Without a skilled team in place to manage SaaS cybersecurity issues across your businesses, there is greater potential for problematic issues to arise and for weaknesses to be exploited by cybercriminals. While this might be an option for large highly-profitable businesses, it is not financially feasible for many organisations. A better recommendation would be for organisations to train their workforce on advanced solutions, thereby augmenting the capabilities of their existing security personnel.

It has been estimated that there is a need for another four million cybersecurity professionals worldwide, and that is just to fill the current gap. The problem is that as digital transformation accelerates, more cybersecurity specialists are needed and the gap widens further. Clearly, there is an ongoing need for a concerted effort to train up more cybersecurity professionals. It is hoped that some can be moved over from other areas of IT.

One option for businesses lacking skilled personnel is to provide training to existing members of staff to allow them to add cybersecurity as a specific remit within their role. This is a long-term route that can be extremely beneficial in the future, but may leave the organisation lacking skills right now. 

Another possibility is to work with outsourced cybersecurity specialists. There are many businesses that specialise in providing high-quality cybersecurity support to organisations of all sizes. They will do so for a monthly-fee that is far below what it would cost to hire a cybersecurity team. 

3. A lack of high-quality staff training

With more people working remotely than ever before, staff are increasingly separated from the relative security of the office. Typically, businesses offer strong protection for workers operating from corporately owned endpoints within the existing infrastructure. However, when staff work remotely, they can use unsecured personal devices and thereby create further problems with issues such as shadow IT. 

The only way to effectively combat this problem is through the provision of education and training for staff around cybersecurity best practice. Initially this training should take the form of basic cybersecurity knowledge for all members of staff, your team operates as the first line of defence for the organisation. 

However, it is important to note that cybersecurity training needs to evolve over time. Regular sessions should run on the latest threats and challenges facing the organisation, and what staff can do to both be aware of them and mitigate them. 

4. The need for 24/7 monitoring

Many very popular SaaS services can find themselves the target of regular attacks. And, while putting strong perimeter defences in place is important – it won’t be enough to stop everything. 

“As the world’s most widely used SaaS platform, Microsoft Office 365 is routinely targeted by cybercriminals,” says George Glass, Head of Threat Intelligence at cybersecurity specialists Redscan “and a range of solutions can help with Office 365 monitoring but many organisations lack the security expertise needed to use them effectively. It is only through monitoring around the clock, and fast response to threat actors that companies can be secure as possible”. 

The ability to do this can be affected by the aforementioned staff shortage as well as other issues such as alert fatigue, especially where businesses don’t have the resources for a large cybersecurity department. Utilising advanced software can help to minimise alert fatigue. Rather than overwhelming users, it reports events of interest by looking through a sea of data. 

In summary

SaaS looks set to be a growing aspect of IT infrastructure for businesses of all sizes at the start of 2022 and moving forward. As such, the onus needs to be on businesses to put in place the right cybersecurity measures to combat problems. Many of the threats to SaaS security come not through external threat actors but from internal issues pertaining to company practice.

Taking sensible steps such as putting a staff training plan in place and managing the rate of digital transformation in the business can do a great deal to limit the potential cybersecurity risks.