The Runaway Risk of SaaS
As seen in Cybersecurity Insiders, this article from At-Bay’s CISO for Customers, Adam Tyra, explores the growing risk of SaaS applications and the scenarios that can be directly controlled by managed SaaS monitoring tools.
Third-party cyber losses are on the up. In fact, a recent cyber claims analysis shows that third-party losses from ransomware attacks increased by 43% among mid-market and small businesses last year. The severity also jumped by 72%. This particular threat has distinguished itself as worthy of a conversation about the risk attributable to Software-as-a-Service (SaaS) tools.
While the adoption of these tools continues to accelerate, with Gartner citing “sustained double-digit growth” in SaaS spend through 2027, businesses are making themselves shockingly dependent on SaaS vendors for the delivery of critical functions, ranging from payment processing to customer relationship management. The rapid uptake means the usage of these SaaS tools often occurs beyond the scope of oversight and enforcement capabilities that IT leaders employ to govern technology and secure data in their organizations’ environments.
This increased reliance on SaaS tools without corresponding governance is resulting in unexpected loss scenarios as businesses become increasingly vulnerable to the technology and cybersecurity lapses of their vendors. The main source of loss we currently see is attributable to business interruption – essentially the inability of a company to operate its own business for want of a critical function delivered by a third party. Unfortunately, companies can’t directly impact the resilience of their vendors, making business interruption stemming from the reliance on third parties a risk without a direct technical solution. However, there are two other prevalent loss scenarios that can be directly controlled by SaaS monitoring tools: data leakage via SaaS and credential compromise via SaaS.
Data leakage via SaaS
A world awash in data is steadily filling with vendors promising to help businesses make sense of it. SaaS tools addressing use cases from simple data storage to custom analytics and data visualization have been joined by no-code automation tools to help companies wire it all together easily and cheaply. As more and more SaaS vendors flood the market, laws and regulations governing the usage of all types of sensitive data are proliferating at the local, state, and national levels.
The productivity gains promised by these tools are real, but many companies are failing to consider the risk implications of sharing their business-critical data with third parties. In many cases, professionals charged with data security aren’t even aware that sensitive content is being uploaded, screenshotted, and pasted into these tools bit by bit.
The risk here is two-fold. First, if these tools are being used with legally regulated data outside the scope of an established compliance program, a business may unknowingly violate one or more laws every time an employee moves data into the tool. Second, even if the SaaS product includes the security controls required for the data it’s processing, sharing data with a third party doubles (or more) the attack surface that can become the entry point for a data breach. Risk leaders often fail to realize that they may be forced to inform customers of a breach involving their personal data even when the breach occurs in someone else’s technology environment (i.e., a SaaS vendor).
Account compromise via SaaS
Every cybersecurity awareness training talks about the dangers of credential reuse. Employees are told to use complex passwords, change them frequently, and not write them down on post-it notes stuck to the bottom of their keyboard. For their part, IT leaders have mechanisms to mitigate the risk of credential compromise, including by deploying multi-factor authentication (MFA). Many enterprise SaaS tools also include the ability to integrate MFA or require complex passwords when they’re proactively managed. And herein lies the risk.
SaaS products routinely slip between the cracks of credential management efforts because the teams charged with this responsibility just don’t know that these products are in use. This results in a scenario where users are able to create accounts with credentials that don’t conform with company policy or, worse, reuse credentials that were adequately protected in the environment where they were created but are no longer so once they have also been used for a SaaS product. As with the data leakage risk described earlier, this scenario doubles the attack surface available to attackers who are looking to steal credentials. These credentials can then be taken back to the corporate environment where they were originally created and used to access VPN tools, email, and other common entry points. The ultimate use of compromised credentials is to perform intrusions that are very difficult to detect, since they look like legitimate user behavior.
Extend monitoring and governance to include SaaS
As third-party risks are on the rise, SaaS monitoring tools are becoming a key enabler in the cybersecurity toolkit.
SaaS monitoring tools can deliver the visibility and enforcement capabilities that IT leaders need to stay on top of the creeping risk presented by SaaS. These tools can address the disparities between the security controls that companies maintain in their own environments and those that their vendors maintain. Further, they enable risk leaders to monitor SaaS product usage for their teams and maintain the ability to make deliberate decisions about which products and vendors to trust and which ones to shun.
By monitoring and controlling data flows and credential usage at the perimeter, SaaS monitoring tools can integrate SaaS products into the data security and identity management programs that control risks in the rest of the company’s technology estate.
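One concrete form of the perimeter monitoring described above is to run existing web-proxy logs against a list of sanctioned SaaS hosts: every destination not on the list is a shadow-SaaS candidate, and upload volume to those hosts is a first data-leakage signal. The script below is an added illustration and is not code from At-Bay or from any SaaS monitoring product; the log format (timestamp, user, HTTP method, host, bytes sent), the sanctioned-host list, the `.test` hostnames and the upload threshold are all constructed assumptions.

```python
"""Shadow-SaaS discovery over web-proxy logs (added example, not from the article).

Assumed log format, one event per line:
    <timestamp> <user> <method> <host> <bytes_sent>
Hosts not on the sanctioned list are reported, together with which users
reached them and how much data was uploaded there.
"""
import re
from collections import defaultdict

# Constructed sample log lines; hostnames are placeholders, not real services.
SAMPLE_LOG = """\
2024-03-01T09:12:01Z alice POST files.example-crm.test 1048576
2024-03-01T09:13:45Z bob GET mail.corp-sanctioned.test 512
2024-03-01T09:15:10Z alice POST paste.unknown-tool.test 204800
this line is malformed and should be skipped
2024-03-01T09:16:02Z carol PUT upload.newanalytics.test 52428800
2024-03-01T09:16:40Z dave GET upload.newanalytics.test 1024
2024-03-01T09:17:30Z bob POST files.example-crm.test 2048
"""

# Assumed allowlist of SaaS hosts that are covered by the company's
# compliance and identity programs.
SANCTIONED = {"files.example-crm.test", "mail.corp-sanctioned.test"}

# Assumed threshold (bytes in a single upload) above which an event to an
# unsanctioned host is reported individually as a possible bulk data transfer.
UPLOAD_THRESHOLD = 1_000_000

UPLOAD_METHODS = {"POST", "PUT"}
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<bytes>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["bytes"] = int(event["bytes"])
    return event


def analyze(log_text, sanctioned=SANCTIONED, upload_threshold=UPLOAD_THRESHOLD):
    """Summarise traffic to hosts outside the sanctioned list.

    Returns a dict with:
      unsanctioned_hosts: host -> sorted list of users who reached it
      bytes_uploaded:     host -> total bytes sent via POST/PUT
      large_uploads:      [(user, host, bytes)] for single uploads >= threshold
    """
    users_by_host = defaultdict(set)
    bytes_by_host = defaultdict(int)
    large_uploads = []

    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None or event["host"] in sanctioned:
            continue  # malformed line, or traffic to a governed SaaS host
        users_by_host[event["host"]].add(event["user"])
        if event["method"] in UPLOAD_METHODS:
            bytes_by_host[event["host"]] += event["bytes"]
            if event["bytes"] >= upload_threshold:
                large_uploads.append((event["user"], event["host"], event["bytes"]))

    return {
        "unsanctioned_hosts": {h: sorted(u) for h, u in users_by_host.items()},
        "bytes_uploaded": dict(bytes_by_host),
        "large_uploads": large_uploads,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for host, users in sorted(report["unsanctioned_hosts"].items()):
        print(f"unsanctioned host {host}: users={users}, "
              f"uploaded={report['bytes_uploaded'].get(host, 0)} bytes")
    for user, host, size in report["large_uploads"]:
        print(f"large upload: {user} -> {host} ({size} bytes)")
```

In practice the sanctioned list would come from the company's application inventory, and the unsanctioned-host report is the starting point for the deliberate trust decision the article calls for: onboard the product into the identity and data programs, or block it at the perimeter.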