A new study released today by cybersecurity asset management firm Axonius Inc. finds that software-as-a-service security is lagging behind despite the ongoing adoption of SaaS among enterprises.

The study, based on a survey of enterprises in the U.S. and Europe, found that 74% of respondents reported more than half of their applications are now SaaS-based, up from 66% a year ago. However, SaaS security ranked fourth or lower on their list of current security priorities. More than a third said they were concerned with costs associated with rising SaaS-based app usage.

Even as SaaS security is not prioritized by many, 66% of respondents said that the increase in SaaS applications has resulted in more complexity and increased security risk in their organizations. For those not highly considering SaaS security, 28% nominated limited time and resources, 23% said pressure to focus on other issues from the C-Suite had hindered their efforts, and 15% said staffing shortages were limiting their ability to secure their SaaS apps.

“The biggest concern with SaaS adoption right now is that most organizations are underestimating the number of SaaS applications that exist within their environment,” Dean Sysman, co-founder and chief executive officer of Axonius, said in a statement. “SaaS offers numerous benefits… but that also presents an enormous risk.”

Sysman noted information technology and security teams already struggle to identify the assets that exist within their organizations. SaaS apps further complicate their ability to gain visibility into data and interconnectivity, manage configurations and close security gaps, as well as track licensing, usage and spending.

The study argues that the consequences of insecure SaaS environments are already being seen. The breach of Okta Inc. in March is cited as one example, with that attack then leading to further breaches across other services. The theft of OAuth user tokens from Heroku and Travis-CI via GitHub in April is identified as another example of how one insecure environment can lead to the compromise of other services.

“The appetite for SaaS will only continue to grow, further exacerbating data sprawl and security implications,” noted Jerich Beason, Commercial Bank chief information security officer and an adviser to Axonius. “These risks are no longer hypothetical, and without full visibility into the SaaS application landscape, organizations will continue to find themselves vulnerable to data loss from shadow SaaS, non-compliance with federal and industry regulators and financial strain from lack of insight into organizational spend.”

Image: TheDigitalArtist/Pixabay