Push Security Ltd., a startup helping companies secure their software-as-a-service applications, has raised a $15 million funding round to support its growth.

The Series A round was announced today. According to the company, Alphabet Inc.’s GV venture capital arm led the investment. GV was joined by Decibel and multiple angel investors including the co-founders of Duo Security Inc., a cybersecurity startup that Cisco Systems Inc. bought for $2.35 billion in 2018.

The typical enterprise uses upwards of dozens of SaaS applications to support its business operations. Employees often store sensitive business data in those applications, which makes them a target for hackers. Push Security is working to reduce the risks posed by the SaaS products that a company’s employees use. 

The London-based startup offers a platform that automatically detects when workers sign up for a new cloud application. According to the company, its platform creates an inventory of employees’ SaaS accounts and scans them for insecure settings. If it finds an issue, the platform asks affected employees to change the vulnerable account setting.

“The most sensible way we’ve found to scale SaaS security in an employee-adopted apps world is to put users at the center of helping to improve security,” explained Chief Executive Adam Bateman (pictured, left, with co-founders Tyrone Erasmus and Jacques Louw). “We prompt users at the right time to encourage them to take an action that will benefit an organization’s security, like updating their software or securing their user account.”

The algorithms spot when employees sign up for an SaaS application using a weak password. The software also detects cases where an employee reuses the same login credentials across multiple services. Recycled passwords are a cybersecurity risk because, in the event of a breach, they can be used by hackers to compromise several applications at once. 

Workers often sign up for SaaS applications using their corporate Google Workspace or Microsoft 365 accounts. In such situations, there is no risk of weak or reused passwords. However, other cybersecurity issues can emerge.

Some SaaS applications only work if they’re granted permission to access the data in a user’s Google Workspace or Microsoft 365 account. As a result, there’s a risk that workers may make sensitive business records accessible to a potentially risky cloud service. Push Security’s platform can automatically detect risky account access permissions given to SaaS applications, as well inactive permissions that should be deleted because they’re not used.

Another set of features in the company’s platform focuses on detecting compromised email accounts. It spots breaches by searching for malicious mail rules, which are a type of inbox setting that can be misused by hackers, for example by forwarding password reset emails to an external address.

Push Security made its platform available last July. Since then, it has amassed a user base that reportedly includes about 50,000 workers across “hundreds” of teams. Along the way, the startup also added connectors for more than 480 SaaS applications to its platform.

Photo: Push Security