
Third-party risks become bigger security concern
Cybersecurity teams have long realized that software-as-a-service (SaaS) applications specifically, and IT services in general, represent a tempting target given how much data is aggregated in a cloud computing environment. A ransomware attack against CDK Global, a provider of business applications delivered via the cloud to nearly 15,000 car dealers, is proof positive. Following the ransomware attack, the company has not been able to provide access to most of its applications as it continues to negotiate with an unidentified cybercriminal gang.
Ironically, that attack came about a week after the passing of a deadline for complying with a Federal Trade Commission (FTC) Safeguards Rule that requires U.S. auto dealerships to comply with the amended data security safeguards put in place by the federal agency to protect personal customer information.
SaaS applications are, of course, only one type of third-party service that organizations are dependent upon. The security of managed IT services, especially, has been a growing concern. A recent analysis of cybersecurity breaches published by SecurityScorecard, a provider of platforms for assessing cybersecurity risks, finds that 29% involved some type of third-party attack vector. Overall, 75% of the breaches that involved a third-party service could be traced back to some element of the IT supply chain, the report noted.
Fortunately, the overall state of SaaS application security appears to be improving. In addition to the investments made by the providers of these applications, organizations that rely on these applications have been paying more attention to how best to secure them. A recent survey of 478 IT and security professionals conducted by the Cloud Security Alliance (CSA) finds that 57% of respondents work for an organization that has a SaaS security team with at least two dedicated full-time employees. Another 13% have one dedicated full-time employee.
Commissioned by Adaptive Shield, a provider of a SaaS application security posture management platform, the survey also finds 39% of respondents reporting their organizations have increased SaaS cybersecurity budgets compared to last year.
Overall, a quarter (25%) of respondents said their organization experienced a SaaS security incident in the past two years, compared with 53% last year. The most common security incidents reported were data breaches (52%) and data leakage (50%), followed by unauthorized access (44%) and malicious applications (38%).
A full 70% of respondents added they now have moderate to full visibility into their SaaS applications. However, challenges remain, with achieving visibility into business-critical apps (73%); tracking and monitoring security risks from third-party connected apps (65%); locating and fixing SaaS misconfigurations (65%); ensuring data governance and privacy (63%); and aligning SaaS application settings with compliance standards (61%) all being identified as ongoing issues.
As cybersecurity professionals well know, the level of risk any organization incurs increases exponentially each time another service expands the overall size of the attack surface that needs to be defended. Many of those services were added in the heyday of the COVID-19 pandemic by business leaders who didn’t care much about how secure any cloud application or service was so long as it enabled their teams to keep working. Unfortunately, cybercriminals are now making it abundantly clear that when it comes to identifying potential targets, the providers of these services are at the top of a very long list.
