Report: SaaS permissions leave huge amounts of data exposed

SaaS companies face a unique threat in the cybersecurity landscape: their own cloud services may very well be working against them by exposing their data companywide.



Updated: August 28, 2024
Written by: Maxime Cartier

SaaS companies face a unique threat in the cybersecurity landscape: their own cloud services may very well be working against them by exposing their data companywide. This means, bluntly, that anyone who can bypass MFA — which, as we’ve proven, is very easy to do — can view not just the data belonging to the account they’ve compromised, but also 1 out of every 10 records in your company's cloud database. These could include highly sensitive company-exclusive data such as payroll records, health and personally identifiable information about your employees, and company secrets. This is a potentially devastating finding, as this is precisely the type of data that is most at risk during a ransomware attack.

According to a recent report by Varonis, companies have an average of 4,468 user accounts that don’t have MFA enabled. This adds up, because most SaaS products are built to increase the exposure of data: in a perfect world (one without hackery!) pertinent data would be shared freely between individuals and departments. However, as you may have noticed (the writer gestures broadly to the world outside your window), we do not live in a perfect world. Therefore, SaaS products should include readily available options to reduce data exposure.

Admittedly, it’s super nice to have a whole bunch of applications that work together. But the security flaw lies within the ease of use: if a hacker can get into one application, they can move laterally and access anything that application is connected to. Think of this internal-access threat as the equivalent of spending hundreds of thousands of dollars on a security system for your home only to have all your possessions stolen because you left the back door unlocked. It’s easy to overlook, and a series of high-profile hacks (Uber and Rockstar immediately come to mind) that occurred simply because of the interconnectivity of their SaaS suites shows that many of the world’s biggest companies are not covering all their bases when it comes to cybersecurity threats.

This type of internal-access threat is a stark reminder that not every threat comes from external sources. This is an avenue that any disgruntled employee, or money-seeking hacker, can go down.

Read the full Varonis report here

Here are some ways to mitigate this problem:

  • Create centralised access permissions for a very select few — your company’s head of IT and/or security team should be the only ones with GMA (“God Mode Access”). 
  • Create a visual of the structure of permissions that are enabled. You may be surprised just how internally exposed much of your company’s data is. 
  • Delete accounts that are no longer in use. This could and should be a part of all employee off-boarding, whether they are full time or contractors. 
  • Decide whether the interconnectivity of your suite of SaaS apps is worth compromising your overall security. 
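As an added illustration (not from this post or the Varonis report), here is a small Python model of the lateral-movement exposure described above: with a constructed set of apps, app-to-app integrations and accounts, it reports what share of company records one compromised account can reach, with and without the integrations, and lists the stale and MFA-less accounts the offboarding and MFA checks would flag.

```python
# Added example: toy model of interconnected SaaS exposure.
# Every app, integration, account and record count here is constructed.
from collections import deque

# Records each app holds (constructed sample values).
APP_RECORDS = {"hr": 2000, "payroll": 500, "crm": 6000, "wiki": 1500}
TOTAL_RECORDS = sum(APP_RECORDS.values())

# Integrations: a session in the source app can reach the target app.
INTEGRATIONS = {"wiki": {"crm"}, "crm": {"hr"}, "hr": set(), "payroll": set()}

# Direct app grants per account, MFA state and days since last login.
ACCOUNTS = {
    "alice":      {"apps": {"wiki"},         "mfa": False, "last_login_days": 3},
    "bob":        {"apps": {"crm"},          "mfa": True,  "last_login_days": 12},
    "contractor": {"apps": {"wiki", "hr"},   "mfa": False, "last_login_days": 140},
    "it-admin":   {"apps": set(APP_RECORDS), "mfa": True,  "last_login_days": 1},
}

def reachable_apps(start_apps, integrations=INTEGRATIONS):
    """Transitive closure: every app reachable by hopping through integrations."""
    seen, queue = set(start_apps), deque(start_apps)
    while queue:
        for nxt in integrations.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def exposure_fraction(account, integrations=INTEGRATIONS):
    """Share of all company records one compromised account can reach."""
    apps = reachable_apps(ACCOUNTS[account]["apps"], integrations)
    return sum(APP_RECORDS[a] for a in apps) / TOTAL_RECORDS

def exposure_without_integrations(account):
    """Same account with every integration cut: the trade-off the last bullet asks about."""
    return exposure_fraction(account, integrations={})

def offboarding_candidates(max_idle_days=90):
    """Accounts idle longer than the threshold: delete as part of offboarding."""
    return sorted(u for u, a in ACCOUNTS.items() if a["last_login_days"] > max_idle_days)

def no_mfa_accounts():
    """Accounts still without MFA, the population the Varonis figure counts."""
    return sorted(u for u, a in ACCOUNTS.items() if not a["mfa"])

if __name__ == "__main__":
    for user in ACCOUNTS:
        print(f"{user:11} reach {exposure_fraction(user):.0%} "
              f"(integrations cut: {exposure_without_integrations(user):.0%})")
    print("no MFA:", no_mfa_accounts(), " stale:", offboarding_candidates())
```

Even alice, who holds a single grant on the low-value wiki, reaches 95% of all records through the integration chain, which is the "visual of the structure of permissions" the second bullet recommends building.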

Hoxhunt users are drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Also learn how to equip your employees with the awareness training that will protect your company from phishing scams.
