SaaS misconfigurations are putting businesses at serious risk

security threat
(Image credit:

Misconfigured software-as-a-service (SaaS) solutions are putting companies at enormous risk of data breaches and loss of business, new research suggests.

According to a new report from SaaS security posture management company Adaptive Shield, most CISOs (85%) see SaaS misconfiguration as a significant threat.

The key issue seems to be the number of tools in circulation. CISOs say they have too many SaaS tools that need to be checked regularly, with just 12% of companies with 50-99 applications able to check their security settings at least once a week. The larger the app count, the less frequent the checks. 

To try and solve the problem, most CISOs (52%) delegate the responsibility to the SaaS owner, who often “has less knowledge and security training”, putting the business at risk.

According to Maor Bin, Adaptive Shield CEO, the findings “present a clear view of an urgent need to secure the SaaS landscape”.

Ransomware on the cards

The findings support additional data published earlier this month by cloud security company Lightspin, which found that many businesses fail to properly configure their cloud instances, in part due to confusing information from vendors.

Analyzing 40,000 AWS buckets and their cloud storage permissions, the company found that almost half (46 percent) of AWS S3 buckets may be misconfigured and should be deemed insecure.

Misconfigured buckets can result in various cybersecurity incidents, including data theft and malware infection, for organizations of all sizes, from SMBs to enterprises.

SMBs that fail to properly configure their SaaS products and cloud instances risk being infected by ransomware and having their systems locked down. Ransomware often results in downtime that lasts for days and prevents businesses from operating normally until the systems are restored. 

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.