Protecting your data in the age of SaaS: Threats and how to face them

James Ciesielski | Last updated on April 3, 2023 | 8 minute read

Data breaches can quickly ruin a business. They have lasting reputational, regulatory, and financial penalties, even when the company has implemented robust defenses to reduce the probability of data loss.

Threats are getting more sophisticated daily, and individual data breaches are becoming costlier yearly. IBM’s 2022 Cost of a Data Breach report found that recovering from an incident now costs an average of $4.35 million globally, up from $4.24 million in 2021 and $3.86 million in 2020, a 12.5% increase in just two years. Specific regions and industries can be hit even harder, with US breaches exceeding $9.4 million per incident in 2022, while attacks against healthcare providers averaged $10.1 million.

In addition, breaches can be preceded by several different threat vectors. Criminals can compromise email servers to steal sensitive information—typically producing a $4.89 million recovery bill, according to IBM—or exploit vulnerabilities in third-party software dependencies deep in your stack, with IBM reporting a $4.55 million loss. But the most costly vector is actually one of the least technical: phishing campaigns, which can propel the cost of restoration up to $4.91 million.

Most organizations think of data breaches as the product of direct attacks against their own systems. But what happens when cloud-hosted software-as-a-service (SaaS) platforms are targeted? In this article, you’ll learn how to manage and mitigate this risk.

Data breaches and SaaS-hosted data

A 2021 Gartner report found that 85% of organizations will operate on a cloud-first principle by 2025. In addition, over 60% of all corporate data worldwide already resides in cloud platforms and hosted software services, according to research from Statista.

SaaS solutions offer compelling benefits to enterprises of all scales. They increase flexibility, can scale indefinitely, and eliminate the maintenance overheads of running on-premise software. However, handing your data over to third-party providers makes you dependent on their security.

Cloud data breaches are on the rise

IBM’s report revealed that 45% of all data breaches affect cloud-based services. Incidents in 2022 included attacks against LastPass, Twilio, and Microsoft.

SaaS providers are lucrative attack targets because successful infiltration can expose the data of many different organizations, including yours. Zylo’s 2022 SaaS Management Index revealed that the average organization spends $65 million per year on subscriptions for 323 separate SaaS applications. With so many services storing terabytes of data, it’s no surprise that attackers are transitioning away from campaigns against individual enterprises to focus on managed SaaS platforms instead.

To stay safe, you need to select providers with a proven track record for security and compliance. There’s no guarantee this will protect you, though—the incidents mentioned earlier illustrate how even well-established SaaS providers aren’t immune to the threat.

Most companies’ SaaS data has already been exposed

According to a report from Varonis, 81% of organizations had private data leaked from SaaS providers in 2022. It found 157,000 sensitive records on the public internet, with the majority exposed by SaaS data-sharing features. This corresponds to a $28 million potential breach recovery cost.

A separate PricewaterhouseCoopers (PwC) report found that 27% of 3,500 senior executives surveyed have experienced a data breach costing more than $1 million within the past three years. That figure climbs to 34% when considering only North American companies.

The impact of each attack can vary by organization, the type of data stored, and the remit of the SaaS provider that was impacted. In the wake of an incident, IT teams and security leads should audit their remaining SaaS offerings to tighten their protections, but just 32% of the executives surveyed by PwC said they’ve been able to fully mitigate their organization’s supply chain risks.

Simple protections go underused

Some breaches occur because attackers exploit vulnerabilities in the SaaS provider’s code. However, other attacks are preventable by making full use of available protections.

The Varonis study discovered a total of 4,468 SaaS user accounts with no multifactor authentication (MFA) options configured across the survey sample of 717 organizations. Moreover, 55% of users with administrator privileges were unprotected. Those accounts could be susceptible to takeovers using basic techniques, such as credential stuffing.

Preventing SaaS data loss starts with the simplest parts of security. Mandating MFA methods, such as time-based one-time passwords (TOTP), reduces risk by stopping attacks before they enter the target system. A Microsoft study published in 2019 claimed that enabling MFA can prevent 99.9% of compromise attempts. You can further boost your protection by regularly educating staff on security best practices, such as how to spot suspicious phishing emails and keep devices up to date.

Don’t forget the sprawl: Multiservice permissions management is hard

With hundreds of SaaS accounts comes a dramatic expansion of your attack surface. Properly securing every account with appropriate permissions is cumbersome, which allows mistakes to occur. A single overprivileged user token could let an attacker steal your SaaS data.

Varonis discovered that the average company relies on over 40 million unique permission assignments to configure its services. In addition, administrators often report difficulties in managing the sprawling number of permissions they’re responsible for. Accounts can be inadvertently given too many access rights or forgotten after individuals leave the organization.

To address this risk, you should try to select SaaS applications that integrate with established identity and authorization solutions, using single sign-on (SSO), Security Assertion Markup Language (SAML), and System for Cross-domain Identity Management (SCIM) specifications. These mechanisms help centralize user and permissions management across applications, improving visibility into who can access different areas of data.
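What a centralized roster makes possible, as an added example that is not from the original article or any vendor's tooling: reconciling each application's account list against the identity provider to surface orphaned accounts and administrators without MFA. The roster, the export schema (`app`, `user`, `role`, `mfa`) and every record are constructed for illustration.

```python
from collections import defaultdict

# Constructed IdP roster: lowercase userName -> active flag
# (the kind of state a SCIM "active" attribute carries).
IDP_ROSTER = {
    "alice@example.com": True,
    "bob@example.com": True,
    "carol@example.com": False,  # offboarded in the IdP
}

# Constructed per-application account exports (hypothetical schema).
APP_ACCOUNTS = [
    {"app": "tickets", "user": "alice@example.com", "role": "admin", "mfa": True},
    {"app": "tickets", "user": "bob@example.com", "role": "admin", "mfa": False},
    {"app": "tickets", "user": "carol@example.com", "role": "member", "mfa": True},
    {"app": "store", "user": "bob@example.com", "role": "member", "mfa": False},
    {"app": "store", "user": "dave@example.com", "role": "admin", "mfa": False},
]

# Lower number = review first.
SEVERITY = {"ORPHANED_ADMIN": 0, "ADMIN_NO_MFA": 1, "ORPHANED": 2, "NO_MFA": 3}


def audit_accounts(roster, accounts):
    """Return (finding, app, user) tuples, most severe first."""
    findings = []
    for acct in accounts:
        user = acct["user"].lower()
        is_admin = acct["role"] == "admin"
        # Unknown to the IdP or deactivated there: nobody owns this account.
        if not roster.get(user, False):
            kind = "ORPHANED_ADMIN" if is_admin else "ORPHANED"
            findings.append((kind, acct["app"], user))
        elif not acct["mfa"]:
            kind = "ADMIN_NO_MFA" if is_admin else "NO_MFA"
            findings.append((kind, acct["app"], user))
    return sorted(findings, key=lambda f: (SEVERITY[f[0]], f[1], f[2]))


def summarize(findings):
    """Count findings per category for a report header."""
    counts = defaultdict(int)
    for kind, _, _ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for kind, app, user in audit_accounts(IDP_ROSTER, APP_ACCOUNTS):
        print(f"{kind:15} {app:8} {user}")
```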

Minimizing the risks to your SaaS and cloud data

Minimizing data loss risks begins with proactively assessing the threats you face, then implementing tools and processes that allow you to recover. Although you can’t control what happens to data after it’s left your SaaS provider in a breach, you can establish a protective layer in case it’s destroyed or lost due to a cyberattack or malfunction.

Proactively back up your SaaS data

SaaS providers are usually trusted to keep data safe. Any credible solution will already be continually replicating data and storing regular snapshot backups. However, the service shouldn’t be relied upon: an attacker with access to the SaaS infrastructure may be able to view and delete those backups.

Furthermore, providers are often unable to restore a single account’s data in isolation. SaaS services usually operate under the Shared Responsibility Model, which splits responsibility for data safety between you, the customer, and the service. The provider fulfills its commitments by making platform-level backups that facilitate restoration after major incidents. However, they are often unable to use these backups to restore only the data that pertains to your account.

You should additionally back up your own data so you can recover from failures such as accidental deletion, where the service may be unable to assist you. If your business couldn’t function without its GitHub issues, Shopify theme code, or Jira cloud data, you should be making your own copies on a regular basis. You may never need them, but they’ll be indispensable when you do suffer a breach or human error occurs. You’ll also be protected if the service has an extended outage or finds its own backups unusable.

Use independent solutions to automate your backups

One way to create backups is through the APIs of your SaaS services. You could develop scripts that automatically retrieve new data periodically, then archive it to storage that you control. However, these ad hoc downloads can be challenging to use during restoration. You’ll need to manually reimport their contents back into your SaaS accounts, which is usually a time-consuming chore.

Instead, look for independent solutions that integrate with your SaaS applications to automate backup creation and restoration. This hands-off approach ensures data can be easily rolled back when it’s needed. It also removes your reliance on your SaaS provider’s infrastructure.

Rewind offers on-demand and recurring backups for popular SaaS solutions. It replaces time-consuming manual exports with simple daily backup routines that are saved to your cloud storage. If data loss does occur, Rewind can quickly restore SaaS accounts from storage. It supports full account-level restoration as well as granular recovery of specific data types, such as files, products, and tickets.

Add SaaS platforms to your Disaster Recovery planning

SaaS solutions should be part of your disaster recovery plans. You need a clear procedure to follow after data loss occurs, whether it’s due to service unavailability, user error, or a malicious breach. This helps you focus your recovery efforts and avoid confusion.

Rehearse your recovery strategy periodically to check you can promptly respond when incidents occur. Test your backups regularly to check they’re working and gauge typical recovery times; then fine-tune your plan based on your findings. When data loss does occur, you’ll be ready to respond robustly by restoring your data or migrating it to another provider.
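The script-based backups described under "Use independent solutions to automate your backups" and the advice above to test backups regularly, combined in one added example (not code from the article or from Rewind): each export is written with a SHA-256 manifest, and a separate check reports stale, missing or corrupted files. It assumes the records were already fetched from the SaaS API; the function names, file layout and sample records are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
import time


def write_snapshot(records_by_type, dest_dir, now=None):
    """Write one JSON file per data type plus manifest.json with hashes."""
    os.makedirs(dest_dir, exist_ok=True)
    manifest = {"created": now if now is not None else time.time(), "files": {}}
    for data_type, records in records_by_type.items():
        body = json.dumps(records, sort_keys=True).encode()
        with open(os.path.join(dest_dir, f"{data_type}.json"), "wb") as fh:
            fh.write(body)
        manifest["files"][f"{data_type}.json"] = {
            "sha256": hashlib.sha256(body).hexdigest(), "count": len(records)}
    with open(os.path.join(dest_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh)
    return manifest


def verify_snapshot(dest_dir, max_age_s, now=None):
    """Return a list of problems; an empty list means every file checks out."""
    now = now if now is not None else time.time()
    with open(os.path.join(dest_dir, "manifest.json")) as fh:
        manifest = json.load(fh)
    problems = []
    if now - manifest["created"] > max_age_s:
        problems.append("stale")  # the backup job has stopped running
    for name, meta in manifest["files"].items():
        path = os.path.join(dest_dir, name)
        if not os.path.exists(path):
            problems.append(f"missing:{name}")
            continue
        with open(path, "rb") as fh:
            body = fh.read()
        if hashlib.sha256(body).hexdigest() != meta["sha256"]:
            problems.append(f"corrupt:{name}")
    return problems


if __name__ == "__main__":
    # Constructed sample records standing in for an API export.
    sample = {"issues": [{"id": 1, "title": "Login fails"}], "themes": []}
    with tempfile.TemporaryDirectory() as d:
        write_snapshot(sample, d)
        print(verify_snapshot(d, max_age_s=86400))
```

Keep the manifest, or at least a copy of its hashes, somewhere the backup storage credentials cannot modify, so tampering with both data and manifest is detectable.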

The state of SaaS data loss in 2023

SaaS data breaches, unfortunately, are a common occurrence. Moreover, these incidents are growing year by year, with the financial cost for affected businesses rising accordingly. You can face the threat by taking simple actions to improve your resilience:

  • Activate security protections such as MFA: This is an effective defense against many kinds of speculative and opportunist attacks, but it remains underused.
  • Centralize user and permissions management: Reduce the risk of oversight by selecting a single identity provider, then choosing SaaS solutions that integrate with it. Configuring permissions once helps prevent overprivileged tokens from being forgotten or leaked to an attacker.
  • More services mean a bigger attack surface: The threat you face grows each time you sign up for a new SaaS app. Setting clear criteria to follow when selecting providers can help you identify weaknesses early on and find an alternative solution. Requiring administrator approval to use a new application can help stop end users from performing work tasks with insecure consumer-grade platforms.
  • Back up your SaaS data and practice disaster recovery: Assume the worst will happen so you’re prepared for when it does. With most major enterprises having already experienced a data breach incident, sadly, it’s likely that you will, too. Integrating SaaS services into your disaster recovery plans will ensure you’re prepared if platforms go down or attackers hold data for ransom.

Try Rewind today to start protecting your mission-critical SaaS data. Recover quickly from mistakes, mitigate data loss risks, and complete restorations in minutes by setting up automated backups for the third-party platforms you depend on.


James Ciesielski
James is the co-founder and CTO of Rewind, the leading data backup and recovery provider for cloud and SaaS data. After completing a Bachelor of Math, Computer Science/Software Engineering at the University of Waterloo, James has over 20 years of experience building highly scalable software and services in the fields of telecommunications, media, and financial technology in both enterprise and start-up environments. An experienced technical leader, James has successfully overseen the development and launch of a variety of software products, including Rewind’s inaugural backup-as-a-service (BaaS) app, Rewind Backups for Shopify. In 2019, James was honoured as a member of the Ottawa 40 Under 40. When he isn’t in front of his computer, James can typically be found running after his kids, cooking with his wife, and volunteering to be in net for every pick-up hockey game he can find.