Weather Forecast: Cloudy with High Chances of SaaS Data Breaches

Sometimes a weather threat announces itself loudly and all at once: a tornado suddenly pops up and rips apart blocks of houses while residents are sleeping. Sometimes a weather pattern inflicts harm more quietly, such as rain creating sporadic flooding across a region. The injuries may be equal, but the tornado will likely get more news coverage due to its more visible effect.

So it is with cybersecurity risks. The massive attacks, such as the recent SolarWinds and Colonial Pipeline incidents, earn the headlines in the major news outlets. The smaller ones keep piling up until an underlying trend becomes evident. From our perspective, that’s what is starting to happen with the security risks posed by SaaS applications. As we have discussed in previous posts about the dangers of external sharing, sharing by employees and inadequate native SaaS security controls, among other threats, SaaS applications can leave organizations far more vulnerable than they realize. This group of recent news articles demonstrates what we mean -- and hint at the long-range forecast for SaaS application breaches.. 

Security Boulevard uncovers third-party data breaches

Third-party data breaches have become a trend of late, Security Boulevard notes. The article details how the increasing reliance on work handled by external collaborators has led to security lapses across industries around the globe. One of the more egregious: A case in Pennsylvania in which a company hired to help collect information about covid-19 relied on a Google spreadsheet to share information internally. Anyone with a link to the file could see confidential data that Pennsylvania residents supplied the contracting company – family names, phone numbers, dates of birth and covid test status. Another publication reported that even though the privacy violation was publicized in April 2021 and the contractor promised that the data had been secured, it was still visible in June 2021. Although the Security Boulevard article recommended limiting vendor access to data as a method of fighting third-party data breaches, such a solution doesn’t apply when the vendor is the one collecting the data to begin with, obviously. 

Small Business Trends says 1 in 4 former employees still have access to old work files 

 An article in Small Business Trends shared the results of a survey in which 1 in 4 respondents said they still have access to data at a former job. The publication noted the immense damage a former employee can cause, which also has been an issue in the news recently. Small Business Trends didn’t have a suggestion on shutting down such access, except to tighten up on password protocols and terminating former employee access to email accounts.

CurrentWare lists five of the worst examples of data theft by employees

Extending the topic beyond file access, CurrentWare named some of the most prominent cases in which employees have taken company information that was highly valuable. Most of these thefts occurred while the employees were on the job. The article went beyond the methods for stealing and listed motivations these employees might have. Those facing financial stress are likely to accept bribes from outsiders in exchange for the information or to gain favor with a competitor. Similarly, employees with poor track records or disgruntled employees may either become negligent or intentional in allowing others to gain access to restricted data. Of particular note: a 2020 case in which employees at Shopify stole customer information from nearly 200 of Shopify’s vendors – the type of data breach often made easier when companies share info through SaaS apps.

Cyberscoop reports how hackers used Slack to grab data from EA

 And as if to make the aforementioned point, Cyberscoop described a case in which Slack was the conduit of choice for hackers that wanted to exfiltrate data from the game company Electronic Arts (EA). A $10 cookie bought on the dark web gave the hackers the needed identity credentials to access EA’s Slack channel. They persuaded a company IT person to let them in, then swiped source code to resell. The Cyberscoop article recommended that IT departments ask for other forms of identity, such as a company email, before allowing admission. Of course, as security threats mount, relying on manual methods to check all would-be intruders is not a scalable solution.

High school students report vulnerability in New York public schools’ shared Google document

 As we wrote about earlier, two high school students in New York informed school officials of an open Google Doc that contained sensitive information. Authorities were lax to respond. But as we described, the lack of granularity in the SaaS applications’ native controls makes it hard to effectively allow access as needed. It tends to be an all-or-nothing proposition.

The dangers are evident, as is the solution

We think it’s clear – SaaS applications present a broad target for those with mischievous intent, as well as those who simply aren’t aware of how they’re exposing their organizations to potential security breaches. That was why we developed DoControl – a centralized method of viewing all an organization’s SaaS apps at once, monitoring the threats they pose, developing granular policies to prevent unwarranted data access and automating remediation to ensure continued security. We’d love to show you how – just schedule a demo to see the power that DoControl provides.