Originally published on IT Briefcase.
A quick Google search for “security breach” won’t just deliver news about the biggest scandal from the past few years. Instead, you’ll likely find one from just yesterday or last week. Following the digital transformation, data breaches are happening more often.
Well into the age of tech, many businesses are still in their infancy when it comes to digital transformation, in terms of SaaS adoption, processes, and precautions. The lack of user education and prolific shadow IT put companies, employees, and customers at risk.
Common SaaS Security Risks Facing Cloud-Forward Companies
Terms like “spam” and “virus” are well known in reference to the bugs and breaches of the early 2000s. But in the digital age, hackers go through the cloud to work their way into a company’s systems. Through session hijacking, phishing attacks, credential harvesting, and social masquerading, SaaS users are at risk.
Session Hijacking
Session hijacking lets an attacker take over a user’s account while the session is still active. The attacker tricks the user into authenticating to the service, then actively monitors application dashboards and the actions taken within the account. The hijacker can even kick the legitimate user out mid-session.
High-traffic websites and cloud-based applications that contain sensitive company and customer data pose the greatest risks to users. The first line of defense for IT leaders is discovery: identify which applications house sensitive data and who holds licenses to them.
Once all applications are discovered, minimize risk through Single Sign-On (SSO) and Multi-Factor Authentication (MFA) security. Additionally, the identified users should be trained to avoid accessing SaaS applications on open networks to reduce susceptibility to attacks.
Phishing Attacks
Phishing banks on human curiosity and human error. When employees click on malicious links or share sensitive information with seemingly reputable websites, they are victims of phishing attacks. In a company of thousands, ensuring no employee falls prey to phishing is difficult.
Education is key when protecting against email phishing attacks, but it is not foolproof. Since email is the most common source of phishing scams, file-sharing applications let employees download files or open links within a secured application rather than from email.
Cybercriminals will target enterprise app users with phony urgent requests to change passwords or make payments. To protect against these phishing attacks, which often result in credential harvesting, IT must first start with the discovery of all SaaS applications in the enterprise tech stack. Through discovery, IT will know which notifications are legitimate and which are phishing attacks.
Social Masquerading
Ever had a mysterious Facebook friend request from someone you Facebook friended years ago? The fake profile is attempting a social masquerading attack: cybercriminals pose as well-connected friends in order to gain access to victims’ account information.
One way to prevent social masquerading at work is to simply ban social media use in the office. However, in many lines of work, social media is now a necessary tool to connect with prospects and current customers.
While educating employees about social masquerading is important, disallowing social login protects the company from attacks. Once again, the most powerful defenses against cyber attacks are Single Sign-On (SSO) and Multi-Factor Authentication (MFA) security.
Build an Ironclad SaaS Security Strategy
The benefits of digital transformation and SaaS are many but increased SaaS adoption carries inherent risk. The success of hackers hinges on the ignorance and insecurity of enterprise tech and employees. Consequently, the first step to securing the enterprise is through the elimination of tech ignorance. To educate employees on SaaS best practices, launch a security-specific corporate learning strategy.
Secondly, IT must identify and analyze every application bought and used throughout the enterprise. Focus risk mitigation efforts on applications that contain customer, financial, and business data. While software housing PII or sensitive data holds inherent risk, not every application is created equal: rank and document the breach probability of each application.
Cyber attacks are increasing: today IT must prepare all applications and SaaS users enterprise-wide. An ironclad security strategy will include proper education of SaaS buyers and users, understanding of security implications of each application, and clear processes to mitigate risk.
ABOUT THE AUTHOR
Ben Pippenger
As Chief Strategy Officer, Ben is responsible for shaping and driving Zylo’s corporate strategy by monitoring and analyzing key market trends. As Zylo co-founder, he is passionate about the power of SaaS and helping organizations understand how they can manage, measure and maximize their investments for greater business impact. Ben is a self-proclaimed SaaS geek, with more than 20 years of B2B software experience, and a recognized SaaS and software management thought leader. Before founding Zylo, Ben held leadership roles in product and account management at Salesforce and ExactTarget.