SaaS security is now a major blind spot for enterprises
New research from AppOmni has highlighted a disparity between confidence levels and the amount of security incidents per organisation.
Published on 18th July 2025
The vast majority of organisations are confident about their SaaS security posture, despite the fact that most have suffered a breach or security incident in the past year.
That’s according to a new study from AppOmni, which found SaaS is one of the most actively targeted layers of the enterprise attack surface.
The study, which includes a poll of more than 800 security leaders and decision makers, warned that this domain is one of the least defended areas of modern business.
The growing risks faced by enterprises in this regard are mirrored by continued growth in the SaaS space, with businesses now using dozens – or even hundreds – of applications.
More than half of enterprises polled by the firm are using at least 50 SaaS solutions, for example, while more than a third have 100 or more.
Notably, three-quarters (75%) of organisations have fallen victim to a SaaS data breach or security incident in the last 12 months. Yet the study found 89% of those believed they had appropriate visibility of their SaaS environments.
Brendan O’Connor, CEO of AppOmni, said the study highlights a growing disconnect between the threats faced by enterprises and their ability to tackle the issue.
“The data shows a concerning ‘illusion of control,’ where the vast majority of security leaders feel confident in their SaaS security posture, even as a huge number of them are dealing with SaaS-related incidents,” O’Connor said.
“Today’s SaaS risks are not theoretical — they’re real, and they’re impacting businesses now.”
The big SaaS security talking points
Data security remains a big concern for enterprises, AppOmni found, with 57% of survey respondents citing data breaches and the potential loss of intellectual property as their main worry.
Meanwhile, just over a third (37%) expressed considerable apprehension about compromised customer data.
AI is also changing the dynamic for security teams, AppOmni warned, particularly with regard to governance. Nearly two-thirds (61%) of respondents said they expect AI to dominate SaaS security discussions in the coming year, for example.
Respondents added that there’s a growing appetite for more robust oversight of non-human identities and generative AI tool access within SaaS applications.
Tooling gaps also remain wide, with just 13% of respondents currently using a dedicated SaaS Security Posture Management (SSPM) solution, despite nearly one-third saying they need one.
Security hygiene and risk management on the agenda
A key talking point in the AppOmni centred around a continued lack of basic security hygiene. Nearly half (41%) of incidents stemmed from permission issues, for example, while 29% resulted from misconfigurations.
AppOmni said this shows there’s still much work to be done in terms of improving broader security awareness and best practices.
Elsewhere, risk management practices also require improvement, the study noted. Just over half (52%) of organisations only use periodic reviews to assess SaaS-related security risks.
This, the company added, is leaving critical gaps where misconfigurations and threats can persist undetected. Only 43% of enterprises have implemented continuous or near-real-time oversight.
Too much trust in providers
Complacency and overconfidence on SaaS security were among the most concerning aspects of the survey, according to AppOmni.
Just over half (53%) said they are confident about their stance on this front, but many are basing this on trust in SaaS vendors rather than internal validation.
Only 16% of respondents assign SaaS security solely to security teams, while 43% leave it to various business units.
“The key lesson for enterprises is that visibility alone is not security, and trust in SaaS vendors is not a strategy,” said O’Connor.
“We need a fundamental shift from ad hoc, reactive processes to a mature, disciplined approach built on continuous monitoring and clear ownership.”
Source
Image Credit
Chaiwut Sridara via Vecteezy
