The Evolution of Human Risk in the World of SaaS

Travis Good
November 7, 2022

The real risk of human actions has increased as more technology has moved to the cloud and more workflows have moved to SaaS (Slack, Google Workspace, Microsoft 365, Salesforce, Workday, etc.). We are just scratching the surface of the implications of these technical changes. Human risk today is driven by user decisions in SaaS apps and user behavior when faced with social engineering attacks, most commonly email phishing attacks.

The primary strategy to counter human risk today is security awareness training. But, security awareness training has not kept pace with shifting work in SaaS apps so security awareness training does not deliver on the promise of improved security or reduced human risk.

🦍 The Evolution of Technology

It’s helpful to walk through the technical evolution of the last 20 years. It really is crazily significant as it’s fundamental changed not just the technologies used but also the way work is done and, in many cases, fundamental business models, capital strategy, and unit economics. The timelines below are rough cuts. Some companies evolved their technology faster and some slower.

100% On Premise

🏛 20 years ago, companies stored all sensitive data onsite and managed 100% of the risk. Companies quite literally owned and operated all of their infrastructure. In this world, every layer of the technical stack, as well as the corresponding risk, was managed by the company.

Co-located (colo) Data Centers

👷‍♀️ 15 years ago, companies moved sensitive data into remote data centers, sharing the physical risk. Companies typically still managed all of the software components, including networking and operating systems.

Managed Cloud Services

☁️10 years ago, companies moved sensitive data to managed cloud services, sharing physical, network, and sometimes operating system risk. The large cloud providers, first AWS then Microsoft and Google, ushered in a new world of computing as they exposed various infrastructure services via software.

SaaS Applications

📱 Over the last 5 years, companies moved sensitive data to SaaS applications, sharing all of the infrastructure risk. SaaS vendors, quite literally, manage every aspect of the technology stack and deliver their applications over the web.

👩‍💻 Human Risk and SaaS

As technology has evolved to the cloud and to SaaS applications, the nature of how those technologies are deployed and configured has evolved in step. The cloud and, in particular SaaS, push configuration and administration down to managers and often users.

In the process, managers and sometimes users of SaaS applications gained the responsibility of configuring many of the security and privacy settings controlling access to sensitive data.

😳 The scale of the SaaS trend is massive. A recent report finds that:

  • companies have an average of 157,000 sensitive records exposed via SaaS apps;
  • 10% of SaaS records are exposed to all employees; and 
  • SaaS admins have 40 million unique permissions to set at each company.

While there are SaaS app management platforms, the challenge for companies is that you cannot automate away all of the things that your employees do in SaaS apps.

Companies have tons of sensitive data in SaaS apps and SaaS admins have control over millions of settings that affect the security of that data.

Here’s some simple advice for SaaS admins and uses:

👉Pay attention to SaaS app settings

👉Check defaults when you start using SaaS apps

👉Set configurations to be the least permissible possible

👉Periodically review SaaS app settings

👉Operate with a security mindset across all SaaS apps and workflows

🔒 Security Awareness and SaaS

Security awareness has not kept pace with SaaS. This is one of the primary reasons that trusted market research firms like Forrester are predicting disruption in the security awareness and training (SA&T) market in the coming years. When companies roll out security awareness training, it oftentimes misses SaaS completely.

The simplest approach companies can take to address the increasing human risk from SaaS app usage is to create their own content about SaaS app usage, risk, and security. The first step is the low hanging fruit of ensuring employees understand that there is a risk from using and configuring SaaS apps. This alone is a meaningful step.

For those companies looking for a platform built to address the growing issue of human risk in SaaS apps, Haekka was designed to connect security knowledge to employees in SaaS apps (where they work). Through simple, short, intelligent teachable moments delivered in the context of work, Haekka keeps security top of mind regardless of where and how employees are working.