Cloud Security Alliance issues SaaS AI-Risk for Mid-Market Organisations Survey Report

Mid-market organisations today are engaged in a unique balancing act: they are required to manage and defend a growing digital footprint, but lack the deep pockets and vast resources of their larger counterparts. To better help security teams at mid-sized companies remain resilient in an increasingly complex threat landscape, the Cloud Security Alliance (CSA), the world’s leading organisation dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, has released the SaaS and AI-Risk for Mid-Market Organisations survey report.

The survey, commissioned by Wing Security, a leader in SaaS security, takes a deep dive into the strategies mid-sized companies are using to protect their high-value assets — from navigating SaaS security gaps to tackling artificial intelligence (AI)-related risks — and highlights the real-world challenges and priorities these companies face when managing their risk.

“Mid-market organisations are making progress in recognising and addressing SaaS security risks, but significant gaps remain. To build a robust security posture, it’s essential to prioritize specialised technologies that enhance visibility, automate processes, and close key vulnerabilities. By aligning priorities across IT, security, and business units, these organisations can better safeguard their assets and confidently navigate the evolving SaaS landscape,” said Hillary Baron, Senior Technical Research Director, Cloud Security Alliance.

The report explores how mid-market organisations are addressing SaaS security risks, from managing misconfigurations and AI-driven threats to overcoming budgetary constraints and limited tooling, and highlights the gaps in their current strategies while providing actionable insights for improving their security posture. Among the survey’s key findings:

  • Security teams are struggling with a growing attack surface and tracking application use. Mid-market organisations are grappling with managing the large volume of SaaS applications, both sanctioned and unsanctioned, with actual numbers often exceeding expectations. Disconcertingly, less than half (44%) of organisations prioritize protecting all their sanctioned applications, and a mere 17% include unsanctioned ones in this priority. Given that limited visibility into these applications results in significant security gaps, specialized tools and automation are essential to securing this expanding digital footprint.

  • Prioritizing “crown jewels” while leaving gaps. Many companies are concentrating their configuration management efforts on their most critical applications (e.g., Google Workspace and IDP/IAM service). While prioritising these core systems is essential, broader SaaS environments should not be overlooked — a worrisome 28% of organisations plan to automate configuration management across all applications. To fully mitigate risks, organisations must expand automation and ensure comprehensive coverage across all applications, including those perceived as lower priority and application-to-application connections.

  • AI risks without a formal plan. AI-related risks, particularly to data and intellectual property, are a growing concern. Whereas 55% of organisations reported being moderately concerned and another 20% stated they were highly concerned, only 51% of organizations have dedicated security teams to address AI-specific risks. The absence of a unified strategy and clear accountability leaves organisations vulnerable to evolving threats and compliance challenges.

  • Reliance on manual processes and insufficient tooling. Smaller security teams often rely on manual processes (48%) and general-purpose tools like cloud access security brokers (CASB) (48%) — neither of which is sufficient for SaaS security needs. The good news is that many organisations are planning to adopt specialised solutions like SaaS Security Posture Management (SSPM) and Data Security Posture Management (DSPM) — 52% and 56%, respectively — to enhance visibility and address critical risks.

  • Growing SaaS security through current initiatives. Nearly 90% of organisations plan to expand IT budgets or enhance existing security initiatives — such as risk management, configuration management, and risk detection and response — to address SaaS security. Only 3% have a dedicated line-item budget specifically for SaaS security, yet relying on general IT/security budgets or reallocating funds from other projects can lead to reactive, patchwork investments that fail to fully address the unique risks SaaS applications pose. Dedicated funding and aligned priorities across teams remain critical for building an effective SaaS security strategy.

“Securing SaaS applications is a significant challenge for mid-sized companies, where limited resources meet an expanding attack surface. Yet, the importance of safeguarding these critical tools cannot be overstated. With the right strategies and technologies, mid-sized organisations can overcome these difficulties, ensuring the protection of sensitive data and maintaining business continuity in an increasingly SaaS-driven world,” said Galit Lubetsky Sharon, CEO, Wing Security.

Wing Security financed the project and co-developed the questionnaire with CSA research analysts. The survey was conducted online by CSA in October 2024 and received 406 responses from IT and security professionals from organizations of various sizes and locations. CSA’s research analysts performed the data analysis and interpretation for this report.

Download the full SaaS and AI-Risk for Mid-Market Organizations survey report.
