CommSec: Why SaaS security needs to be a top priority for IT leaders

CommSec

The risks posed by Software-as-a-Service (SaaS) are no longer just an IT issue—they are a board-level concern. So says CommSec in a recent blog. Recently, JPMorgan’s Chief Information Security Officer warned that SaaS adoption is weakening global finance by introducing systemic vulnerabilities. His warning underlines a reality many IT leaders already face: while SaaS enables agility and innovation, it also creates blind spots that attackers are quick to exploit.

“The modern ‘software as a service’ (SaaS) delivery model is quietly enabling cyber attackers and – as its adoption grows – is creating a substantial vulnerability that is weakening the global economic system.” – Patrick Opet, Chief Information Security Officer, JP Morgan.

The scale of the problem is significant. More than 70% of business applications are now SaaS-based, with platforms such as Microsoft 365 (M365) underpinning daily operations. Yet almost 80% of cloud security incidents are linked to SaaS misconfigurations. Attackers are also exploiting weaknesses in outdated patching strategies that do not align with the SaaS model.

For IT leaders, SaaS and cloud security are essential, not optional.

The SaaS Security Challenge

SaaS delivers scalability and cost efficiency, but its shared responsibility model leaves gaps. Vendors secure the core infrastructure, while customers must manage access, data sharing, and identity. Without careful oversight, these gaps create significant risks.

Key issues include:

  • Data exposure from poor sharing settings or misconfigured access.
  • Unauthorised access due to weak identity controls.
  • Compliance risks from data residency and regulatory requirements.

Shadow IT compounds the problem, with unsanctioned SaaS tools creating blind spots that attackers can exploit.

Why Traditional Approaches Fail

Legacy patch management does not map to SaaS. Customers cannot patch SaaS applications themselves, relying instead on vendor updates. This creates challenges:

  • Limited control, since IT cannot verify patches directly.
  • Delayed fixes if vendors release updates slowly.
  • Unresolved risks from unpatched integrations with older systems.

A recent article from Help Net Security highlighted how many organisations struggle because they apply on-premises thinking to cloud-first environments. Instead, security needs to shift toward monitoring, configuration, and identity governance.

“IT security is under greater scrutiny, yet SaaS security is often overlooked,” says Barry Rooney, CTO. “MFA and password hygiene are essential, but they only address part of the issue. APIs, in particular, can become critical entry points if misconfigured or poorly monitored, leaving organisations exposed.”
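As an added example (not code from CommSec's blog or from any vendor), the audit below runs over a constructed, simplified tenant configuration export covering the three customer-side gaps named above: sharing settings, identity controls, and API credentials. The JSON layout and field names are assumptions for the example, not a real SaaS platform's export format.

```python
from datetime import date

# Constructed sample: a simplified tenant configuration export. The layout and
# field names are assumptions for this example, not any vendor's real format.
TENANT = {
    "sharing_links": [
        {"id": "lnk-1", "scope": "anyone", "expires": None},
        {"id": "lnk-2", "scope": "organization", "expires": "2026-01-01"},
    ],
    "users": [
        {"name": "alice", "admin": True, "mfa": True},
        {"name": "svc-backup", "admin": True, "mfa": False},
        {"name": "bob", "admin": False, "mfa": False},
    ],
    "api_tokens": [
        {"id": "tok-1", "scopes": ["files.read"], "created": "2025-09-01"},
        {"id": "tok-2", "scopes": ["*"], "created": "2024-01-15"},
    ],
}

def audit_tenant(cfg, today, max_token_age_days=180):
    """Return (severity, finding) tuples for the gaps the shared-responsibility
    model leaves to the customer: data sharing, identity, and API access."""
    findings = []
    # Data exposure: links open to anyone, worst when they never expire.
    for link in cfg["sharing_links"]:
        if link["scope"] == "anyone":
            sev = "high" if link["expires"] is None else "medium"
            findings.append((sev, f"sharing link {link['id']} is open to anyone"))
    # Identity: accounts without MFA, worst when the account is privileged.
    for user in cfg["users"]:
        if not user["mfa"]:
            sev = "high" if user["admin"] else "medium"
            findings.append((sev, f"user {user['name']} has no MFA"))
    # APIs: wildcard scopes and long-lived credentials are common entry points.
    for tok in cfg["api_tokens"]:
        if "*" in tok["scopes"]:
            findings.append(("high", f"API token {tok['id']} has wildcard scope"))
        age = (today - date.fromisoformat(tok["created"])).days
        if age > max_token_age_days:
            findings.append(("medium", f"API token {tok['id']} is {age} days old"))
    return findings

def summarize(findings):
    """Count findings per severity so the result can feed a dashboard or ticket."""
    counts = {"high": 0, "medium": 0}
    for sev, _ in findings:
        counts[sev] += 1
    return counts

def audit_sample():
    """Run the audit over the constructed tenant as of a fixed date."""
    return audit_tenant(TENANT, date(2025, 10, 1))

if __name__ == "__main__":
    for sev, msg in audit_sample():
        print(f"[{sev}] {msg}")
```

The same three loops can be pointed at a real export once the field names are mapped, and the severity counts give a simple trend to review alongside vendor patch notices.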

To read the full blog on CommSec’s website, which explores more on this issue, click here
