A survey of 300 application and software development, IT and security leaders finds nearly half (45%) working for organizations that, in the past year, have experienced a cybersecurity incident involving a third-party software-as-a-service (SaaS) application.

Conducted by Enterprise Strategy Group (ESG) on behalf of Onymos, a provider of tools for building custom workflows, the survey identifies the most common cause of those incident to be malware attacks (46%), phishing (34%), insider threats (31%), web application attacks (31%) and distributed denial of service (DDoS) attacks (27%).

Onymos CEO Shiva Nathan said the survey makes it apparent that SaaS applications have become honeypots that are becoming increasingly targeted by cybercriminals attempting to either encrypt or steal data.

As a result, more organizations in the wake of a series of successful attacks against providers of SaaS applications are asking providers of these applications to allow them to store their data in a separate more secure repository, he added. Many SaaS application providers, for example, now make it possible to move data from their platform to, for example, an S3-based storage service that is managed by an internal IT team, said Nathan.

That shift is also being driven by data sovereignty requirements that are becoming more stringent, the need to aggregate data to train artificial intelligence (AI) models, and concerns about who else might be granted access to data to train AI models using data residing in a cloud service managed by a third party, he added.

Nearly all (91%) survey respondents said they believe retaining data within custom-built, internal applications is crucial.

Overall, more than three-quarters of respondents (78%) said they are concerned about security threats impacting applications built on top of SaaS application platforms, with security (72%) and data privacy (65%) identified as the most critical priorities.

In general, CIOs and CISOs are being tasked with recovering control over data stored in SaaS applications, many of which were adopted by business units at the height of the COVID-19 pandemic, noted Nathan. The challenge is much of that data may reside in shadow applications that were never officially sanctioned by the IT organization, so discovery of where all the data resides may be a challenge, he added.

Of course, cybercriminals are not especially concerned about whether a SaaS application has been sanctioned by an IT organization. They are simply trying to wreak as much havoc as possible in the hopes of increasing the size of a ransomware payment that might be made. In the case of a recent attack on CDK Global, however, automotive dealerships were unable to complete transactions until that provider of a SaaS application service reportedly came to terms with cybercriminals that had encrypted its data. Each organization will need to decide to what degree they are comfortable waiting for ransom negotiations conducted by third parties to conclude following the next potential successful attack.

One way or another, it’s clear organizations need to regain control over their data. The only issue that remains to be resolved is ensuring they can secure it better than the SaaS application provider that previously controlled it.