SaaS breaches are on the rise, and nearly half the corporate victims have more than 2,500 employees.

Those are among the sobering conclusions from a survey of security experts at 644 organizations in six countries — the U.S., UK, France, Germany, Japan and Australia — by AppOmni, which found a third of organizations suffered a SaaS data breach this year, up 5% from last year.

The State of SaaS Security 2024 Report outlines a confluence of security challenges: decentralization, inconsistent enforcement, and lack of clear responsibilities.

“SaaS security is still falling far short,” AppOmni Chief Marketing Officer Chandra Sekar said in an interview. “Managing it has become a problem of decentralization. Who’s using what, and which applications.”

“There is a general sense of confusion of where the responsibility lies,” Sekar said. “SaaS are living, breathing apps and configuration and policy systems happen.”

Because SaaS apps have become a system of record (most cloud app spending is on SaaS), and at the center of how business is conducted, they have also become prime targets of cybercriminals. Adding fuel to the security fire is that only 15% of organizations have security teams managing SaaS.

The cloud application services market (SaaS) generated more than $232 billion in end-user spending in 2024, easily the most in global public cloud services spending, according to market researcher Gartner.

Generative AI threatens to enflame the situation, according to 38% of respondents concerned about data and intellectual property risks related to genAI, the survey found.

“I’m surprised the number isn’t higher,” Sekar said. “Almost all AI apps are SaaS-based.”

While 90% say their organizations have policies allowing only sanctioned apps to be used, 34% say those policies are not enforced. What is more, only 27% are confident about the security levels of their sanctioned apps.

The alarms bell have been duly struck, but the issue remains amid understaffed and under-funded SaaS defenses. Only 32% of the survey’s respondents are confident in the security of their company’s or customers’ data stored in SaaS apps, compared with 42% last year.

Nonetheless, hope is seemingly on the way: 69% of respondents anticipate increased cybersecurity spending in the next 12 months.

And 29% expect return on investment on cybersecurity funding (quantifiable risk reduction) to become a key discussion point in the coming year.

“Our report last year highlighted the clear disconnect between security self-assessments and actual SaaS risks,” AppOmni Chief Executive Brendan O’Connor said. “Now, we find that despite greater awareness and effort, things are getting worse. The details behind those statistics are even worse — despite increased budgets and initiatives, organizations need to do a far better job of securing SaaS deployments.”