Written by Arye Zacks, Senior Technical Researcher, Adaptive Shield.
APAC security teams need more advanced tools to detect and prevent cyber attacks on SaaS applications
Nearly 70 percent of enterprises in APAC are prioritizing investment in SaaS security by establishing dedicated teams to secure SaaS applications, according to The Annual SaaS Security Survey: 2025 CISO Plans and Priorities by the Cloud Security Alliance (CSA).
More than half of enterprises in APAC also added headcount to their SaaS security programs in 2023, growth that is on par with other regions, the survey found.
In some areas of SaaS security, however, APAC is still catching up. Notably, survey respondents from the APAC region reported weaker SaaS security capabilities in areas such as threat detection, third-party connected apps risk mitigation, and SaaS security misconfiguration remediation.
The survey was commissioned by SaaS security leader Adaptive Shield. Global security professionals across industries shared their perspective on SaaS security successes and challenges as CISOs prepare to set priorities for 2025.
Regional findings appear to correspond with increasing challenges in cybersecurity in APAC, an increasing target of cyber attacks in 2023, including data breaches and ransomware. Australia saw a 23% spike in cyber attacks, Singapore recorded a 52.9% increase, and organizations in India reported 15% more cyber attacks.
Based on regional data collected in the survey, here are some insights into the state of SaaS security in the region as organizations plan cybersecurity programs for 2025.
Download the SaaS security survey report
SaaS Security is More Important Than Ever
The survey shows the growing importance of SaaS security to organizations, amid continuous double-digit growth in enterprise adoption of SaaS applications to manage business operations and drive growth. In APAC, organizations are prioritizing SaaS security, with 66% making it a high or moderate priority.
“In an era where SaaS platforms power a wide spectrum of industries, the threat of SaaS breaches looms larger than ever,” the CSA said in the survey report. “For years, SaaS security has been an afterthought. However, the landscape depicted in this year’s survey paints a dramatically different picture, one where SaaS security has surged to the forefront of corporate agendas,” the CSA added.
Investment in SaaS Security is Up
The emergence of SaaS-specific security roles was identified for the first time in the annual survey, with 68% of APAC respondents confirming they have dedicated teams.
In addition, 49% percent reported having a SaaS security team of at least two full-time staffers, while another 19% said they had one person dedicated to securing SaaS applications. This result is on par with NorthAmerica where 51% of respondents reported having a SaaS security team and 17% having one dedicated person.
“Dedicated SaaS security teams make sense in an enterprise context. The role of SaaS security is cross-functional, overlaying multiple areas that are rarely touched by just a single team. Due to the nature of SaaS, these teams are involved in identity security, risk management, endpoint security, and threat detection,” the CSA said in the report.
Additionally, in APAC, organizations increased SaaS security budget in 2023 compared with 2022, with 26% reporting they increased budget, slightly behind the Americas where 31% reported spending more on SaaS security last year.
Organizations are Still Learning How to Improve Their SaaS Security Capabilities
As cyberattack methods evolve to target identities in SaaS applications, strong identity protection capabilities are a key factor in ensuring SaaS security. Credential theft and unauthorized access pose significant risks in SaaS environments.
Asked if their organizations have a solution to manage identity-based SaaS threats, 53% of the APAC respondents confirmed they have this capability. This is lower than other parts of the world, as 58% of organizations in Europe and 66% in the Americas reported having these tools.
Further on the threat detection front, 43% of APAC respondents reported being able to detect abnormal activity using their current tools or methods, comparably weaker than 56% for the Americas, but similar to 42% for Europe. In the detection of MFA changes, the APAC gaps are wider across regions. In APAC, 46% report the capability to detect MFA changes in SaaS applications, compared with 58% in both the Americas and Europe.
In addition, 59% of APAC respondents reported being able to detect logins from different locations, a level on par with EMEA, but lower than the 67% of colleagues in the Americas.
As for SaaS application risk mitigation, only 32% of APAC respondents reported having a solution to manage third-party connected app risk, compared with 50% in the Americas and 36% in Europe. Regarding SaaS security misconfiguration remediation, 36% said they had a solution compared with 45% in the Americas and 36% in Europe.
Managing SaaS Security Challenges
While organizations have improved SaaS security oversight, 71% in APAC pointed to achieving visibility into business-critical apps and monitoring security risks from third party connected apps as their biggest challenges in managing SaaS applications.
“Critical business SaaS applications form the technical and operational infrastructure for today’s organizations. A breach doesn’t only result in SaaS data theft, but can disrupt business continuity, hurt a company’s reputation, lead to fraud, facilitate identity theft, and provide a threat actor with persistent access,” the CSA said.
According to APAC respondents, the most difficult apps to secure include business-critical apps such as Microsoft 365, Google Workspace, GitHub, Bitbucket, and Jira.
Additional challenges include fixing SaaS misconfigurations (62%); managing applications post-Mergers & Acquisitions (M&As) (62%), ensuring data governance and privacy (63%); and aligning SaaS application settings with compliance standards (61%).
SSPM Users Able to Better Handle SaaS Security Challenges
Companies that have adopted SaaS Security Posture Management (SSPM) are faring better than those using other tools, such as CASB and manual audits, to secure the SaaS stack, according to the report.
Those using SSPM are more than twice as likely to have full visibility into their SaaS stack — 62% of these organizations are able to oversee over 75% of their SaaS environment compared to those who utilize other tools and manual processes in their strategy (31%).
The survey reveals gaps in APAC compared with other regions in many areas, including threat detection, highlighting the importance for organizations to improve SaaS security capabilities using tools developed specifically for SaaS security.
