Insights
October 16, 2024

The hidden threat: how over 50% of your SaaS accounts are opening doors to attack

Inactive accounts are drastically increasing your attack surface. What can you do to stop this?

Introduction: the inactive account threat

In a recent analysis we conducted, we found that fewer than 50% of SaaS accounts had been logged into in the past 90 days. That leaves more than half of all accounts dormant but still enabled: working credentials, attached to permissions that nobody is using. On average this equates to over 20,000 unused accounts for a 1,000-person company, each one a potential entry point for an attacker.

Why is this such a problem? A dormant account is not merely idle; it is unguarded. Its owner is not around to notice an unexpected login, a password-reset email or a spurious MFA prompt, and the account keeps whatever permissions it was last granted. That makes dormant accounts low-hanging fruit for attackers with stolen credentials and for insiders who know the account is no longer watched. Every unused account is a door left open onto sensitive data or critical resources.

Did You Know?

Based on our customer survey data, when employees are asked whether they still need access to an app, they answer that they do not 60% of the time.

The problem: expanding SaaS attack surfaces

As businesses continue adopting more SaaS solutions, the attack surface, the set of points through which an attacker can reach your systems and data, keeps growing. Every user account is one of those points, and with the average employee holding 42 active accounts across various SaaS applications, keeping track of who has access to what becomes increasingly complex.

When accounts remain active despite being unused, they become an attractive target for bad actors. The larger your attack surface, the higher the risk of a security breach.

Beyond external threats, insider risk looms large too. Employees who retain access long after their role has changed, or after they have left the company, are a common source of unauthorised access to critical systems. Privilege creep, where employees accumulate access to resources they no longer need, compounds the problem: a role change rarely triggers the removal of old permissions. Without proper controls, dormant accounts remain a ticking time bomb, waiting to be exploited.

Did You Know?

80% of breaches involve the use of stolen credentials, often targeting unused or mismanaged accounts. (CrowdStrike 2023 Global Threat Report)

IAM to the rescue: managing access proactively

To protect your business from the risks posed by dormant accounts, it’s crucial to enforce access management best practices. Here’s how you can effectively tackle the problem with the right tools and strategies:

1. Automated access policies

Automated access policies set the groundwork for managing user permissions effectively. By establishing rules that deactivate accounts after a specified period of inactivity, you minimise the time a dormant account lingers in your environment. Deactivate rather than delete: a disabled account keeps its audit history and can be re-enabled if the owner turns out to need it.

📖 Example

If an account hasn’t been used in 90 days, it’s automatically deactivated until reviewed and re-enabled.

This simple but effective measure underpins least privilege access. It ensures that accounts are only active while they are needed, which shrinks your attack surface and takes old accounts off the table as targets.
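As an added example (not Ploy's code or data model), here is what the 90-day rule looks like as a policy you can run against an account inventory. The 90-day threshold comes from the article; the 14-day grace period for newly created accounts, the exemption flag for break-glass and service accounts, and the sample inventory are assumptions made for this example. Two edge cases that a naive "last login older than 90 days" query misses are handled: accounts that have never been logged into (so there is no last-login date to compare) and accounts that must never be auto-disabled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy parameters. The 90-day threshold is the one the article uses; the
# grace period and the exemption flag are assumptions for this example.
INACTIVITY_DAYS = 90
NEW_ACCOUNT_GRACE_DAYS = 14
NOW = datetime(2024, 10, 16, tzinfo=timezone.utc)


@dataclass
class Account:
    app: str
    user: str
    created: datetime
    last_login: Optional[datetime]  # None: the account has never been used
    exempt: bool = False            # break-glass / service accounts: reviewed by hand, never auto-disabled


def classify(acct: Account, now: datetime = NOW) -> str:
    """Bucket one account as active, dormant, never_used, grace or exempt."""
    if acct.exempt:
        return "exempt"
    if acct.last_login is None:
        # A never-used account has no last_login to compare against the cutoff,
        # so a plain "last_login < cutoff" filter would silently skip it.
        if acct.created > now - timedelta(days=NEW_ACCOUNT_GRACE_DAYS):
            return "grace"
        return "never_used"
    cutoff = now - timedelta(days=INACTIVITY_DAYS)
    return "active" if acct.last_login >= cutoff else "dormant"


def plan_deactivations(accounts, now: datetime = NOW):
    """Return (accounts the policy would disable, dormant share of in-scope accounts)."""
    buckets = {}
    for a in accounts:
        buckets.setdefault(classify(a, now), []).append(a)
    to_disable = buckets.get("dormant", []) + buckets.get("never_used", [])
    in_scope = [a for a in accounts if not a.exempt]
    share = len(to_disable) / len(in_scope) if in_scope else 0.0
    return to_disable, share


# Constructed sample inventory (not real data).
SAMPLE = [
    Account("github", "alice", NOW - timedelta(days=400), NOW - timedelta(days=3)),
    Account("jira", "alice", NOW - timedelta(days=400), NOW - timedelta(days=120)),
    Account("figma", "bob", NOW - timedelta(days=60), None),          # provisioned, never used
    Account("figma", "carol", NOW - timedelta(days=5), None),         # brand new, still in grace
    Account("aws", "breakglass", NOW - timedelta(days=700), NOW - timedelta(days=300), exempt=True),
    Account("slack", "dave", NOW - timedelta(days=400), NOW - timedelta(days=90)),  # exactly on the boundary
]

if __name__ == "__main__":
    disable, share = plan_deactivations(SAMPLE)
    for a in disable:
        print(f"disable {a.app}/{a.user} ({classify(a)})")
    print(f"dormant share of in-scope accounts: {share:.0%}")
```

The policy only produces a disable list; the "reviewed and re-enabled" step in the example above stays a human decision, and the exempt bucket is where break-glass accounts land so that they are reviewed rather than switched off by a scheduler.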

2. Just-in-time (JIT) access

JIT access further enhances security by ensuring users only have access to the resources they need, when they need them. This helps to minimise the attack surface and reduces the likelihood of dormant accounts forming.

By limiting how long access lasts, JIT enforces least privilege over time as well as scope: users never hold more permissions than the task in front of them requires, which matters most for high-risk resources such as production systems.

📖 Example

A software engineer can request temporary access to a production database for up to 1 hour. Once the hour has passed, access will be automatically revoked.
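Added example, not code from Ploy or the original page: a small broker for time-boxed grants like the one-hour production database access described above. The one-hour cap is the article's; the eligibility list, the no-self-approval rule, the audit log and the scenario are assumptions. The point to notice is that `has_access` checks the expiry at decision time, so access ends when the hour does even if the background revocation job runs late.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_TTL = timedelta(hours=1)  # the 1-hour cap from the article's example


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    approver: str
    granted_at: datetime
    expires_at: datetime


class JitBroker:
    """Hands out time-boxed grants. Authorisation is decided against the grant's
    expiry, not against whether a cleanup job has run yet."""

    def __init__(self, eligibility):
        # eligibility: {resource: set of users allowed to *request* it} (assumed model)
        self.eligibility = eligibility
        self.grants = {}  # (user, resource) -> Grant
        self.audit = []   # append-only event log: (event, user, resource, approver, at, until)

    def request(self, user, resource, ttl, approver, now):
        if user not in self.eligibility.get(resource, set()):
            raise PermissionError(f"{user} is not eligible to request {resource}")
        if approver == user:
            raise PermissionError("self-approval is not allowed")
        if not timedelta(0) < ttl <= MAX_TTL:
            raise ValueError(f"ttl must be positive and at most {MAX_TTL}")
        grant = Grant(user, resource, approver, now, now + ttl)
        self.grants[(user, resource)] = grant
        self.audit.append(("grant", user, resource, approver, now, grant.expires_at))
        return grant

    def has_access(self, user, resource, now):
        g = self.grants.get((user, resource))
        return g is not None and g.granted_at <= now < g.expires_at

    def revoke_expired(self, now):
        """Housekeeping: drop expired grants and return how many were removed."""
        expired = [k for k, g in self.grants.items() if now >= g.expires_at]
        for k in expired:
            g = self.grants.pop(k)
            self.audit.append(("revoke", g.user, g.resource, None, now, None))
        return len(expired)


# Constructed scenario: an engineer asks for an hour on the production database.
T0 = datetime(2024, 10, 16, 9, 0, tzinfo=timezone.utc)


def make_broker():
    return JitBroker({"prod-db": {"eng-alice", "eng-bob"}})


def request_outcome(broker, user, resource, ttl, approver, now):
    """'granted' or the name of the exception the broker raised."""
    try:
        broker.request(user, resource, ttl, approver, now)
        return "granted"
    except (PermissionError, ValueError) as e:
        return type(e).__name__


def demo():
    broker = make_broker()
    broker.request("eng-alice", "prod-db", timedelta(hours=1), "eng-lead", T0)
    during = broker.has_access("eng-alice", "prod-db", T0 + timedelta(minutes=30))
    after = broker.has_access("eng-alice", "prod-db", T0 + timedelta(minutes=61))
    revoked = broker.revoke_expired(T0 + timedelta(minutes=61))
    return during, after, revoked


if __name__ == "__main__":
    print(demo())  # access during the hour, none after it, one grant cleaned up
```

`revoke_expired` exists for tidiness and for the audit trail; it is never what actually ends the access.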

3. Access reviews

Regular access reviews ensure that a user's permissions still match their current responsibilities. By auditing access on a schedule, organisations can spot dormant accounts or over-provisioned permissions and fix them before they are abused. This again enforces least privilege, and it satisfies frameworks such as SOC 2 and ISO 27001, which expect access rights to be reviewed at regular intervals and the reviews to be evidenced.

Ploy can help automate the access review process, making it easy to track and manage in an era of distributed tool ownership.
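Added example, not Ploy's code: one access review pass that compares each user's actual entitlements with a baseline for their role, flags excess permissions, apps outside the role and leavers who still hold access, and groups the findings by the app owner who has to sign them off. The role baselines, app owners and user snapshot are constructed for the example.

```python
from collections import defaultdict

# Role baselines: the entitlements each role is expected to hold (assumed).
ROLE_BASELINES = {
    "engineer": {"github": {"write"}, "jira": {"user"}, "aws": {"developer"}},
    "finance": {"netsuite": {"user"}, "jira": {"user"}},
}

# Who signs off on each app's review (assumed owners; distributed tool ownership).
APP_OWNERS = {"github": "eng-lead", "aws": "platform-lead", "jira": "it", "netsuite": "cfo"}

# Constructed directory and entitlement snapshot (not real data).
# role=None means the HR record says the person has left.
USERS = {
    "alice": {
        "role": "engineer",
        "entitlements": {
            "github": {"write"},
            "jira": {"user"},
            "aws": {"developer", "admin"},   # admin was granted for an incident and never removed
            "netsuite": {"user"},            # left over from a previous finance role
        },
    },
    "bob": {"role": "finance", "entitlements": {"netsuite": {"user"}, "jira": {"user"}}},
    "carol": {"role": None, "entitlements": {"github": {"write"}}},  # leaver, still has access
}


def review(users, baselines, owners):
    """Compare actual entitlements to the role baseline. Returns
    {owner: [(user, app, finding, permissions)]} so each app owner gets
    only the decisions that are theirs to make."""
    findings = defaultdict(list)
    for user, rec in users.items():
        baseline = baselines.get(rec["role"], {})
        for app, perms in rec["entitlements"].items():
            owner = owners.get(app, "unowned")
            if rec["role"] is None:
                findings[owner].append((user, app, "leaver_retains_access", sorted(perms)))
                continue
            expected = baseline.get(app)
            if expected is None:
                findings[owner].append((user, app, "app_outside_role", sorted(perms)))
            elif perms - expected:
                findings[owner].append((user, app, "excess_permission", sorted(perms - expected)))
    return dict(findings)


def campaign_summary(findings):
    """How many decisions each owner has to make in this review cycle."""
    return {owner: len(items) for owner, items in findings.items()}


if __name__ == "__main__":
    result = review(USERS, ROLE_BASELINES, APP_OWNERS)
    for owner, items in result.items():
        print(f"== review items for {owner}")
        for user, app, finding, perms in items:
            print(f"  {user:6} {app:9} {finding:24} {perms}")
```

Owners who have nothing to decide (here, `it`) do not appear in the output at all, which keeps the campaign short enough that reviewers actually read it instead of approving everything in bulk.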

Top Tip

Download our comprehensive User Access Review Guide for more info on how to conduct effective UARs!

Conclusion: closing the door on inactive accounts

The fact that over 50% of SaaS accounts are inactive should be a wake-up call for any business using cloud services. Every inactive account is a potential entry point, and without proper controls your attack surface will continue to grow unchecked.

Fortunately, with automated IAM solutions in place, you can take back control. By shrinking the attack surface and enforcing least privilege access, you can ensure your business stays secure in an ever-expanding SaaS environment.

Ploy’s comprehensive access management solutions can help you manage and monitor these risks, keeping your organisation protected from both external and internal threats.

Seb Pace

Founder's Associate