The SaaS Tools Your Team Uses Are a Liability
The average small business uses 47 SaaS apps. Each one stores data, holds credentials, and connects to other services. Most have no security oversight. Here's why that's a problem you need to solve.
#How many SaaS tools does your business use? You don't know. That's the problem.
The average small business uses 47 SaaS applications. Slack, Zoom, Google Workspace, QuickBooks, HubSpot, Mailchimp, Calendly, Canva, Notion, Trello, DocuSign, Stripe. And about 35 others nobody in leadership approved or even knows about.
Each one:
- Stores some of your business data
- Has user accounts with passwords (probably reused)
- Connects to other services via OAuth tokens
- Has its own security posture that you don't control
- Can be breached independently, taking your data with it
When Vercel got breached through an AI tool, the attack chain started at a third-party SaaS that a Vercel employee used. When ShinyHunters stole a petabyte from Telus, it started with OAuth tokens from a chatbot integration. The entry point wasn't the target. It was a tool the target connected to.
Your SaaS stack is your supply chain. And most small businesses have zero visibility into it.
#Shadow IT is the norm, not the exception.
Shadow IT is when employees adopt tools without IT approval. It's not malicious. It's someone signing up for a project management tool because the one the company provides doesn't work for them. It's the marketing team using Canva with a personal account. It's a developer spinning up a database on Railway for a quick prototype.
Each of these creates an account with business data in a system nobody's monitoring. Nobody's patching it. Nobody's reviewing who has access. Nobody knows the data retention policy. Nobody will notice when it gets breached.
And when an employee leaves? Their personal Canva account with your brand assets, their Notion workspace with your strategy docs, their personal Google Drive with client files. All still out there. Not recoverable. Not deletable. Not yours.
#The OAuth web nobody's managing.
Every time someone clicks "Sign in with Google" or "Connect to Slack" on a third-party app, they create an OAuth grant. That grant gives the third-party app permission to access data in your Google or Slack account. Sometimes read-only. Sometimes read-write. Sometimes with scopes nobody read before clicking "Allow."
How many OAuth grants exist across your Google Workspace or Microsoft 365 right now? Check. Go to your admin panel, look at connected apps. You'll be surprised.
Each grant is a trust relationship. If the third-party app gets compromised, the attacker can use that OAuth grant to access your data without ever touching your systems directly. They don't need your password, and MFA doesn't stop them: MFA was satisfied once, when the user clicked "Allow," and the access and refresh tokens the app holds are bearer credentials that work until they expire or are revoked. The only things limiting what the attacker can do are the scopes that were granted, which is why read-write and "all files" scopes matter so much more than a read-only calendar scope.
The Telus breach cascaded through exactly this kind of OAuth chain. Chatbot token gave access to Salesforce. Salesforce contained GCP credentials. GCP gave access to everything.
#What to do about it.
1. Inventory your SaaS. Before you can secure it, you need to know what exists. Start with your finance team: what subscriptions are we paying for? Check credit card statements, expense reports, and procurement records. Then check your identity provider (Google Workspace or Microsoft 365 admin panel) for every OAuth grant and connected app.
Tools that help: Nudge Security discovers SaaS apps across your organization. Productiv does SaaS management and license optimization.
2. Establish an approved tools list. Not everything needs to be locked down, but your team should know which tools are approved for business use and which aren't. The approved list should include how data is handled, who manages the account, and what happens when someone leaves.
3. Revoke OAuth grants you don't recognize. In the Google Workspace admin console: Security > Access and data control > API controls > App access control, where you can see third-party apps, restrict or trust them, and block unreviewed apps from getting access to sensitive scopes. In Microsoft 365: the Microsoft Entra admin center (formerly Azure AD) > Enterprise applications, where each app's Permissions page shows the admin and user consents it holds, and Consent and permissions lets you limit what users can grant in future. Review what's connected. Remove what you don't use, and look hardest at grants with mail, file, and directory write scopes.
4. Enforce SSO where possible. When employees sign into SaaS tools through your identity provider (Google or Microsoft SSO), you maintain control. When they leave the company and you disable their account, their ability to sign in to every SSO-connected app is revoked automatically. Two caveats: "available" is not "enforced," so also disable local password login in each app where the vendor allows it, or the SSO path is just one of two doors; and disabling an IdP account does not kill sessions and tokens the app already issued, so for anything sensitive, deactivate the user inside the app (or use SCIM provisioning to do it for you) rather than relying on the next login failing.
5. Require MFA on every SaaS account, and prefer phishing-resistant methods (passkeys or security keys) over SMS codes where the tool supports them. If a tool doesn't support MFA at all, that's a reason to find an alternative. In 2026, any SaaS product without MFA support isn't taking security seriously.
6. Include SaaS in your offboarding checklist. When someone leaves, it's not just email and laptop. It's every SaaS tool they had access to. Every OAuth grant. Every shared login, which needs its password rotated, not just a name removed from a list. Every API key they created, which needs to be revoked or reissued to a service account. Miss one and you have an orphaned credential with active access to your data.
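The grant review from the OAuth section, and steps 3 and 6 above, come down to one triage: for each grant, is the user still here, is the app approved, and how dangerous are the scopes? Below is an added example of that triage, written for this article and not code from either admin console. It assumes a simplified CSV export (one row per grant, scopes space-separated) that merges Google and Microsoft grants; the real exports have different columns, and the sample rows, users, and client IDs are constructed for illustration.

```python
"""Triage an export of OAuth grants against the user directory and an approved-app list.

Assumed export format (constructed for this example, not the exact columns of the Google
Workspace or Microsoft Entra exports): user,app_name,client_id,scopes
"""
import csv
import io
from dataclasses import dataclass

# Scopes that let a token read or change data an attacker would want. These are real
# Google and Microsoft Graph scope strings, but the list is a starting point, not a standard.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",                              # full Gmail access
    "https://www.googleapis.com/auth/drive",                 # full Drive access
    "https://www.googleapis.com/auth/admin.directory.user",  # Workspace directory admin
    "Mail.ReadWrite",                                        # Graph: mailbox read/write
    "Files.ReadWrite.All",                                   # Graph: every file the user can reach
    "Directory.ReadWrite.All",                               # Graph: directory write
}
# offline_access (OIDC/Microsoft) means the app holds a refresh token, so it keeps access
# with nobody at the keyboard. Google exposes this differently, so only Microsoft rows match.
PERSISTENT_SCOPES = {"offline_access"}


@dataclass
class Finding:
    user: str
    app: str
    client_id: str
    reasons: list


def load_grants(csv_text):
    """Parse the assumed export; scopes become a set for easy intersection."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["scopes"] = set(row["scopes"].split())
        rows.append(row)
    return rows


def triage(grants, active_users, approved_client_ids):
    """Return one Finding per grant that needs a human decision, worst first."""
    findings = []
    for g in grants:
        reasons = []
        if g["user"] not in active_users:
            reasons.append("grant belongs to a user who is no longer active (orphaned)")
        if g["client_id"] not in approved_client_ids:
            reasons.append("app is not on the approved list")
        risky = sorted(g["scopes"] & HIGH_RISK_SCOPES)
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(risky))
        if g["scopes"] & PERSISTENT_SCOPES:
            reasons.append("holds a refresh token (offline_access)")
        if reasons:
            findings.append(Finding(g["user"], g["app_name"], g["client_id"], reasons))
    # Most reasons first: the orphaned, unapproved, full-mailbox grant goes to the top.
    findings.sort(key=lambda f: len(f.reasons), reverse=True)
    return findings


# Constructed sample: bob has left, and an unreviewed "AI assistant" still holds his mailbox.
SAMPLE_EXPORT = """user,app_name,client_id,scopes
alice@example.com,Calendly,calendly-client,https://www.googleapis.com/auth/calendar.readonly
bob@example.com,Acme AI Assistant,acme-ai-123,Mail.ReadWrite Files.ReadWrite.All offline_access
carol@example.com,Slack,slack-client,https://www.googleapis.com/auth/userinfo.email
bob@example.com,Zoom,zoom-client,https://www.googleapis.com/auth/calendar
"""
ACTIVE_USERS = {"alice@example.com", "carol@example.com"}        # from the IdP, not the app
APPROVED_CLIENT_IDS = {"calendly-client", "slack-client", "zoom-client"}


def run_example():
    return triage(load_grants(SAMPLE_EXPORT), ACTIVE_USERS, APPROVED_CLIENT_IDS)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.user}  {f.app} ({f.client_id})")
        for r in f.reasons:
            print(f"    - {r}")
```

The user list must come from your identity provider, not from the SaaS app itself, because the whole point is catching people the app still thinks are employees. Run it against the real export after every offboarding and treat anything with two or more reasons as a same-day revoke.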
#Further reading
- Nudge Security - SaaS discovery and security posture management
- OWASP: Insufficient OAuth Token Validation - the OAuth risk explained
- Google Workspace: Managing Connected Apps - audit and revoke OAuth grants
- Microsoft 365: Enterprise Application Permissions - same for Microsoft
- CIS Controls: Software Asset Inventory - the formal control for SaaS inventory