Insights

The SaaS Guest List Is Bigger Than It Looks

Kaseya's 2026 SaaS Security Report puts SaaS guest account risk, OAuth app access, MFA exceptions, and external file sharing back on the owner review list.

A business laptop showing a SaaS access review dashboard with guest users, app permissions, and external sharing indicators.

Kaseya released its 2026 SaaS Security Report on June 30, 2026, and the headline for business owners is not just another security statistic. The report says guest access, OAuth app connections, missing multi-factor authentication, and external file sharing are widening the SMB SaaS attack surface.

The company says its report analyzed more than 27.6 billion SaaS security events across more than 50,000 SMB environments, including 5,400 MSP partners and 6.2 million end-user accounts. One finding should get attention in any office that uses Microsoft 365, Google Workspace, CRM tools, accounting platforms, project-management apps, or shared file spaces: Kaseya says unmanaged guest accounts made up 69% of all monitored accounts.

That does not mean every guest account is bad. It does mean the guest list can quietly become larger than the licensed-user list. Former vendors, outside bookkeepers, temporary collaborators, consultants, client contacts, and old project partners can all remain attached to systems long after the reason for access has expired.

Why this matters beyond the security team

Most small and midsize businesses did not build one neat SaaS environment. They accumulated it. A file-sharing exception here, a trial app there, an outside user added during a deadline, a marketing tool connected through OAuth, and a few MFA exceptions for convenience can add up to a messy trust map.

That map matters because SaaS risk is often about permission rather than malware. If a third-party app still has access, a password reset may not remove the app. If a former collaborator still has guest access, a user-license review may miss that person. If files are shared outside the organization, the owner may not know which records are still reachable, by whom, and for what reason.

For a New Jersey business owner, school administrator, nonprofit leader, healthcare practice manager, or professional-services firm, the practical question is simple: who is responsible for proving that SaaS access still matches the business relationship?

The decision is an access review, not a panic buy

This is not a reason to buy every SaaS security tool that appears in an inbox. It is a reason to ask for evidence. A useful SMB SaaS security review should show where trust has been granted and whether that trust still makes sense.

Owners should expect a plain-language inventory that separates employees, guests, service accounts, and connected apps. The review should also identify MFA exceptions, externally shared files, stale accounts, and applications that can read or modify business data through OAuth permissions.

The point is not to lock down collaboration until work becomes impossible. The point is to keep collaboration from turning into a permanent hallway pass.

Questions to ask your IT provider or MSP

  • Which SaaS platforms are in scope? Include Microsoft 365, Google Workspace, CRM, accounting, HR, ticketing, file-sharing, and line-of-business tools.
  • How many guest accounts exist today? Ask for the list, not just a count, and require an owner for each external relationship.
  • Which accounts do not have MFA enforced? Separate true exceptions from accounts that were never brought under policy.
  • Which OAuth apps still have access? Identify who approved each app, what data it can reach, and whether it is still needed.
  • Which files or folders are shared outside the organization? Prioritize sensitive records, financial files, HR documents, client data, and school or patient information.
  • How often will cleanup happen? A one-time export is useful, but a recurring access review is what keeps the list honest.
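The inventory the review should produce, and the questions in the list above, as an added example that is not from the article or from Kaseya: a Python triage over a constructed SaaS export (the account and app rows, scope names, owners and dates are invented for illustration) that separates employees, guests, service accounts, connected apps and shares, then flags MFA exceptions, guests without an owner, stale guests and apps, apps with write permissions, and links open to anyone.

```python
from collections import Counter
from datetime import date

# Constructed sample export (illustrative; not data from any real tenant).
INVENTORY = [
    {"id": "ana@example.com", "type": "member", "mfa": True, "last_seen": "2026-06-20"},
    {"id": "bookkeeper@vendor.example", "type": "guest", "mfa": False, "last_seen": "2025-11-02", "owner": None},
    {"id": "client@partner.example", "type": "guest", "mfa": True, "last_seen": "2026-06-25", "owner": "ana@example.com"},
    {"id": "svc-backup", "type": "service", "mfa": False, "last_seen": "2026-06-29"},
    {"id": "Marketing Sync", "type": "oauth_app", "scopes": ["Files.ReadWrite.All"], "approved_by": None, "last_seen": "2026-01-10"},
    {"id": "Calendar Widget", "type": "oauth_app", "scopes": ["Calendars.Read"], "approved_by": "ana@example.com", "last_seen": "2026-06-28"},
    {"id": "Finance/Payroll-2025.xlsx", "type": "share", "audience": "anyone_with_link"},
    {"id": "Marketing/Newsletter.docx", "type": "share", "audience": "organization"},
]

def _days_since(stamp, as_of):
    return (as_of - date.fromisoformat(stamp)).days

def review_access(inventory, as_of, stale_days=90):
    """Sort an export into the categories an owner review should separate and
    list every item that needs a decision. Returns (counts_by_type, findings)."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    counts = Counter(row["type"] for row in inventory)  # employees / guests / service / apps / shares
    findings = []
    for row in inventory:
        kind, ident = row["type"], row["id"]
        stale = "last_seen" in row and _days_since(row["last_seen"], as_of) > stale_days
        if kind in ("member", "guest") and not row["mfa"]:
            findings.append(("mfa_exception", ident))        # true exception or never under policy
        if kind == "guest":
            if row.get("owner") is None:
                findings.append(("guest_without_owner", ident))  # nobody vouches for the relationship
            if stale:
                findings.append(("stale_guest", ident))
        elif kind == "oauth_app":
            if any("write" in s.lower() for s in row["scopes"]):
                findings.append(("app_can_modify_data", ident))  # survives a password reset
            if row.get("approved_by") is None:
                findings.append(("app_without_approver", ident))
            if stale:
                findings.append(("stale_app", ident))
        elif kind == "share" and row["audience"] == "anyone_with_link":
            findings.append(("external_share", ident))         # reachable outside the organization
    return counts, findings

if __name__ == "__main__":
    counts, findings = review_access(INVENTORY, "2026-06-30")
    print(dict(counts))
    for reason, ident in findings:
        print(f"{reason:22} {ident}")
```

Service accounts are counted but not flagged here; they belong on the same inventory so an owner can confirm each one still has a purpose.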

A practical next step

Ask for a 30-day SaaS access cleanup plan. It should name the systems to review, the person who will approve removals, the deadline for disabling stale access, and the report you will receive when the work is done.

That report does not need to be beautiful. It needs to be specific. Which guest users were removed? Which MFA exceptions remain and why? Which OAuth apps were revoked? Which external file links were cleaned up? Which items require an owner decision?

SaaS tools make it easy to invite people in. The business discipline is making sure the invitation still belongs on the books.

Sources and further reading

  1. kaseya.com

Ready to make better technical decisions?

Get senior technical judgment before your next move.

Use Tekmyster when you need senior technical judgment before making a bigger IT decision, granting vendor access, replacing infrastructure, buying a security tool, or continuing with temporary fixes.