New Research Shows 87% of Organizations Leave SaaS Apps Unprotected; 66% of Organizations Assume Vendors Will Save Them
Boston, Massachusetts, Sept. 30, 2025, a leader for modern data protection of on-prem, cloud, and SaaS and one of the fastest growing companies in the industry, today announced the findings of the newly released HYCU State of SaaS Resilience Report 2025, an independent global survey of 500 IT business decision-makers. It is clear from the findings that SaaS adoption and cyber incidents are growing while data resilience is far behind enterprise needs.
According to the newly released Report, 87% of companies surveyed have at least one critical SaaS application at risk due to inadequate protection, and 65% of companies experienced a SaaS-related breach in the prior year.
"The scale of disruption organizations are experiencing is both eye-opening and alarming," said Simon Taylor, Founder and CEO, HYCU. "Far too many remain unprotected, unaware of the risks until it's too late. This independent work underscores the urgency for change. As leaders, we all feel the pressure to move quickly and embrace SaaS as a foundation for agility. At HYCU, we're proud to have pioneered this space to help customers chart a safer course. SaaS applications are no longer optional. They are mission-critical, and they deserve the same level of resilience and rigor as any Tier 1 system."
SaaS: The New Blind Spot in Cyber Resilience
According to survey respondents, organizations now use an average of 139 SaaS applications, with many forward-thinking organizations deploying well over 200. The introduction of every new app creates new data, new permissions, and new vulnerabilities. As SaaS portfolios grow, so does the exposure.
The report reveals a schism between risk and risk management from IT:
- 65% of organizations were hit by a SaaS-related breach in the last 12 months with $405,770 as the average daily cost of SaaS downtime, adding up to $2.3 million over a 5-day recovery period.
- 87% admit they have at least one SaaS application at risk due to inadequate protection.
- Only 56% of SaaS applications are under the control of IT
- 43% of respondents admit no one truly owns SaaS data resilience.
"Most organizations assume their SaaS vendors have recovery covered. But in practice, it's a shared responsibility, and far too often, no one's owning it," Taylor said.
A Dangerous Misunderstanding of Responsibility
One of the most concerning takeaways: 66% of respondents believe their SaaS vendors are solely responsible for protecting their data, yet over half admit they lack confidence in the vendors' capabilities. For those who do understand that data resilience is their responsibility, we still see a tragically low number of organizations implementing SaaS data protection best practices with an admitted minority of organizations following basics like the 3-2-1 rule, The survey showed that of all respondents, only:
- 70% do not perform policy-driven backups for some apps
- 74% do not have offsite data retention
- 75% do not test resilience regularly
This leaves the vast majority underprepared when cyber threats hit, integrations break, minor disruptions or data is deleted, accidentally or maliciously.
"The idea that you can't lose data in SaaS is dangerously outdated," said Taylor. "We're not just talking about backup anymore. This is about business continuity. About recovery. About whether your business can function the day after a breach."
Enterprise Apps in the Crosshairs
Survey respondents highlighted mission critical applications like GitHub, Salesforce, Microsoft 365, Box, and Slack, platforms that are deeply integrated, broadly accessible, and often essential to daily operations. A disruptive cyber threat in just one can cascade across the entire organization.
The Path Forward: Recovery-First Resilience
As the report makes clear, resilience isn't about blocking every threat, it's about bouncing back fast when threats break through. That means:
- Knowing exactly how many SaaS applications are in use
- Automating backups with secure, offsite copies, separated from the SaaS provider
- Being able to recover with precision, from mistakes, threats, and even supply chain compromise
- The HYCU R-Cloud Platform (https://www.hycu.com/platform) is built to solve exactly this problem. With purpose-built protection for more than 90 workloads across SaaS and Cloud services, R-Cloud gives organizations the power to discover, protect, and recover all their SaaS data and keep data secure, sovereign, and only in their control.
"Resilience used to mean avoiding failure. Now it means recovering fast when failure is inevitable," Taylor added. "This report is a wake-up call. It's time to stop treating SaaS as someone else's problem. Because when the breach happens, it's your data on the line."
Download the full report: 2025 State of SaaS Resilience Report.
For more information on HYCU, visit www.hycu.com, follow us on X, connect with us on LinkedIn, Facebook, Instagram, BlueSky, and YouTube.?
###
About HYCU?
HYCU is the fastest-growing leader in the multi-cloud and SaaS data protection as a service industry. By bringing true SaaS-based data backup and recovery to on-premises, cloud-native, and SaaS IT environments, the company provides unrivaled data protection, migration, disaster recovery, and ransomware protection to thousands of companies worldwide. The company's award-winning R-Cloud platform eliminates complexity, risk, and the high cost of legacy-based solutions, providing data protection simplicity to make it the#1 SaaS Data Protection platform. With an industry leading NPS score of 91, HYCU has raised $140M in VC funding to date and is based in Boston, Mass. Learn more at?www.hycu.com.?
Media Contact:
Don Jennings
HYCU, Inc.
(617) 791-1710
don.jennings@hycu.com
Don Jennings HYCU, Inc. 617-791-1710 don.jennings@hycu.com
