Exposed cloud data a $28 million cyber risk for the average company
The average company with data in the cloud faces $28 million in data-breach risk, according to a new report from Varonis.
The Great SaaS Data Exposure examines the challenge CISOs face in protecting data across a growing portfolio of SaaS apps and services such as Microsoft 365.
The study highlights how hard-to-control collaboration, complex SaaS permissions, and risky misconfigurations — such as admin accounts without multi-factor authentication (MFA) — have left a dangerous amount of cloud data exposed to insider threats and cyberattacks.
For the report, researchers at Varonis analysed nearly 10 billion cloud objects (more than 15 petabytes of data) across a random sample of data risk assessments performed at more than 700 companies worldwide.
Key findings from the Varonis report include:
Companies face dangerous cloud data risks
In the average company, 157,000 sensitive records are exposed to everyone on the internet by SaaS sharing features, representing $28 million in data-breach risk.
Broad internal data exposure is a real problem
One out of every 10 records in the cloud is exposed to all employees — creating an impossibly large internal blast radius, which maximizes damage during a ransomware attack.
Missing MFA makes attackers' jobs easier
The average company has 4,468 user accounts without MFA enabled, making it easier for attackers to compromise internally exposed data.
Sitting-duck admin accounts leave companies vulnerable
Out of 33 super admin accounts in the average organisation, more than half did not have MFA enabled. This makes it easier for attackers to compromise these powerful accounts, steal more data, and create backdoors.
Untenable permission structures pose a big challenge
Companies have more than 40 million unique permissions across SaaS applications, creating a nightmare for IT and security teams responsible for managing and reducing cloud data risk.
"Cloud security shouldn't be taken for granted. When security teams lack critical visibility to manage and protect SaaS and IaaS apps and services, it's nearly impossible to ensure your data isn't walking out the door," says Brian Vecci, Field CTO, Varonis.
"This report is a true-to-life picture of over 700 real-world risk assessments of production SaaS environments," he says.
"The results underscore the urgent need for CISOs to uncover and remediate their cloud risk as quickly as possible."
Last month. Varonis announced new data discovery capabilities that uncover exposed secrets that unlock access to mission-critical resources. It is part of the company’s Data Classification Cloud solution.
According to Varonis, exposed secrets are increasingly responsible for devastating data breaches. With soaring cloud adoption and rapid app development, secrets can end up almost anywhere, exposing intellectual property, source code, and critical infrastructure.
Varonis can now accurately and automatically discover secrets where least expected, remediate exposure, and detect anomalous access behaviour.
It works by continually scanning source code files and other locations where an organisation's secrets can spread, including Windows, Microsoft 365, Box, AWS, Google Drive, Salesforce, and other leading apps and services. It scans for secrets in Varonis-supported on-prem and cloud data stores. It finds secrets stored in plain-text documents, source code files, scripts, and configuration files.