On average, every company that has cloud data is at financial risk of 28 million euros in the event of a data breach. This is the conclusion of the new SaaS data risk report from Varonis Systems. This examines the challenges CISOs face in protecting data in a growing portfolio of SaaS applications and services such as Microsoft 365, Box or Okta.
The report highlights how hard-to-control collaboration, complex SaaS permissions, and dangerous misconfigurations (like admin accounts without multi-factor authentication/MFA) leave a significant amount of cloud data vulnerable to insider threats and cyberattacks. For the report, Varonis security researchers analyzed nearly 10 billion cloud objects with a data volume of more than 15 petabytes as part of data risk assessments at more than 700 companies worldwide.
Findings of the SaaS Data Risk Report
- Open flanks: 81 percent of companies have exposed sensitive data in the cloud.
- Cloud data risk of concern: In an average organization, 157.000 sensitive records are accessible to anyone on the internet through SaaS sharing capabilities. This corresponds to a data security risk of 28 million euros.
- Broad internal data exposure: One in 10 data sets in the cloud is accessible to all employees. This creates an enormous internal radius that greatly increases the potential damage in a ransomware attack.
- Missing multi-factor authentication: An average of 4.468 user accounts without MFA enabled make it easier for attackers to compromise internally exposed data.
- Insufficiently protected administrator accounts: Of the 33 super admin accounts in an average organization, well over half do not have MFA enabled. By compromising these privileged accounts, attackers can steal data, set up backdoors, and wreak havoc on a massive scale.
- Opaque authorization structures: An average organization has over 40 million unique entitlements to SaaS applications. As a result, those responsible for security are hardly able to monitor cloud data risks and reduce them accordingly.
“Cloud security should not be taken for granted. Unless security leaders have the visibility to manage and protect SaaS and IaaS applications and services, it is difficult to ensure sensitive data is not being stolen,” said Michael Scheffler, Varonis Country Manager DACH. “Our report is based on 700 risk assessments of enterprise SaaS environments, providing a realistic picture of the current situation. The results underscore the urgent need for CISOs to uncover and remediate their cloud risks as quickly as possible.”
More at Varonis.com
About Varonis Since its founding in 2005, Varonis has taken a different approach than most IT security providers by placing company data stored both locally and in the cloud at the center of its security strategy: sensitive files and e-mails, confidential customer, patient and Employee data, financial data, strategy and product plans and other intellectual property. The Varonis data security platform (DSP) detects insider threats and cyber attacks through the analysis of data, account activities, telemetry and user behavior, prevents or limits data security breaches by locking sensitive, regulated and outdated data and maintains a secure state of the systems through efficient automation .,