SaaS Risk Report Reveals Exposed Cloud Data is a $28M Risk for Typical Company

The Great SaaS Data Exposure examines the challenge CISOs face in protecting data across a growing portfolio of SaaS apps and services such as Microsoft 365.
Rachel Hunt
2 min read
Last updated February 9, 2024

Some people love taking risks — swimming with great white sharks, climbing El Capitan without a rope, camping in grizzly bear territory with an open jar of peanut butter, and scariest of all, assuming your SaaS data is secure and protected in the cloud.

Get a Free Data Risk Assessment

Did that last one send a chill down your spine? Maybe it should. If your company is like most, there’s a good chance that even your most sensitive SaaS data is overexposed and under-protected from both insider threats and malicious actors.

While cloud data doesn’t involve grappling with nature or razor-sharp teeth, SaaS does represent a significant risk. Your cloud apps offer attackers a vast attack surface, and hackers seemingly discover new ways to trick your users into sharing sensitive information daily.

To highlight the most common and pervasive issues around SaaS data security, Varonis compiled The Great SaaS Data Exposure report. Our new research dives into cloud risk associated with some of the most popular SaaS apps and services, such as Microsoft 365, Okta, Box, and Salesforce.

Rather than relying on subjective surveys to gauge today’s cloud data risk, we rolled up our sleeves and analyzed a sample of more than 700 Data Risk Assessments to uncover companies’ actual exposure. Our analysts examined nearly 10 billion — yes, billion — files for the report.

Below are just a few key findings from our research:

  • Most companies are sitting on exposed data in the cloud. A whopping 81 percent of organizations had sensitive SaaS data exposed.
  • Companies face dangerous cloud data risks. In the average company, 157,000 sensitive records are exposed to everyone on the internet through SaaS sharing features, representing $28 million* in data-breach risk.
  • Broad internal data exposure is a real problem. One out of every 10 records in the cloud is exposed to all employees — creating an impossibly large internal blast radius, which maximizes damage during a ransomware attack. 
  • Missing MFA makes attackers' jobs easier. The average company has 4,468 user accounts without multi-factor authentication enabled, making it easier for attackers to compromise internally exposed data. 
  • Sitting-duck admin accounts leave companies vulnerable. Out of 33 super administrator accounts in the average organization, more than half did not have MFA enabled. This provides easier access to attackers, allowing them to compromise these accounts and steal data, create backdoors, and sow chaos. 
  • Untenable permission structures pose a big challenge. Companies have more than 40 million unique permissions across SaaS applications, creating a nightmare for IT and security teams responsible for managing and reducing cloud data risk.

Read the full report: The Great SaaS Data Exposure.

Most companies can’t easily see which SaaS data is at risk or how. Organizations rely on dozens or hundreds of cloud applications and services, with SaaS introducing new challenges with higher stakes — companies are just one misconfiguration away from sharing data with everyone on the internet.

👋 Want to see how your security posture stacks up? Request your own free Data Risk Assessment. We’ll give you a peek into your organization’s risk and provide you with actionable information to help you beef up your data security.

* IBM Security, Cost of a Data Breach Report, Page 5. The report found customer PII was the costliest record type, at $180 per lost or stolen record. We found the average company has 157,000 exposed records — and that adds up to $28 million in risk in the average company.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:


Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.


See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.


Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

2019 Data Risk Report Stats and Tips You Won’t Want to Miss
Our data risk report analyzed over 54 billion files across 30+ industries for the latest insights, stats and tips to improve your data security practices
The 2021 Financial Data Risk Report Reveals Every Employee Can Access Nearly 11 Million Files
Financial services organizations must safeguard tons of highly sensitive information, but data is often left exposed to far too many people. If just one employee clicks on a phishing email,...
It’s Here! The 2019 Global Data Risk Report Reveals Every Employee has Access to 17 Million Files
If you could take the temperature of data security risk at more than 700 enterprises around the globe, what would you find? Every year, Varonis gives the world a behind-the-scenes...
Watch: Varonis ReConnect! Empowering Data Owners to Keep Risk Low
How do you get the right people access to the data they need faster, and still free up IT to focus on other mission-critical work? Kilian and David walk through...