Varonis debuts trailblazing features for securing Salesforce. Learn More

Introducing Athena AI our new generative AI layer for the Varonis Data Security Platform.

Learn more

SaaS Risk Report Reveals Exposed Cloud Data is a $28M Risk for Typical Company

2 min read
Last updated June 12, 2023

Some people love taking risks — swimming with great white sharks, climbing El Capitan without a rope, camping in grizzly bear territory with an open jar of peanut butter, and scariest of all, assuming your SaaS data is secure and protected in the cloud.

Get a Free Data Risk Assessment

Did that last one send a chill down your spine? Maybe it should. If your company is like most, there’s a good chance that even your most sensitive SaaS data is overexposed and under-protected from both insider threats and malicious actors.

While cloud data doesn’t involve grappling with nature or razor-sharp teeth, SaaS does represent a significant risk. Your cloud apps offer attackers a vast attack surface, and hackers seemingly discover new ways to trick your users into sharing sensitive information daily.

To highlight the most common and pervasive issues around SaaS data security, Varonis compiled The Great SaaS Data Exposure report. Our new research dives into cloud risk associated with some of the most popular SaaS apps and services, such as Microsoft 365, Okta, Box, and Salesforce.

Rather than relying on subjective surveys to gauge today’s cloud data risk, we rolled up our sleeves and analyzed a sample of more than 700 Data Risk Assessments to uncover companies’ actual exposure. Our analysts examined nearly 10 billion — yes, billion — files for the report.

Below are just a few key findings from our research:

  • Most companies are sitting on exposed data in the cloud. A whopping 81 percent of organizations had sensitive SaaS data exposed.
  • Companies face dangerous cloud data risks. In the average company, 157,000 sensitive records are exposed to everyone on the internet through SaaS sharing features, representing $28 million* in data-breach risk.
  • Broad internal data exposure is a real problem. One out of every 10 records in the cloud is exposed to all employees — creating an impossibly large internal blast radius, which maximizes damage during a ransomware attack. 
  • Missing MFA makes attackers' jobs easier. The average company has 4,468 user accounts without multi-factor authentication enabled, making it easier for attackers to compromise internally exposed data. 
  • Sitting-duck admin accounts leave companies vulnerable. Out of 33 super administrator accounts in the average organization, more than half did not have MFA enabled. This provides easier access to attackers, allowing them to compromise these accounts and steal data, create backdoors, and sow chaos. 
  • Untenable permission structures pose a big challenge. Companies have more than 40 million unique permissions across SaaS applications, creating a nightmare for IT and security teams responsible for managing and reducing cloud data risk.

Read the full report: The Great SaaS Data Exposure.

Most companies can’t easily see which SaaS data is at risk or how. Organizations rely on dozens or hundreds of cloud applications and services, with SaaS introducing new challenges with higher stakes — companies are just one misconfiguration away from sharing data with everyone on the internet.

👋 Want to see how your security posture stacks up? Request your own free Data Risk Assessment. We’ll give you a peek into your organization’s risk and provide you with actionable information to help you beef up your data security.

* IBM Security, Cost of a Data Breach Report, Page 5. The report found customer PII was the costliest record type, at $180 per lost or stolen record. We found the average company has 157,000 exposed records — and that adds up to $28 million in risk in the average company.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Try Varonis free.
Get a detailed data risk report based on your company’s data.
Deploys in minutes.
Keep reading
Varonis Named a Leader in The Forrester Wave™: Data Security Platforms, Q1 2023
Varonis Named a Leader in the Forrester Wave™: Data Security Platforms, Q1 2023, receiving the highest score in the strategy category.
Introducing Least Privilege Automation for Microsoft 365, Windows, Google Drive, and Box
Varonis announces least privilege automation for Microsoft 365, Google Drive, and Box.
SaaS Risk Report Reveals Exposed Cloud Data is a $28M Risk for Typical Company
The Great SaaS Data Exposure examines the challenge CISOs face in protecting data across a growing portfolio of SaaS apps and services such as Microsoft 365.
Spoofing SaaS Vanity URLs for Social Engineering Attacks
SaaS vanity URLs can be spoofed and used for phishing campaigns and other attacks. In this article, we’ll showcase two Box link types, two Zoom link types, and two Google Docs link type that we were able to spoof.