SaaS Risk Report Reveals Exposed Cloud Data is a $28M Risk for Typical Company

Some people love taking risks — swimming with great white sharks, climbing El Capitan without a rope, camping in grizzly bear territory with an open jar of peanut butter, and scariest of all, assuming your SaaS data is secure and protected in the cloud.

Did that last one send a chill down your spine? Maybe it should. If your company is like most, there’s a good chance that even your most sensitive SaaS data is overexposed and under-protected from both insider threats and malicious actors.

While cloud data doesn’t involve grappling with nature or razor-sharp teeth, SaaS does represent a significant risk. Your cloud apps offer attackers a vast attack surface, and hackers seemingly discover new ways to trick your users into sharing sensitive information daily.

To highlight the most common and pervasive issues around SaaS data security, Varonis compiled The Great SaaS Data Exposure report. Our new research dives into cloud risk associated with some of the most popular SaaS apps and services, such as Microsoft 365, Okta, Box, and Salesforce.

Rather than relying on subjective surveys to gauge today’s cloud data risk, we rolled up our sleeves and analyzed a sample of more than 700 Data Risk Assessments to uncover companies’ actual exposure. Our analysts examined nearly 10 billion — yes, billion — files for the report.

Below are just a few key findings from our research:

• Most companies are sitting on exposed data in the cloud. A whopping 81 percent of organizations had sensitive SaaS data exposed.
• Companies face dangerous cloud data risks. In the average company, 157,000 sensitive records are exposed to everyone on the internet through SaaS sharing features, representing $28 million* in data-breach risk.

• Broad internal data exposure is a real problem. One out of every 10 records in the cloud is exposed to all employees — creating an impossibly large internal blast radius, which maximizes damage during a ransomware attack. 

• Missing MFA makes attackers' jobs easier. The average company has 4,468 user accounts without multi-factor authentication enabled, making it easier for attackers to compromise internally exposed data. 
• Sitting-duck admin accounts leave companies vulnerable. Out of 33 super administrator accounts in the average organization, more than half did not have MFA enabled. This provides easier access to attackers, allowing them to compromise these accounts and steal data, create backdoors, and sow chaos. 

• Untenable permission structures pose a big challenge. Companies have more than 40 million unique permissions across SaaS applications, creating a nightmare for IT and security teams responsible for managing and reducing cloud data risk.

Read the full report: The Great SaaS Data Exposure.

Most companies can’t easily see which SaaS data is at risk or how. Organizations rely on dozens or hundreds of cloud applications and services, with SaaS introducing new challenges with higher stakes — companies are just one misconfiguration away from sharing data with everyone on the internet.

👋 Want to see how your security posture stacks up? Request your own free Data Risk Assessment. We’ll give you a peek into your organization’s risk and provide you with actionable information to help you beef up your data security.

* IBM Security, Cost of a Data Breach Report, Page 5. The report found customer PII was the costliest record type, at $180 per lost or stolen record. We found the average company has 157,000 exposed records — and that adds up to $28 million in risk in the average company.