Average total annual financial loss for companies from compromised cloud accounts is more than $500,000, according to new research.  (Sean Gallup/Getty Images)

Average total annual financial loss for companies from compromised cloud accounts is more than $500,000, according to new research. 

The findings came from a survey of 600 IT and security professionals in the U.S. jointly produced by Proofpoint and the Ponemon Institute.

The report also noted that 68% of respondents believe cloud account takeovers present a significant security risk to their organizations – and more than 50% indicated that the frequency and severity of cloud account compromises increased over the past year.

“This research illustrates that leaving SaaS security in the hands of end-users or lines-of-business can be quite costly,” said Larry Ponemon, chairman and founder of Ponemon Institute. “Cloud account compromises and sensitive information loss can also disrupt business and damage brand reputation.”

Survey respondents also reported 64 cloud account compromises per year on average, with 30% exposing sensitive data. Another 50% or more say phishing has become the most frequent method attackers use to acquire legitimate cloud credentials, while 75% say the use of cloud apps and services as shadow IT, which was not properly vetted, is a serious security risk.

Even as proper security monitoring and controls on cloud services increases in importance, security teams aren’t immune from the transition that took place during the pandemic, said Tim Bach, vice president of engineering at AppOmni. Bach said security teams – like the rest of the business – are adjusting to remote operations as well, which can itself necessitate new or newly expanded cloud services.

Bach said most security teams are well suited for this, having relied upon similar capabilities to distribute operations teams in different geographies for a “follow-the-sun, always-on” model. But now they are shifting to an even more distributed approach.

“The core security challenges of a move to the cloud are the same for security teams as they are for the businesses they are securing,” Bach said. “More data and workloads in the cloud means additional systems with sensitive data to secure. Most notably, over the past 12-18 months, we’ve continued to see danger in the proliferation of third-party cloud-to-cloud connections and over-provisioned users and applications.” 

Businesses always need to be scoping the attack surface, said Marc Woolward, chief technology officer and chief information security officer at vArmour. Failure to understand inventory and interrelationships of applications and users across all the environments will undermine any sort of security architecture, he added, while recognizing those dependencies automatically — including when they change — goes a long way to address the speed of cloud adoption and risks of shadow IT.

“Breach notification and transparency is likely to become much more important, as evidenced by the recent executive order on cybersecurity,” Woolward said.  “Reputational impact is difficult to quantify, but the reputational cost in this case likely far exceeds the $500,000 cited in this report.”