Large cloud service providers reduced their high-level risk exposure over the last two years, while smaller CSPs saw their vulnerability increase, according to a study by Coalfire.

The fourth annual Penetration Risk Report, released on Wednesday by Coalfire, found that over the last two years large cloud service providers (CSPs) reduced their high-level risk exposure by more than one-third.

In contrast, Coalfire found that smaller cloud companies saw a 15% increase in the number of vulnerabilities, primarily because of persistent misconfigurations and out-of-date software.

“CSPs operate in an industry that acutely depends on strong cybersecurity posture,” said Jason Rowland, vice president of penetration testing and cloud services at Coalfire. “As CSPs build the enterprise digital backbone with prioritized risk management, we're seeing significant cyber improvements across not just the tech industry, but the overall economy.”

Coalfire’s findings show that large CSPs have more high risks than midsize and small CSPs, said Davis McCarthy, principal security researcher at Valtix. However, McCarthy said Coalfire's data showed that high risks are trending down for large CSPs, moving from 72% in 2021 to 55% in 2022, while high risks for small CSPs rose from 22% in 2021 to 37% in 2022.

“Often, large CSPs have more complex tools and services, leading to bigger teams with an increased variability in the technical skill sets needed to support the product,” McCarthy said. “With small CSPs, a lack of funds to grow the team or the inability to attract industry talent leads to a small team of highly skilled workers supporting a product capable of growing rapidly. In both scenarios, small CSPs are slow to address security challenges because of team size, while large CSPs are slow to address security challenges because of their large attack surface.”