Visitors crowd the cloud computing services presentation at a technology trade fair. (Photo by Sean Gallup/Getty Images)

Sophos on Tuesday reported that among Infrastructure-as-a-Service (IaaS) users at small- and medium-sized businesses (SMBs), 56% experienced an increase in the volume of attacks on their organization when compared with last year — and 67% were hit by ransomware.

For many of these SMBs, a lack of visibility into their infrastructure, unpatched vulnerabilities, and resource misconfigurations make them susceptible to a variety of attacks, including ransomware.

The study found only 37% track and detect resource misconfigurations and only 43% routinely scan IaaS resources for software vulnerabilities. Some 65% of cloud users reported not having visibility of all resources and their configurations — and only 33% say their organization has the resources to continuously detect, investigate and remove threats in their IaaS infrastructure.

“Unpatched vulnerabilities and misconfigured resources are both preventable mistakes and avoidable risks that make life easier for attackers,” said John Shier, senior security advisor at Sophos. “Most attackers are not unstoppable criminal masterminds, but rather opportunistic cyberthugs looking for an easy payday.” 

The findings in the latest Sophos report underscore the potential dark side of cloud adoption on SMBs, said Dan Benjamin, co-founder and CEO at Dig Security. Benjamin said shifting to the cloud creates exponential growth in both the number and variety of data stores a typical organization owns.

“With this complexity, organizations can lose track of what data they own, how it's being used and how to protect it,” said Benjamin. “Complexity, the lack of visibility into IaaS resources, IT workforce gaps, and the growing volume and voracity of attacks have created a perfect storm that leaves many SMBs exposed. Additionally, attackers are targeting cloud infrastructure as it has a similar programmatic interface that allows attacking masses of organizations quickly and effectively. Finding a single way in to an organization's cloud allows for data exfiltration at mass scale, often due to a misconfiguration or some level of human error.”

Kevin Hanes, chief executive officer at Cybrary, said IaaS represents a tectonic shift in the organizational threatscape. Unfortunately, Hanes said too many SMBs operate with limited headcounts and outdated playbooks that disregard the vulnerabilities that IaaS presents, and outdated priorities that view security team training as a one-and-done intermittent exercise.

“Organizations must prioritize finding and closing both the vulnerabilities and team skills gaps that IaaS surfaces,” Hanes said. “The commitment to proactively upskilling teams at scale is essential to securing data and resources, protecting the organization’s compliance posture and reputation, and retaining cybersecurity talent.”

Clearly, this Sophos report offers additional evidence that ransomware has become the No. 1 threat to SMBs today, and at the same time, ransomware is the risk factor most easy to mitigate, said John Gunn, chief executive officer at Token.

“SMBs have a significantly stronger security posture with the resources of a major IaaS than what they could do on their own, but they still need to take additional measures such as protecting access with the strongest methods of MFA,” Gunn said. “It’s a fallacy that all MFA is created equal and failures in MFA are the leading cause of data breaches and losses to ransomware.”