
The average company with data in the cloud has 157,000 sensitive records exposed to everyone on the internet through the sharing features of SaaS apps, representing $28 million in data-breach risk, according to a new report released Tuesday by Varonis.

The study, titled "The Great SaaS Data Exposure," examines the challenges CISOs face in securing platforms such as Microsoft 365, Box, and Okta. It also found that 81% of organizations had sensitive data exposed in the cloud.

Other findings: one out of every 10 records in the cloud is exposed to all employees, creating an impossibly large internal blast radius that maximizes the damage during a ransomware attack. And the average company has 4,468 user accounts without MFA enabled, making it easier for attackers to compromise internally exposed data.

“Cloud security shouldn't be taken for granted,” said Brian Vecci, Field CTO at Varonis. “When security teams lack critical visibility to manage and protect SaaS [software-as-a-service] and IaaS [infrastructure-as-a-service] apps and services, it's nearly impossible to ensure your data isn't walking out the door.”

Matt Mullins, senior security researcher at Cybrary, said cloud technology offers great cost savings and security improvements if it’s implemented correctly. However, Mullins said the problem lies in the fact that the vast majority of IT teams, including security teams, simply have no idea how to actually secure the cloud.

“In addition, there’s a constant pressure to understand the evolving and changing cloud services that are enabled or can be enabled based on roles,” Mullins said. “When you look at the majority of cloud breaches they fall into two categories: web application vulnerabilities that have overly permissive setups for the system running the application, or flat-out exposed data to the greater untrusted web. We have seen the rise of web application attacks like server-side request forgeries (SSRFs) as a serious concern because of the ability to view things like metadata.”
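The SSRF-to-metadata path Mullins describes is worth seeing in code. The following is an added example, not code from the Varonis report or from any of the vendors quoted here. It contrasts an SSRF-prone server-side URL fetcher, which connects to whatever host a user supplies, with a hardened version that resolves the host first and refuses any address that is not globally routable. The hostnames in FAKE_DNS and the sample URLs are constructed for the example; 169.254.169.254 is the well-known link-local instance-metadata address on the major clouds, and fd00:ec2::254 is the AWS IPv6 metadata address.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Well-known instance-metadata endpoints (IPv4 link-local; AWS IPv6).
METADATA_ADDRESSES = {"169.254.169.254", "fd00:ec2::254"}


class SSRFBlocked(ValueError):
    """Raised when a fetch would reach an address the server must not contact."""


def vulnerable_fetch_target(url: str) -> Tuple[str, int]:
    """SSRF-prone: trusts the user-supplied host as-is. Given
    http://169.254.169.254/latest/meta-data/ it would connect straight to the
    metadata service and return instance credentials to the caller."""
    parsed = urlparse(url)
    return parsed.hostname, parsed.port or (443 if parsed.scheme == "https" else 80)


def system_resolver(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer for host, via the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_address(ip_str: str) -> bool:
    """True only for globally routable addresses that are not a metadata endpoint."""
    ip = ipaddress.ip_address(ip_str)
    # ::ffff:169.254.169.254 is the metadata address in an IPv6 wrapper; unwrap it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if str(ip) in METADATA_ADDRESSES:
        return False
    # "Not global" covers loopback, link-local (169.254/16, fe80::/10), RFC 1918,
    # unique-local (fd00::/8), CGNAT, multicast and the unspecified address.
    return ip.is_global


def hardened_fetch_target(url: str,
                          resolver: Callable[[str], List[str]] = system_resolver) -> Tuple[str, int]:
    """Validate a user-supplied URL; return the (ip, port) the server may connect to."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise SSRFBlocked("URL has no host")
    try:
        addresses = resolver(host)
    except socket.gaierror as exc:
        raise SSRFBlocked(f"cannot resolve {host!r}") from exc
    if not addresses:
        raise SSRFBlocked(f"no addresses for {host!r}")
    # Check every answer: a name with one public and one internal record is a
    # classic bypass, and decimal spellings such as 2852039166 arrive here as a
    # dotted quad because the resolver canonicalises them.
    for addr in addresses:
        if not is_safe_address(addr):
            raise SSRFBlocked(f"{host!r} resolves to blocked address {addr}")
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    # Connect to the validated IP rather than the hostname, so a DNS answer that
    # changes between check and connect (rebinding) cannot swap in the metadata
    # address; any redirect must be re-validated the same way, not followed blindly.
    return addresses[0], port


# Constructed DNS data standing in for real lookups so the example runs offline.
FAKE_DNS: Dict[str, List[str]] = {
    "good.example": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],        # alias pointing at IMDS
    "mapped.example": ["::ffff:169.254.169.254"],    # IPv4-mapped IPv6 bypass attempt
    "aws6.example": ["fd00:ec2::254"],               # AWS IMDS over IPv6
    "split.example": ["93.184.216.34", "10.0.0.5"],  # public + internal answer
}


def fake_resolver(host: str) -> List[str]:
    """Offline stand-in for system_resolver; literal IPs resolve to themselves."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        if host not in FAKE_DNS:
            raise socket.gaierror(f"constructed NXDOMAIN for {host!r}")
        return FAKE_DNS[host]


SAMPLE_URLS = [
    "https://good.example/report",
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "http://metadata.internal/",
    "http://mapped.example/",
    "http://aws6.example/",
    "http://split.example/",
    "http://[::1]:8080/admin",
    "file:///etc/passwd",
]


def demo() -> Dict[str, object]:
    """Run the hardened fetcher over SAMPLE_URLS: {url: (ip, port) or 'blocked: ...'}."""
    results: Dict[str, object] = {}
    for url in SAMPLE_URLS:
        try:
            results[url] = hardened_fetch_target(url, fake_resolver)
        except SSRFBlocked as exc:
            results[url] = f"blocked: {exc}"
    return results


if __name__ == "__main__":
    print("vulnerable fetcher would connect to:", vulnerable_fetch_target(SAMPLE_URLS[1]))
    for url, result in demo().items():
        print(f"{url:<70} {result}")
```

Only the first sample URL gets through the hardened fetcher; every other one is refused before a connection is opened. The address check alone is not a complete defense: on AWS, enforcing IMDSv2 (which requires a PUT-obtained session token that a simple SSRF cannot supply) and giving the instance role only the permissions it needs both limit what a successful SSRF can reach, which is the "overly permissive setups" half of Mullins' point.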

Corey O’Connor, director of products at DoControl, said that for organizations to scale security in line with SaaS adoption and utilization, they need to first gain visibility into their SaaS estate. O’Connor said this means accounting for every user, group, domain, third-party app, asset, and event so that security teams can monitor and control activity.

“Security automation is so critical in this landscape to protect the business without slowing down users,” O’Connor said. “It also needs to be centralized given the wide range of disparate applications that exist. Implementing granular data access controls that are powered by any SaaS event that presents risk to the business is one foundational way to improve the security posture of the organization.” 

Scott Gerlach, co-founder and CSO at StackHawk, added that the challenge of managing complex permissions and security settings is not new, even in a non-SaaS world. But in the past, these services were easy to ignore because they were hidden behind a firewall.

“The move to SaaS increases the challenge because now all of those services are public,” Gerlach said. “Organizations have to understand how these technologies work and enable teams to be productive and have better security settings overall.”