Analysis of cyber risk in relation to SaaS applications.

Varonis released a report today detailing Software-as-a-Service (SaaS) applications and the cyber risks associated with them. The researchers analyzed 15 petabytes of data across 717 organizations across a number of industries.

It was found that about 81% of companies analyzed had sensitive SaaS data exposed to the whole internet. The average company has 10% of cloud data exposed to every employee, 157 sensitive records exposed to the open internet through SaaS sharing features, 33 super administrator accounts (with over half of those accounts not utilizing multi-factor authentication), and 4,468 user accounts without multi-factor authentication. It was also discovered that there are over 40 million unique permissions across SaaS applications and over 12,000 Microsoft 365 sharing links. The most alarming statistic discovered was that 6% of an organization’s cloud data was exposed to the entire internet.

It was found that, on average, each terabyte of data in an organization’s cloud contains more than 6,000 sensitive files, with nearly 4,000 folders shared with contacts outside of the organizations, with more than 2.1 million permissions. Microsoft 365 was also found to be a treasure trove of exposure, with 7% of companies having more than 10,000 exposed files. Alarmingly, there were 10 analyzed companies that had over 100,000 exposed files. Even more startling, one company had more than 1.5 million files exposed from Microsoft 365.