Cloud security breaches can cost companies more than $50,000 in less than an hour, according to a new IBM Security report.

The Cloud Threat Landscape Report 2020, which includes data from the IBM Institute for Business Value and IBM X-Force Incident Response and Intelligence Services, found that basic security oversight issues, including governance, vulnerabilities, and misconfigurations, remain the top risk factors. And it puts a hefty price tag on the cost of a security breach.

Depending on the organization and the type of application running in the cloud, unauthorized access to cloud assets can generate losses of more than $50,000 in less than an hour, the report says.

“To me it seems very low,” said Limor Kessem, executive security advisor at IBM Security, about the $50,000 price tag. “We’re talking about business continuity here. Depending on the industry, depending on the company and what kind of workloads they’re actually running in the cloud, and what production environments, any interruption can cause losses much higher than $50,000 per hour.”

Plus, she added, an attacker could also grab as much company data as possible and then demand payment for it. “They can ask for [money] later, and it can be millions [of dollars],” Kessem said. “So $50,000 is more of a conservative estimate of how much could be lost in one hour.”

Cloud Apps Most Common Entry Point

In fact, attackers took advantage of misconfigured cloud servers to steal more than 1 billion records in 2019, according to IBM’s 2020 X-Force Threat Intelligence Index. This report and others, including the Cloud Security Alliance, maintain that misconfiguration of cloud environments and subsequent data leaks remain one of the greatest sources of record loss across organizations.

Similarly, cloud applications are the most common entry point for attackers, and they account for 45% of the cases examined in this report between January 2019 and May 2020. Attackers use tactics including brute-forcing and exploiting vulnerabilities and misconfigurations to gain access to these cloud apps.

So who is targeting these cloud systems? IBM’s incident response team, working with DarkOwl, a security company that claims it has the world’s largest index of darknet content, found that financially motivated criminals are the top threat group. Nation-state actors, however, also pose a persistent risk.

“The biggest attribute in cloud is the scale and interconnectivity of it, and so there’s a lot more data than you’d find somewhere else,” Kessem said. “Nation state attackers are going to be looking for something very, very specific and so they might go for operational environments. They are not necessarily going to go after a certain cloud or just go look for data in these environments. Whereas with financially motivated criminals, all they need to do is find a way in to steal data and to encrypt data. And once they find a platform with a vulnerability, then they are going to try to breach all the websites that use that platform.”

Shared Responsibility Model

Despite being deep in the weeds with security threats on a daily basis, Kessem said she was “alarmed” by one of the statistics. The report found the majority of respondents (73%) believed public cloud providers were the main party responsible for securing software-as-a-service (SaaS), while only 42% believed providers were primarily responsible for securing cloud infrastructure-as-a-service (IaaS).

In fact, it’s reversed: a company is responsible for securing its workloads including SaaS deployed in public clouds. Meanwhile, the cloud provider is responsible for securing the IaaS. This is called a shared responsibility model of security, and it’s still a pretty hazy concept for many customers.

“That’s the bare metal,” Kessem said. “This is what you’re buying when you go to a cloud provider — you buy the infrastructure. So that is the part that gets secured across the board by the providers, but only 42% of people believed that. It gives us an idea again of how this shared responsibility is still not clear enough for a lot of people.”

How to Improve Cloud Security

The report ends with a series of recommendations to help companies improve their cloud security posture. These include building security controls into the conception process, using simulation to test and improve readiness and security response, and robust cloud monitoring and event logging, among several others.

“First and foremost is the establishing of governance and culture, and also the mindset that securing a cloud is completely different from securing other IT environments,” Kessem said. “And so making sure your employees understand a lot more about the cloud is essential here. It also connects things like incident response, and how that’s done in the cloud and so on.”

Privileged account management is another important security concept, she added. It limits accounts to the least privileges required, along the lines of a zero-trust model, to restrict what users can access. “And in the cloud, it’s not only users, it could be something as small as a process that has a certain privilege and can be taken advantage of by an attacker,” Kessem said.

Because of this, companies must automate incident response in cloud environments, which can improve detection and response capabilities rather than relying on manually reacting to events, she said. “We have to see a lot more automation and really just a lot better management in the cloud because of the extensive interconnectivity.”