Insights

Cloud Security: 90% of Incidents Are Preventable

Written by Andrés Lozada | Jul 9, 2026 6:21:24 PM

Cloud security has a perception problem working against it. Some companies don't migrate to the cloud because they believe it's less secure than their own data center. And some companies do migrate but assume security is the provider's responsibility. Both positions are wrong, and both create exposure.

The reality is more nuanced: the cloud can be more secure than on-premise infrastructure — and frequently is — but only when the organization understands and acts on its share of the responsibility. That share is not small.

The shared responsibility model

The fundamental principle of cloud security is the shared responsibility model: the cloud provider is responsible for the security of the cloud (the physical infrastructure, the network, the hardware); the organization is responsible for security in the cloud (its data, its applications, its configurations, its access).

This principle seems clear on paper, but in practice it creates confusion — and that confusion is costly. Gartner estimated that 99% of cloud security failures would be the customer's responsibility, not the provider's. And the data confirms it: 23% of cloud security incidents originate from misconfigurations, and 82% of those misconfigurations are caused by human error, not software failures (Exabeam 2025).

Put another way: the AWS or Azure data center is probably more secure than your company's. But if you misconfigure access permissions, leave a storage bucket public, or reuse passwords across systems, the sophistication of the provider's infrastructure won't protect you.

The current state of cloud security — the numbers that matter

The 2024-2025 data on cloud security paints a picture that demands attention:

  • 61% of organizations reported significant cloud-related security incidents in 2024, up from 24% in 2023 — a 154% increase in a single year (SentinelOne).
  • 82% of the data compromised in 2023 breaches was stored in the cloud (Exabeam).
  • The average time to detect a cloud breach is 219 days, with another 80 days to contain it (datastackhub). That's 299 days of potential exposure before the problem is resolved.
  • The average cost of a data breach in 2025 is $4.44 million globally (IBM Cost of a Data Breach 2025), with ransomware incidents reaching $5.08 million.
  • Breaches in multi-cloud environments cost 26% more on average to contain.

But there's one data point that puts all of this in perspective: more than 90% of cloud security incidents are preventable with adequate controls (Gitnux). The problem isn't that the cloud is insecure. The problem is that most organizations don't implement the basic controls consistently.

The most common threats and why they're so hard to eliminate

Misconfigurations: The number-one threat. Publicly accessible storage buckets, overly broad IAM permissions, APIs exposed without authentication, networks without proper segmentation. These are errors that seem minor and that can expose critical data to the internet. The average of 43 misconfigurations per cloud account among organizations that used public cloud in 2024 shows the scale of the problem (SentinelOne).

Identity and access management (IAM): In the cloud, identity is the new security perimeter. Credential-stuffing attacks, phishing to steal credentials, and the exploitation of accounts with excessive permissions are priority attack vectors. 51% of cloud compromises in 2023 originated from weak password controls (Google). Only 50% of organizations have multi-factor authentication (MFA) implemented for cloud access (Gitnux).

Insecure APIs: APIs are the interface through which cloud services communicate with each other and with the outside world. Poorly designed APIs, those without proper authentication, or those exposing excessive information are one of the fastest-growing attack vectors, especially in multi-cloud environments and with generative AI integration.

Shadow cloud and unmonitored assets: 32% of cloud assets are unmonitored, with an average of 115 vulnerabilities each (Orca Security). Resources created without going through the IT approval process — the cloud equivalent of classic Shadow IT — create blind spots that security teams can't manage if they don't know they exist.

The controls with the greatest impact

Zero Trust as a security architecture: The Zero Trust principle — never trust, always verify — is the most robust response to identity threats in cloud environments. No user, device, or service is granted access by default, regardless of whether it's inside or outside the corporate network. The Zero Trust market is projected at $60 billion by 2027 (Exabeam), reflecting the accelerating adoption of this model.

Cloud Security Posture Management (CSPM): Tools that continuously monitor the configuration of cloud environments and identify deviations from security best practices. They are the most direct response to the misconfiguration problem. Only 26% of organizations currently use them (Exabeam) — which means 74% are managing configurations reactively, not proactively.

Consistent encryption: Encrypting data both in transit and at rest is a fundamental control. The problem is that fewer than 10% of organizations encrypt more than 80% of their sensitive data in the cloud (Exabeam). 47% of the data stored in the cloud is classified as sensitive — but that doesn't mean it's encrypted.

Vulnerability and patch management: In cloud environments that change constantly, vulnerability management requires automation. Manual processes don't have the speed or scale to keep pace with how quickly new vulnerabilities appear and how quickly the environment changes.

Cloud security as part of the culture, not just the technology

88% of cloud security incidents are linked to human error (Exabeam) — not software failures or sophisticated attacks that no control could have stopped. That says something important: investing in security technology without an equivalent investment in training, awareness, and processes has a limited return.

The organizations with the best cloud security results are those that treat security as a cross-functional responsibility, not as a problem exclusive to the IT team. 63% of organizations already conduct regular cloud security training for their staff (Gitnux). It's a number that should be higher, but it's moving in the right direction.

Moving to the cloud without simultaneously strengthening security capabilities is like moving into a bigger house without changing the locks. The space is better, but the protection doesn't improve on its own.

Sources: IBM Cost of a Data Breach Report 2025, Gartner, SentinelOne, Exabeam 2025, Orca Security 2025, Gitnux, datastackhub, Google Cloud Security


Andrés Lozada
Executive Director, SUMāTO Group · Cloud · Infrastructure · Cybersecurity · Digital Transformation
linkedin.com/in/andreslozada/

Keep exploring