Cloud security: How to detect breaches and stop them quickly
Cloud breaches are going undetected, posing a major risk to businesses. What is causing this growing problem, and what can firms do about it?


Cloud security is a priority for most firms, but breaches aren’t always identified before they have caused substantial damage. In some cases, cloud breaches are going undetected for hours or days, according to research published earlier this year.
While nearly two-thirds of organizations suffered a cloud security incident in the past year, only 9% of breaches were detected within the first hour, according to Check Point’s 2025 Cloud Security Report. Researchers found just 6% of incidents were remediated within the first hour, with 62% of enterprises taking more than 24 hours to fully recover.
The slow pace at which firms detect and respond to cloud breaches is a concern because it gives attackers time for data theft and further attacks, resulting in reputational damage and regulatory fines.
So what is causing companies to miss incidents involving cloud, and how can businesses recover more quickly?
Why cloud breaches are going undetected
Security teams are missing cloud breaches due to cybersecurity alert fatigue, fragmented tools, and clunky legacy applications, according to experts.
Gaps in security can happen because of misconfigured storage or overly permissive access controls, which end up exposing data without triggering alerts, says Andy Green, a partner at Avella Security.
Businesses often fail to enable or properly use logging services such as AWS CloudTrail or Azure Monitor, so suspicious activity goes unnoticed, which just adds to the problem.
“And when monitoring is in use, security teams face alert fatigue, while critical warnings are buried among low-priority notifications and don’t get actioned,” Green adds.
This is made more complex by fragmented, hybrid environments with legacy perimeter defences not designed for cloud scale, which can lead to visibility gaps, says Dray Agha, senior manager of security operations at Huntress.
Simon Driscoll, network and security specialist at ITGL, agrees. “For many organizations, the dispersal of information across multi-cloud means they don’t truly know where all of their data resides anymore,” he says.
“Inevitably, the chance of missing things, or the creation of gaps to exploit, magnifies significantly the more providers used, and the less control companies have.”
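As an added example (not from the article or any of the firms quoted in it), the Python below triages constructed CloudTrail-style events for the three failure modes the experts describe above: audit logging being switched off, storage exposed by an overly permissive bucket policy, and wildcard access grants. Findings are ranked so critical warnings surface first instead of being buried among routine activity. The simplified event layout, severity labels and account ID are assumptions made for this illustration.

```python
import json

# Constructed CloudTrail-style events (simplified layout, not real account data).
SAMPLE_EVENTS = [
    {"eventName": "StopLogging", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-a"},
     "requestParameters": {"name": "org-trail"}},
    {"eventName": "PutBucketPolicy", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-a"},
     "requestParameters": {"bucketName": "customer-exports", "bucketPolicy": {"Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "*"}]}}},
    {"eventName": "PutUserPolicy", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-b"},
     "requestParameters": {"policyDocument": json.dumps({"Statement": [
         {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    {"eventName": "DescribeInstances", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-b"},
     "requestParameters": {}},
]
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}

def _allow_statements(doc):
    """Normalise a policy (dict or JSON string) to its list of Allow statements."""
    doc = json.loads(doc) if isinstance(doc, str) else doc
    stmts = doc.get("Statement", [])
    return [s for s in (stmts if isinstance(stmts, list) else [stmts]) if s.get("Effect") == "Allow"]

def _grants_all_actions(stmt):
    """Action '*' means overly permissive access was granted."""
    acts = stmt.get("Action", [])
    return "*" in (acts if isinstance(acts, list) else [acts])

def classify(event):
    """Return (severity, reason) for a suspicious event, or None for routine activity."""
    name, params = event.get("eventName"), event.get("requestParameters") or {}
    actor = event.get("userIdentity", {}).get("arn", "unknown")
    if name in ("StopLogging", "DeleteTrail"):  # the audit trail itself is being silenced
        return "critical", f"{actor} ran {name} on trail {params.get('name')}"
    if name == "PutBucketPolicy" and any(  # Principal '*' exposes the bucket to everyone
            s.get("Principal") in ("*", {"AWS": "*"})
            for s in _allow_statements(params.get("bucketPolicy", {}))):
        return "critical", f"{actor} opened bucket {params.get('bucketName')} to everyone"
    if name in ("PutUserPolicy", "PutRolePolicy", "CreatePolicy") and any(
            map(_grants_all_actions, _allow_statements(params.get("policyDocument", "{}")))):
        return "high", f"{actor} granted wildcard Action via {name}"
    return None

def triage(events):
    """Order findings most severe first so critical warnings are not buried."""
    findings = [{"severity": hit[0], "reason": hit[1], "event": e["eventName"]}
                for e in events if (hit := classify(e))]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])
```

Running `triage(SAMPLE_EVENTS)` yields three findings (two critical, one high) and ignores the routine DescribeInstances call; in practice the same logic would be fed from the trail's delivered log files rather than an inline list.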
The consequences
It’s clear there are issues preventing cloud incidents from being detected and responded to in time, and the consequences can be devastating, allowing criminals to retain access to internal systems, data, and accounts.
The longer an adversary can hide, the greater the impact, says Harlin Lipman, head of information security at Chronosphere. “They can perform account takeovers, privilege escalation, and tactics such as command and control,” he warns.
Operationally, breaches may disrupt critical services, delay projects, or cause downtime – particularly if attackers exploit cloud resources for malicious purposes such as ransomware, according to Green.
Undetected breaches can also lead to regulatory consequences. A cloud security breach that involves customer data is likely to qualify as a personal data breach under data protection legislation such as the UK General Data Protection Regulation (GDPR), says Olivia Mulvany, a senior associate at law firm Broadfield.
A personal data breach impacts a firm’s reputation and can result in substantial fines. “Time is of the essence: You need to act quickly,” Mulvany warns.
How to detect and mitigate cloud breaches quickly
The risk is real, but detecting cloud breaches and mitigating them before the damage is done is possible.
It’s important to understand the tools and applications you use on a daily basis and build a defence around the best native integrations, says Driscoll.
“Siloed tooling and poor visibility and control as a result of poor integration and overly complex analysis processes are the biggest blockers to improving detection and response,” he adds.
With this in mind, monitoring across all cloud services can help organizations gain visibility, according to experts.
Depending on which cloud provider you are using, Green recommends tools such as AWS GuardDuty, Azure Defender, and Google Cloud Security Command Center, which “can detect threats early using behavioral analytics and threat intelligence”.
Regular cloud configuration audits using tools or penetration testers can identify and remediate misconfigurations before they’re exploited by attackers, Green adds.
Meanwhile, it’s a good idea to focus on a “zero trust principle” mindset, says Driscoll.
“Verify and validate everything, all the time – no exceptions. Adopt least privilege access rules for all users across data stores. Ensure you have segmentation across your private cloud networks and that conditional access is in place for your public cloud environments.”
In addition, investing in cloud security training ensures teams understand evolving threats and response tactics, according to Green.
He says: “Speed and efficiency come from combining the right tools, well-defined processes, and skilled personnel to act decisively — reducing breach dwell time and minimising potential damage.”
Incident response
As attackers continue to target the cloud, preventing attacks is key. But once a breach is detected, it’s important to be able to respond quickly, which calls for a solid incident response strategy.
At the heart of this, Lipman advises firms to have “a well-documented incident response plan”.
Everyone in the business should be involved, so it’s a good idea to educate all employees who participate in incident response, according to Lipman.
“Everyone needs to have a clear understanding of their roles and responsibilities, including their position in the call tree to facilitate quick contact in case of an incident,” he says.
At the same time, incident response plans must be tailored to cloud environments.
“This includes identifying which cloud assets are in scope, who is responsible under the shared responsibility model, and how to isolate affected resources quickly,” adds Green.
“For example, removing identity and access management (IAM) roles, revoking API keys, and detaching instances from networks.”
Once the plan is in place and everyone knows their roles, it needs to be tested regularly. For cloud specifically, regular tabletop exercises focused on scenarios involving the technology are “essential”, Lipman says.
This requires investment, so senior management needs to understand the importance of securing the cloud and the consequences of not being able to respond in time. Security teams must advocate for the software, hardware, and headcount resources they require to enable this preparation, Lipman advises.
“An organization cannot handle incidents if it is not well-equipped from both a software and personnel perspective, so having the necessary resources is imperative for success,” he concludes.
Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google.