Cyber Threats in the Cloud: How to Design Resilience Before the Next Disruption

The migration to the cloud and the accelerated adoption of artificial intelligence are transforming businesses with visible gains in speed and efficiency. But that same momentum has expanded the attack surface and increased the sophistication of cybercriminals: they combine new tools with old tactics to find the weak entry point, move laterally, and cause disruptions that hurt operations and reputation. The real question is no longer whether an incident will happen, but whether the organization will be able to absorb it and keep operating. The key, as highlighted in the report “Cloud Cyber Threats: Strategies Against Digital Disruption,” is to integrate risk management from the design phase, not tack it on at the end as a patch.

Three core ideas to understand the problem

1) Efficiency with a double edge. Cloud and AI enable doing more with less, but they also concentrate valuable assets and credentials on platforms exposed to the Internet by design. The higher the concentration and connectivity, the more attractive the target for attackers.

2) Evolving adversaries. Ransomware gangs, state-supported groups, and corporate fraudsters have modernized their arsenal: they employ AI-driven social engineering, deepfakes, and man-in-the-middle adversary kits, but they keep what works (phishing, credential abuse, exploiting weak configurations).

3) Resilience by design. Business continuity isn’t just certified; it’s built. Strong identities, segmentation, encryption with proper key management, useful telemetry, immutable backups, and exercised crisis plans are foundations—not adornments.

Cloud and AI: efficiency at the cost of exposure

Moving workloads and data to public, private, and hybrid clouds isn’t a frictionless transfer: it changes the threat model. Nearly half of corporate data residing in cloud services is sensitive, and corporate email in SaaS suites continues to be a preferred entry point through account compromise campaigns (BEC). Generative AI, for its part, reduces costs for both defenders and attackers: defenders gain speed in detection and response; attackers produce tailored phishing campaigns, more convincing voice and image impersonations, and adaptable malware scripts. The result is an increasing incident curve and, most notably, a higher rate of attacks ending in operational disruption.

Ransomware + Phishing: the dual exposure of the cloud model

Ransomware has refined its “business.” It no longer just encrypts: it first exfiltrates data and threatens to publish it. Now, it deliberately seeks cloud storage and collaboration to increase its impact. Meanwhile, phishing remains the most profitable vector. The Adversary-in-the-Middle (AITM) variant steals session tokens and bypasses weak or inherited authentication, allowing intruders to evade even traditional two-factor authentication. The pattern repeats: compromised credentials, silent lateral movement, exfiltration to external buckets, and encryption triggered at the worst moment for the victim.

Third parties and supply chains: from point failures to systemic impact

Outsourcing accelerates projects but adds correlated risk: thousands of companies depend on a few providers of software, identity, CDN, or security services. An incident in one third party can escalate to tens of thousands of systems, and a critical update error can cause global outages—even if it wasn’t a cyberattack. The hard lesson: protecting only your perimeter isn’t enough; it’s necessary to understand and manage technical and operational dependencies, demand transparency, and ensure escape routes when a chain link breaks.

Recent cases best not forgotten

• Okta (2023): Unauthorized access to support systems and exfiltration of session tokens affected dozens of clients. It made clear that technical support and third-party access are critical vectors, and that minimum privilege must also apply outside core IT.
• DDoS on perimeter services (2024): Several hours of outages on cloud platforms reminded us that without multi-region traffic engineering and alternative routes, availability can collapse like dominoes.
• Misconfigured AI agents (2025): Proof-of-concept tests showed that an agent with excessive permissions can execute destructive actions without malware. The message: AI security must be serious; it demands identity and authorization controls as strict as any microservice.
• Ransomware on email and hosting providers (2022–2024): Credentials + exploited vulnerability + lack of segmentation led to prolonged downtimes, costly litigation, and loss of trust. Segmentation and function isolation are not optional.

From “comply” to “resist”: resilience by design

The cloud and AI require moving from a checklist to a resilience design approach:

1. Clear risk appetite. Leadership must define which services cannot fail and for how long. Without this framework, security becomes vague, and spending disperses.
2. Shielded identities. Phishing-resistant MFA (FIDO2/WebAuthn), JIT (just-in-time) privileges for admins, PAM for high-risk accounts, and vaults for secrets. Avoid MFA via SMS unless as a last resort.
3. Segmentation and least privilege in the cloud. Separate accounts by environments (production, pre, dev), deny-by-default policies, network microsegmentation, egress filtering, and fine-grained permission control in storage, queues, and serverless functions.
4. Encryption and key control. Encrypt during transit and at rest as basic, but what matters most is who controls the keys (KMS) and where they reside. Local custody can reduce regulatory and extraterritorial risks in certain sectors and jurisdictions.
5. Continuous configuration hygiene. Regular audits, patching windows, immutable images, infrastructure as code with guardrails, and pre-deployment validations. Configuration is code and must be treated as such.
6. Integrated detection and response. Useful telemetry (logs, metrics, traces), AI-enabled analytics to detect session and privilege anomalies, and rehearsed runbooks. Theory without exercises doesn’t prepare anyone.
7. Backups 3-2-1-1-0. Three copies, two supports, one off-site, one immutable/offline, and verified error-free recovery. Measure and test RTO and RPO as if a rescue depends on it (because it does).
8. Third-party governance. Maintain a live inventory of SaaS/PaaS dependencies, require telemetry and SLA notifications, review subprocessors and jurisdictions, request evidence of immutable backups and continuity plans, and define operational escape routes (export, degraded mode).
9. Crisis testing. Run scenarios such as provider outages, identity loss, DDoS, and email compromise. Measure MTTD/MTTR, switch-over times, and the effectiveness of internal and external communications.
10. Cyber insurance aligned with reality. It doesn’t replace controls but complements them. Many policies require strong MFA, EDR, immutable backups, and segmentation to be covered.

Key metrics for executive oversight

Resilience is demonstrated with data, not presentations. Some actionable metrics:

• MTTD/MTTR by incident type and affected provider.
• Patch compliance for criticality levels within defined windows.
• Percentage of JIT privileged sessions and their average duration.
• Encryption coverage according to data classification.
• Successful recovery rate against RTO/RPO guarantees.
• Critical dependency map with verified contingency plan (including manual or degraded route).

Ten actions to start tomorrow

• Activate phishing-resistant MFA and remove legacy methods.
• Inventory SaaS apps, close orphaned connectors, and review excessive permissions.
• Apply conditional access based on risk, blocking by geography/device when appropriate.
• Enforce JIT for administrators and audit elevated sessions.
• Isolate backups with immutability and test recovery monthly.
• Review mail rules and domain typosquatting related to your brand.
• Simulate an AITM attack on productivity suites and tune detection tools.
• Practice a continuity plan in case a critical SaaS goes down.
• Require third parties to specify notification times, share telemetry, and establish emergency channels.
• Train executives in pressure decision-making and communication protocols.

Culture and governance: the difference between stumbling and falling

Technology sets the pace, but culture shapes the rhythm. Organizations that withstand best have clear roles and responsibilities, committees speaking the same language (risk, business, technology), budgets prioritized by impact, and a healthy obsession with learning from incidents. The goal isn’t to eliminate risk—impossible in hyperconnected environments—but to manage exposure and reduce recovery time when something inevitably goes wrong.

Frequently Asked Questions

What are the best practices to stop ransomware in multicloud environments by 2025?
Use phishing-resistant MFA, segmentation by environment and separated accounts, least privilege, patching with criticality SLAs, immutable backups (3-2-1-1-0), unified telemetry, and tested runbooks. Also, add exfiltration controls (egress), short sessions, and token revocation.

What is an Adversary-in-the-Middle (AITM) attack, and how can it be mitigated in productivity suites?
It’s session interception between user and service to steal tokens and bypass authentication. It’s mitigated with FIDO2/WebAuthn, conditional access based on risk, session anomaly detection, re-authentication for sensitive actions, and good application hygiene (registered apps/OAuth).

How can one assess SaaS third-party risks without falling into the “checklist” trap?
Map real dependencies (data, identities, processes), demand telemetry and SLA notifications, review subprocessors and jurisdictions, request evidence of immutable backups and continuity plans, and define operational escape routes (export, degraded mode).

What resilience metrics should an executive committee monitor?
Track MTTD/MTTR, success rate of restorations versus RTO/RPO, data encryption coverage by data classification, percentage of JIT admins, multiregional failover times, and results from crisis tests (frequency, findings, corrective actions).

via: QBE España