5 Key Lessons from the Snowflake Data Breach (and How Not to Get Burned)

This massive breach is a wake-up call: Don’t expect your cloud storage provider to completely protect your data. It’s a shared responsibility, and companies must step up their game.

Perspective

It hasn’t taken long for Snowflake’s reputation to come crashing down – and the $2 billion cloud storage provider probably doesn’t completely deserve it.

A breach in late May that the company and Mandiant, a threat intelligence firm, blamed on a financially motivated group called UNC5537 may end up being the largest of the year. At least 165 companies have been victimized thus far, and names are still being added to the list. Some notable ones that disclosed they’d been hit include Advance Auto Parts, AT&T, Pure Storage, Santander Bank, and Ticketmaster. A wave of lawsuits and government scrutiny followed.

According to Snowflake and security experts, there was no evidence suggesting this activity was caused by any vulnerability, misconfiguration, or breach of Snowflake’s product or infrastructure. Instead, it’s believed that the hackers targeted Snowflake customers using compromised credentials from a former Snowflake employee or contractor (accounts vary). But the main reason UNC5537 was able to compromise so many accounts was because those customers hadn’t enforced multifactor authentication (MFA).

While MFA may not always live up to the hype, Snowflake, Mandiant, and other security experts have said that if affected customers had had it, they likely wouldn’t have been compromised. So one big takeaway from this breach is to embrace MFA at all costs. But it’s not the only one.

Here are five key lessons executives and IT leaders should learn from this event:

1. Shared responsibility: It’s not all on Snowflake

Just because you’re parking your data in the cloud doesn’t mean you should expect Snowflake – or any cloud provider – to handle all related security. Sure, they have to protect the systems hosting your data and keep it encrypted. But if you don’t do your part to monitor who can access it, well then, that’s on you.

Steve Zalewski, former CISO for Levi Strauss, lays it out like this: “You buy a house, there’s a lock on the front door. We give you the key to the lock. But it’s up to you to decide how many copies to make and whether you put a deadbolt on top of that.” In other words, Snowflake sold you a place to store your data, and they secured the location, but it’s up to you to manage how it’s accessed. You leave the door open if you don’t enable MFA or impose secure access controls.

Snowflake could have done better, though: To extend the real estate analogy, realtors and lenders are legally required to provide pamphlets and disclosures to home buyers advising them about things in their homes or neighborhoods that might hurt them. Similarly, amid public relations pressures, Snowflake quickly said it would develop a plan to require customers to “implement advanced security controls, like multifactor authentication” or network policies, especially for privileged Snowflake customer accounts.

The lesson: Don’t wait until Snowflake forces you to do your part. Start enforcing MFA immediately and educate your broader team on the legitimate business and IT reasons for doing so.

2. IAM is a Snowflake customer’s new best friend (and it should be yours)

Identity and access management (IAM) isn’t just a buzzword – it’s your first line of defense. One of the biggest factors in the Snowflake breach was weak IAM. Simply put, companies weren’t locking down who could access what, and it came back to bite them.

Johannes Ullrich, dean of research at the SANS Technology Institute, says, “Make sure there are sufficient controls built around the data… including MFA or phishing-resistant authentication.” In other words, don’t rely on a flimsy username and password combo, he says. MFA isn’t just something nice to have – it’s a must. Hackers are getting smarter, but that extra layer of security still deters them.

The lesson: MFA for everyone. No exceptions. Ensure access controls are locked tighter than your Netflix account when a free trial ends.
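The two controls the article keeps coming back to, MFA and network policies, are things a Snowflake administrator can audit and turn on in a single worksheet. The following is an added example written for this page; it is not code from the article, from Snowflake, or from any of the people quoted. It assumes the ACCOUNT_USAGE views (USERS, GRANTS_TO_USERS, LOGIN_HISTORY) and the AUTHENTICATION POLICY / NETWORK POLICY syntax as documented by Snowflake in 2024, which should be checked against current documentation before use; the database, schema and policy names, and the IP range, are placeholders.

```sql
-- Added example (not from the article or from Snowflake). Audits who can
-- still log in with a password alone, then enforces the two controls the
-- article names: an authentication policy requiring MFA and a network policy.
-- Names and the IP range are placeholders. Run as ACCOUNTADMIN (or a role
-- granted APPLY AUTHENTICATION POLICY / APPLY NETWORK POLICY ON ACCOUNT).

USE ROLE ACCOUNTADMIN;

-- 1. Audit: active, password-enabled users with no MFA enrolment.
--    ACCOUNT_USAGE views lag real time by up to a couple of hours.
SELECT name,
       has_password,
       ext_authn_duo        AS mfa_enrolled,
       has_rsa_public_key,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled::BOOLEAN = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Audit: the privileged accounts the article singles out.
--    Anyone holding ACCOUNTADMIN or SECURITYADMIN without MFA comes first.
SELECT g.grantee_name  AS user_name,
       g.role,
       u.ext_authn_duo AS mfa_enrolled
FROM   snowflake.account_usage.grants_to_users g
JOIN   snowflake.account_usage.users u
       ON u.name = g.grantee_name AND u.deleted_on IS NULL
WHERE  g.deleted_on IS NULL
  AND  g.role IN ('ACCOUNTADMIN', 'SECURITYADMIN');

-- 3. Detection: successful logins in the last 30 days that used only a
--    password (no second factor), with the source IP of each.
SELECT user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       COUNT(*)             AS logins,
       MAX(event_timestamp) AS most_recent
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp > DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY 1, 2, 3, 4
ORDER  BY logins DESC;

-- 4. Enforce: require MFA enrolment for password logins, account-wide.
--    Authentication policies are schema-level objects, so they live in a
--    dedicated admin schema (placeholder names).
CREATE DATABASE IF NOT EXISTS security_admin;
CREATE SCHEMA   IF NOT EXISTS security_admin.policies;

CREATE OR REPLACE AUTHENTICATION POLICY security_admin.policies.require_mfa
  AUTHENTICATION_METHODS     = ('PASSWORD', 'SAML')
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  MFA_ENROLLMENT             = REQUIRED
  CLIENT_TYPES               = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWSQL')
  COMMENT = 'Password logins must enrol in MFA before they can proceed';

ALTER ACCOUNT SET AUTHENTICATION POLICY security_admin.policies.require_mfa;

-- 5. Enforce: restrict where logins may come from at all.
--    203.0.113.0/24 is a documentation range; substitute your own egress
--    addresses. Snowflake refuses to apply a policy that would lock out the
--    IP of the session issuing the ALTER.
CREATE OR REPLACE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Only corporate egress ranges may reach the account';

ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- Verify what is now in force.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
DESCRIBE AUTHENTICATION POLICY security_admin.policies.require_mfa;
```

Query 3 is the one to keep running after the policies are in place: any row it returns after enforcement is a login path the policy did not cover (a driver that does not support MFA, a service account left on password authentication) and a candidate for key-pair or OAuth instead. Service accounts that genuinely cannot enrol in MFA should get their own authentication policy bound to the user rather than an exemption from the account-level one.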

3. Zero trust isn’t paranoia – it’s survival

You’ve probably heard of zero trust and have implemented it by now. If you haven’t, this strategic approach to cybersecurity basically says, “Don’t trust anyone or anything until they are proven to be who they are, even after they’ve been granted first-level network access.”

No person or machine goes anywhere without authorization. Users get access to network resources only if their job title or role dictates it. It’s not unlike the physical security systems for a major internet company. Not even the CEO can access the room containing extremely sensitive technological information; the top executive is only allowed access to rooms where he or she really needs to be.

Such approaches might seem extreme and difficult to enforce, but with breaches costing global businesses an average of $4.5 million per incident, according to a recent IBM-Ponemon Institute study, you can’t afford to bypass the common sense of zero trust.

Zero trust doesn’t mean locking everything down to the point of no functionality – it means continuous verification, making sure users and devices are who they say they are at every step.

The lesson: Get with the program. Implement zero trust principles so every access request is met with a raised eyebrow and a verification challenge.

4. Test, test, and test again

Nobody launches a new product without testing it, so why would anyone roll out a security system without regularly testing it? That’s where penetration testing (pen testing) and attack-surface monitoring come into play.

These are not scams to bleed your budgets dry. They are state-of-the-art weapons in any smart security operations (SecOps) arsenal. Most pen testers – ethical hackers hired to simulate cyberattacks – are completely legitimate, and many of them did this kind of work for military and intelligence agencies in the United States, Israel, and other cybersecurity-conscious nations. They can also examine your identity and access controls to ensure they’re keeping bad actors at bay. Even if what they turn up isn’t significant, having that peace of mind is better than not knowing or not realizing there’s a severe vulnerability waiting to be exploited, which could cost you a great deal of time and money, as well as your reputation.

“Even as a big company, having an external entity examine your security posture with a different lens than your internal people can be important,” says Ullrich. Companies tend to trust their internal teams a little too much. Getting fresh eyes on your security setup is like getting a second opinion on a medical diagnosis. That’s called being practical, not paranoid.

The lesson: Frequent pen testing is your security stress test. Bring in the pros to find the cracks before it’s too late.

5. Be ready to clean up the mess (because the next Snowflake-like breach will happen)

Even with the best security measures in place, it’s pretty much a given that breaches will still happen. You’ve likely heard this before, but it can’t be repeated enough: It’s not if, it’s when. And when that day comes, how you respond can make or break your reputation.

Ullrich and Zalewski agree that having a solid incident response plan is non-negotiable.

“Know where your data is,” Ullrich advises. It sounds simple, he says, but in the case of a breach, knowing where your critical data lives – and who has access to it – can save valuable time. Zalewski adds that companies must be proactive in training their teams on responding: “Security is everybody’s responsibility.”

In Snowflake’s case, having a quick and effective response saved them from a much worse PR disaster, but that doesn’t mean other companies should get complacent. Incident response is all about minimizing damage and communicating transparently with customers.

The lesson: Get your incident response plan together now, not when things go wrong. Remember, cyber hygiene (MFA, regular patches, training) is the key to avoiding major incidents.

The bottom line: Don’t wait for disaster to strike

The Snowflake breach is a wake-up call, but it’s also an opportunity. No cloud provider – no matter how big or secure – can completely protect your data for you. In fact, it’s not entirely their job. It’s a shared responsibility, and companies must step up their game.

So, take these five lessons to heart: Double down on IAM, embrace zero trust, test your defenses regularly, and make darned sure your team is ready to jump into action when things go wrong. Because in the world of cybersecurity, it’s not just about playing defense – it’s about staying ahead of the game.

Wendy Lowder

Wendy Lowder is a freelance writer based in Southern California. When she’s not reporting on hot topics in business and technology, she writes songs about life, love, and growing up country.
