
When the cloud crashes

With recent high-profile attacks on cloud services, most headlines focused on disrupted services and frozen dashboards. But beneath the surface of failed logins, something more consequential was happening. The outages created uncertainty, and uncertainty remains one of the most valuable tools in a cyber-criminal’s arsenal. It’s therefore time we recognise that major cloud outages should no longer be viewed solely as technical events, but rather as potential cyber-security incidents.

 

Why outages attract attackers 

Cloud platforms sit at the centre of modern business, supporting authentication flows, data processing, and entire digital supply chains. So, when major cloud providers experience failures, the impact ripples far beyond inconvenience. Processes break, communication slows, and people become disoriented, and that is exactly when attackers move. 

 

During periods of recent disruption, threat actors did what they have learned to do well: imitate authority. Fraudulent messages urging users to re-authenticate or restore access circulated widely. Emails that would normally appear suspicious suddenly felt plausible. Messages framed as “service restoration requires reauthentication” or “upload credentials to re-establish continuity” exploit the moment perfectly. In an outage, the threshold for normal shifts, and attackers exploit that psychological reset. 

 

Outages create a mindset in which people expect irregular behaviour, and their guard drops. Confusion is not a byproduct of disruption. It is the opening that adversaries rely on. When services are unstable, users are more likely to click, comply, and act quickly, believing they are helping to resolve the issue. At scale, this turns a technical failure into an ideal environment for phishing, credential harvesting, and social engineering campaigns. 

 

The risks we do not see 

One reason the ripple effect is so strong is that few organisations truly understand the depth of their cloud dependencies. Most can name their primary provider, but far fewer appreciate the layers of secondary services, automation tools, and integrations operating behind the scenes. These hidden dependencies mean a single supplier disruption can cascade rapidly into customer-facing risk. When even a single element fails, processes that seem unrelated can collapse. For businesses, this feels like chaos. For attackers, it is an environment full of opportunity. 

 

Communication gaps amplify this risk. Outage updates are often slow, cautious, or buried on a status page users must actively seek out. In that silence, attackers become the louder and more convincing voice. Spoofed updates land faster than official ones, and in a moment where clarity is scarce, people latch onto the first explanation they receive. 

 

Where responsibility really lies 

This raises a fair question: should cloud providers communicate more clearly and more frequently during disruptions? Almost certainly. A consistent and direct communication model would help close the information gap that attackers exploit.  

 

But placing all responsibility on providers passes over an uncomfortable truth. Organisations cannot outsource resilience. The shared responsibility model is not theoretical, and it becomes very real whenever services fail. Vendors cannot own all the risk, particularly when outages and cyber-threats increasingly overlap.

 

The organisations that navigate outages most effectively are not those with the most sophisticated technology stack, but those that treat continuity planning as a critical security discipline by preparing teams for outages, rehearsing alternative workflows, and establishing direct communication channels with customers rather than waiting for the provider to speak first. Above all, they recognise that during an outage, identity security becomes the primary battleground. 

 

Lessons from a predictable future 

Regulators have been signalling this shift for years. Frameworks such as NIST 800-161 (Cyber Supply Chain Risk Management); ISO 27036 (Supplier Security); NIST CSF 2.0 (with the expanded supply chain controls); and DORA (EU) all emphasise resilience, visibility, and operational readiness. Yet many organisations still reference these frameworks rather than embed them into practice. Outages reveal how wide that gap can be. Periodic questionnaires and SLA reviews are no longer sufficient; continuous oversight is now required. 

 

The future will only underscore this. As more critical processes consolidate onto fewer cloud platforms, outages will become more impactful and more tempting for attackers to exploit. Threat actors already monitor vendor disruptions in real time, timing phishing and credential harvesting campaigns to coincide with instability. We are also likely to see attackers targeting the automation and orchestration layers organisations rely on during outages.

 

The real takeaway 

The lesson from recent outages is straightforward: resilience is no longer a technical ambition but a strategic necessity. The question is not whether outages will happen. They will. The real question is how securely and confidently organisations move through them. 

 

Those that continue treating cloud failures as unfortunate interruptions will continue to be surprised, whereas those that treat them as potential cyber-security events will be properly prepared.

 


 

Lorri Janssen-Anessi is Director of External Cybersecurity Assessments at BlueVoyant 

 

Main image courtesy of iStockPhoto.com and napong rattanaraktiya



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543