Many companies still believe that storing critical documents on-premises makes the most sense. The company controls both the hardware and the security. What could possibly go wrong?

The recent SharePoint server attacks answered that question. Attackers exploited zero-days to bypass multi-factor authentication (MFA) and steal sensitive data from on-premises servers across thousands of organizations. The incident exposed that storing documents on-prem can in fact create more security problems than it solves.

Most organizations can't patch fast enough

There's always a gap between when vulnerabilities are discovered and when teams actually fix them. Microsoft releases patches on the second Tuesday of every month, but most organizations don't apply them immediately. We need testing and change management approval, along with planned maintenance windows.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

During that gap, the organization's sensitive documents are exposed.

Industry research shows that 25% of CVEs are exploited the same day they're published and 75% within 19 days. Attackers move fast. Organizations move slowly. A large company takes weeks to develop a patch. Most organizations take between two weeks and four weeks to test and deploy them. That's 10 weeks of exposure. For attackers, that's plenty of time, and this inevitably increases the chances of a breach.

According to Verizon's 2025 Data Breach Investigations Report, exploitation of unpatched vulnerabilities has become the initial access vector in 20% of breaches, up 34% year-over-year. Even when organizations try to patch, only 54% of edge-device flaws were fully remediated, taking a median of 32 days.

Security researchers consistently find that most organizations run months or years behind on critical security updates. The control that makes on-premises appealing becomes a liability when threats move faster than organizations' change processes.

Patching represents just the first step

On-premises document storage requires constant attention. The team needs access controls, network segmentation, backup integrity, insider threat monitoring, and compliance auditing. Each component demands specialized expertise and resources.

In 2023, the MOVEit Transfer zero-day vulnerability caused mass data theft affecting Shell, British Airways, the U.S. Department of Energy and ultimately more than 62 million individuals. A single unpatched, self-hosted file transfer service became a supply-chain catastrophe.

Many organizations discover their "secure" repositories have fundamental problems. Default passwords on admin accounts. Overly broad access permissions. Unencrypted backups stored next to production systems. Integration points that accidentally expose sensitive content.

The SharePoint attacks succeeded partly because the platform integrates with Office, Teams, OneDrive, and Outlook. Compromise one system and it opens doors throughout the network. Modern productivity demands interconnectedness, but that creates an attack surface far beyond a document server.

Most organizations can't deploy critical patches within 72 hours. They don't have 24/7 monitoring and incident response. Their backup and recovery processes aren't tested regularly. Yet they still believe their documents are safer on-premises. And it comes at a cost.

IBM's 2024 Cost of a Data Breach report pegs the global average breach cost at $4.88 million. In highly regulated sectors the figure exceeds $6 million.

Cloud providers invest billions in security infrastructure. They employ specialized teams focused solely on threat detection and response. Cloud providers such as Google, AWS, and Microsoft put custom security chips in every server and run purpose-built operating systems that patch themselves automatically. When a vulnerability surfaces, they can push fixes across millions of servers within hours using dedicated response teams working around the clock.

Most organizations, meanwhile, are still wrestling with change management processes that may take weeks to deploy a single patch. The gap isn't just about money—it's about having infrastructure designed from the ground up for rapid security response rather than retrofitting security onto existing systems.

What to do about it

The solution isn't to abandon document management entirely. It's to shift the security burden to organizations better equipped to handle it.

Every minute the organization manages its own servers, it owns the patch gap. NIST estimates enterprise patch cycles can stretch into weeks while attackers exploit most CVEs within 19 days. Here's how to overcome the gap:

- Build on hardened, certified infrastructure: Use an environment that's already patched continuously. Look for ISO 27001 and SOC 2 certifications that deliver third-party verification of security controls. Make patch management a pillar of the team's security management.
- Classify and govern content from Day 1: A breach hurts less when attackers only find well-labeled, access-controlled data with automatic retention rules. Regulators increasingly expect provable lifecycle controls.
- Make identity the new perimeter: Zero-trust guidance assumes every request is hostile until proven otherwise. Granular identity and access management with multi-factor authentication blunts lateral movement. Eighty percent of post-breach investigations reveal over-privileged accounts.
- Instrument for continuous detection and response: Centralized logs and real-time analytics cut the mean time to detect. Verizon's data shows breach costs rise 29% when detection takes more than 30 days.
- Keep content encrypted and redundant by default: Encryption at rest plus multi-region replicas removes two common root causes of data loss: disk theft and single-site outages.

Also, validate the organization's controls against recognized frameworks like NIST SP 800-40 for patch management and ISO 27001 for document security. Auditors can test maturity and spot gaps before attackers do.

On-premises storage promises control, but often undermines security. The flexibility to delay updates, customize configurations, and integrate with legacy systems frequently works against the discipline that effective protection requires.

Organizations serious about document security must honestly evaluate their capabilities. For many, it's an uncomfortable answer. Keeping documents "in-house" has become dangerous when threats evolve faster than most IT teams can respond.

These SharePoint attacks aren't the last time we'll see a zero-day bug targeting on-premises infrastructure. The question isn't whether companies will face similar threats. It's whether the team prepared properly when they ultimately do arrive.

Julien Champreix, chief information security officer, AODocs
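The column's argument rests on a number the organization owns: how long each self-hosted system sits between a fix becoming available and that fix being deployed. The script below is an added example, not code from the column or from AODocs, that measures that patch gap from a constructed inventory export and grades every asset against the two thresholds the column cites (critical fixes within 72 hours; most CVEs exploited within 19 days). The CSV, host names, dates and the "today" reference date are all constructed for the example.

```python
"""Patch-gap exposure report (added example; inventory data is constructed)."""
from __future__ import annotations

import csv
import io
import statistics
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds quoted in the column: "deploy critical patches within 72 hours"
# and "75% of CVEs are exploited within 19 days".
CRITICAL_SLA_DAYS = 3
EXPLOIT_WINDOW_DAYS = 19

# Constructed inventory export (not real hosts). A blank 'deployed' field
# means the fix has not been rolled out yet.
SAMPLE_INVENTORY_CSV = """asset,severity,fix_available,deployed
sp-onprem-01,critical,2025-07-20,
file-transfer-02,critical,2025-07-28,2025-07-30
edge-vpn-03,high,2025-07-01,2025-07-25
mail-gw-04,critical,2025-08-05,2025-08-11
db-05,high,2025-08-10,2025-08-12
"""

# Constructed reference date used as "today" for still-unpatched assets.
REPORT_DATE = date(2025, 8, 15)


@dataclass
class PatchRecord:
    asset: str
    severity: str
    fix_available: date
    deployed: Optional[date]  # None while the asset is still unpatched


def parse_inventory(csv_text: str) -> list[PatchRecord]:
    """Parse the CSV export into records; a blank 'deployed' cell becomes None."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        deployed = row["deployed"].strip()
        records.append(PatchRecord(
            asset=row["asset"].strip(),
            severity=row["severity"].strip().lower(),
            fix_available=date.fromisoformat(row["fix_available"].strip()),
            deployed=date.fromisoformat(deployed) if deployed else None,
        ))
    return records


def exposure_days(rec: PatchRecord, today: date) -> int:
    """Days from fix availability to deployment, or to 'today' if still open."""
    end = rec.deployed or today
    return max(0, (end - rec.fix_available).days)


def grade(rec: PatchRecord, today: date) -> str:
    """Grade one asset against the column's 19-day and 72-hour thresholds."""
    days = exposure_days(rec, today)
    if days > EXPLOIT_WINDOW_DAYS:
        return "beyond_exploit_window"
    if rec.severity == "critical" and days > CRITICAL_SLA_DAYS:
        return "critical_sla_missed"
    return "within_sla"


def patch_gap_report(records: list[PatchRecord], today: date) -> dict:
    """Summarize exposure across the inventory the way a patch SLA review would."""
    if not records:
        return {"assets": 0}
    days = [exposure_days(r, today) for r in records]
    grades = [grade(r, today) for r in records]
    return {
        "assets": len(records),
        "remediated_fraction": sum(r.deployed is not None for r in records) / len(records),
        "median_exposure_days": statistics.median(days),
        "max_exposure_days": max(days),
        "by_grade": {g: grades.count(g) for g in sorted(set(grades))},
        "flagged": sorted(r.asset for r, g in zip(records, grades) if g != "within_sla"),
    }


def demo_report() -> dict:
    """Run the report over the constructed inventory at the constructed date."""
    return patch_gap_report(parse_inventory(SAMPLE_INVENTORY_CSV), REPORT_DATE)


if __name__ == "__main__":
    for key, value in demo_report().items():
        print(f"{key}: {value}")
```

Feeding the report a real export from the organization's patch tooling turns the column's "weeks of exposure" into a per-asset figure that can be tracked against NIST SP 800-40 style SLAs, and the "flagged" list is the set of systems that would have been exposed for longer than the exploitation window the column describes.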




