Scenarios about the strategic importance of knocking out a rival nation's critical infrastructure in the early phases of any all-out cyber war have been widely discussed.

Now comes a report from insurance underwriting giant Lloyd's of London and risk modeling consultancy Air Worldwide that introduces some fresh granularity to what some call cybergeddon. The upshot is that Amazon Web Services, Google Cloud and Microsoft Azure may need to be included on the list of critical infrastructure targets, which includes utilities, transportation systems, financial markets and most recently election systems.

The Lloyd's/Air Worldwide study concludes that the complete failure of a top cloud services provider that extends for at least three days would cost the U.S. economy $15 billion. Small- and mid-sized businesses that have come to rely on cloud services would be hit more heavily than Fortune 1000 companies; SMBs would sustain some two-thirds of the economic losses, the report says.

Manufacturing companies would lose $8.6 billion, wholesaler and retailers $3.6 billion, finance and insurance firms $447 million and transportation and warehousing sectors $439 millions.

Cloud complexities

Cyberattack damage projections have become so common they're almost cliché. However, this one warrants a closer look. As a leading property insurer and reinsurer, Lloyd's has responded to countless business disruption events over decades and is in possession of rich historical data to support their assumptions.

Meanwhile, AIR Worldwide has been modeling damage losses from cyber and other events for many years.

"Any report that includes Lloyd's experience and AIR's modeling is a powerful combination that should be taken seriously," observes Inga Goddijn, executive vice president at Risk Based Security Inc., a Richmond, Virginia-based supplier of risk management services.

The potential for a devastating cloud outage is high because cloud computing has become so popular. Relieved of having to purchase, run and maintain data-centers, companies--especially smaller ones--now routinely tap AWS, Azure and Google Cloud for data storage and mission critical processing power.

However, making cloud computing as secure as it needs to be has turned out to be more complex and cumbersome than anyone anticipated. And the popularity of AWS, Azure and Google Cloud has made them prime targets.

"Major (cloud) infrastructure service providers are now also critical points for systemic failure, and any data breach or significant downtime can have a cascading effect impacting thousands of businesses, with a great potential for economic impacts," Goddjin observes.

Navigating risks

Credit goes to Microsoft, Amazon and Google for acknowledging that this looming exposure needs to be proactively addressed. The Big Three have begun to take pronounced steps to weave security components deeper into the fabric of their respective cloud services. The problem is, they've been doing so rather quietly.

A clarion call is in order. Company leaders need to disabuse themselves of the fallacy that subscribing to a cloud service equates to outsourcing security for that part of the business. Smaller organizations, in particular, can ill afford to assume this.

"As the saying goes, the cloud is just another word for someone else's computer." Goddjin says. "If you're entrusting critical business operations and sensitive data to these companies, it's important to include security in the evaluation process and fully understand what sort of recourse is available should the service fail."

The same principles holds true for large organizations, tenfold, she says. From a high level, it has become pivotal for all company leaders to continually educate themselves. Business networks are complex and continually changing. Cloud computing weaves together four fundamental layers around which data flows: the Internet cloud, web browsers, business applications and data bases.

"Most security issues happen because we are not continuously validating that these layers -- and the security around them -- are working as they should," says Brian Contos, Chief Information Security Officer at Verodin, a supplier of security instrumentation systems.