There is a comforting myth that moving to the cloud hands your security problem to Amazon, Microsoft or Google. It does not. The big platforms secure their infrastructure superbly — but how you configure access, who can reach what, and whether your accounts are protected is entirely on you. And that is where almost every breach actually happens.
The good news: the controls that prevent the overwhelming majority of incidents are well understood, mostly free, and within reach of any business. Here is the practical set we put in place for clients.
Understand the shared responsibility model
Every cloud platform works on shared responsibility: the provider is responsible for the security of the cloud (the data centres, the hardware, the core platform), and you are responsible for security in the cloud (your data, your access controls, your configuration).
Read that line carefully, because most breaches live entirely on the customer's side of it. The provider being secure does not make you secure.
Turn on multi-factor authentication everywhere
If you do one thing after reading this, do this. Multi-factor authentication (MFA) requires a second proof of identity — a code from a phone app, usually — on top of the password. It is free or near-free on every major platform, and it stops the great majority of account-takeover attacks, because a stolen password alone is no longer enough.
Enable it on:
- Every administrator account, without exception.
- Email accounts — email is the master key that resets every other password.
- Any service holding customer, financial or staff data.
Prefer an authenticator app over SMS codes where you can; SMS is better than nothing but can be intercepted.
Control access with least privilege
The principle is simple: give each person the minimum access they need to do their job, and no more. When everyone is an administrator, a single compromised account becomes a company-wide breach.
- Create roles, not blanket admin rights.
- Review who has access quarterly, and remove what is no longer needed.
- Remove access the day someone leaves — a former employee's live account is a standing risk.
Close the configuration gaps
Misconfiguration is the quiet cause of more breaches than any dramatic hack. The usual culprits:
- Storage left open to the public when it should be private. Check that file storage, buckets and shared drives are not world-readable.
- Default settings left unchanged on new services.
- Unused accounts and services still switched on, expanding your attack surface for no benefit.
A periodic configuration review catches these before someone else does.
Protect data in transit and at rest
Make sure data is encrypted both while it moves across the internet and while it sits in storage. On the major platforms this is largely a matter of enabling the right options rather than building anything — but it has to be switched on and confirmed, not assumed.
For sensitive data, also know where it is stored. As covered in our cloud computing guide, regional data residency can be a compliance requirement, and a hybrid setup may be needed.
Patch, monitor, and back up
Three ongoing habits that close the loop:
- Patch and update — automated where possible. Unpatched software is the doorway most attackers actually use.
- Monitor for unusual activity — logins from unexpected places, sudden permission changes, mass downloads. The major platforms provide alerting; the point is that someone is actually watching it.
- Back up, off-site and isolated — so that even a successful ransomware attack cannot destroy your ability to recover. See our backup and disaster recovery guide.
Train your people
Technology stops most attacks; people stop the rest. The most common entry point remains a convincing phishing email that persuades someone to hand over a password or approve a payment. A short, regular conversation with staff about how to spot phishing, why MFA matters, and what to do if they think they slipped up is one of the highest-value security investments a small business can make.
The short version
If you protect every account with MFA, enforce least-privilege access, check your configurations, encrypt your data, keep things patched and backed up, and train your people — you have closed the doors that the vast majority of real-world attacks walk through. None of it requires an enterprise budget. It requires doing it, and keeping it done.
If you would like a straight assessment of where your cloud setup stands against this list, we are glad to take a look.
Frequently asked questions
Is the cloud secure?
The major cloud platforms are built to a security standard almost no individual business could match. But security in the cloud is a shared responsibility: the provider secures the infrastructure, and you are responsible for how you configure access, share data and manage accounts. The overwhelming majority of breaches happen on the customer's side, through weak passwords, missing multi-factor authentication or misconfigured permissions.
What is the single most important cloud security control?
Multi-factor authentication (MFA) on every account, especially administrator accounts. It is free or near-free on most platforms and stops the great majority of account-takeover attacks, which typically rely on a stolen or guessed password alone.
Do small businesses really get targeted?
Yes. Most attacks are automated and opportunistic — they scan for weak configurations and reused passwords at scale, and they do not care how big you are. Small businesses are often hit precisely because they assume they are too small to be a target and skip basic controls.