Cloud Security, 2026-04-15

Moving to the Cloud? Here's the Security Setup Small Businesses Almost Always Miss

You signed up for Microsoft 365 or Google Workspace, your team is up and running, and everything feels secure. After all, Microsoft and Google spend billions on security. What could go wrong?

Quite a bit, actually. And it is not their fault.

The Part Nobody Tells You About Cloud Security

Both Microsoft and Google operate under what is called a shared responsibility model. In plain terms: the provider secures the infrastructure, which typically means the servers, the network, and the physical data centers. You are responsible for securing what runs on top of it: your user accounts, your data, your configurations, and your access controls.

Most small businesses never hear this clearly explained before they migrate. They assume "cloud" means "protected." The result is a setup that looks functional on the surface but has significant gaps underneath.

Here are the settings and configurations that get missed most often.

What Gets Skipped Most Often

1. Multi-factor authentication is not turned on by default for everyone. MFA requires a second form of verification beyond a password: a code from an app, a text message, or a hardware key. It is one of the most effective controls available. But on most platforms it is not enforced automatically; Microsoft and Google are implementing this for most accounts. You have to turn it on and require it for every user, on all applications, not just your primary email accounts.

2. Admin accounts are used for everyday work. Global administrator accounts have unrestricted access to your entire environment. When someone uses that account to send emails or edit documents, they are doing routine tasks with the highest-privilege credentials available. If that account is compromised, the attacker has the keys to everything. Admin accounts should be separate, used only when needed, and protected with strong MFA.

3. Former employees still have active accounts. This one is straightforward and surprisingly common. Someone leaves the company, their laptop gets returned, but their Microsoft or Google account stays active for weeks or months. An active account is an open door. Offboarding needs to include immediate account deactivation, every time.

4. External sharing is wide open. Cloud platforms make it easy to share files and folders with people outside your organization. They also make it easy to accidentally share too much. The default settings on both Microsoft 365 and Google Workspace often allow broader external sharing than most businesses realize. Review your sharing policies and restrict them to what your operations actually require.

5. Audit logging is not configured. Audit logs record who accessed what, when, and from where. If something goes wrong, that log is how you figure out what happened. Retention periods vary by plan and license tier. On some Microsoft 365 plans, logs are retained for 90 days by default. On others, that window is shorter or longer, and it can be extended if you configure it. The point is: do not assume logging is on and retention is sufficient. Check it before you need it.

6. No conditional access rules are in place. Conditional access lets you set rules around how and where your accounts can be used. A practical starting point for most small businesses: require MFA when someone logs in from an unrecognized device, or flag logins from locations you have never operated in. These rules can be simple or more involved depending on your setup, but even basic policies add meaningful protection. Without anything in place, a valid set of credentials is all someone needs to access your environment from anywhere.

7. Backup is assumed, not verified. Microsoft and Google back up their infrastructure to keep their services running. What that does not cover is your data in the event of accidental deletion, a ransomware infection, or an account compromise. Recovery options within the platforms are limited and time-bound. A separate, verified backup process is your responsibility. Many businesses discover this gap at the worst possible moment.
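The seven items above are the kind of thing an advisor checks by hand in the admin console. As an added example, not part of this article or of Phylaxion's service, the following Python script turns that checklist into repeatable checks run over a constructed snapshot of a tenant's settings and accounts. The field names and the thresholds (30 days for a stale account, 90 days of audit retention) are assumptions made for the example and are not the real admin-API schema of Microsoft 365 or Google Workspace; the point is the logic of each check, not the export format.

```python
"""Offline posture check for a small-business cloud tenant.

Added example, not part of the original article. It runs over a
constructed snapshot shaped like what an administrator might export by
hand from Microsoft 365 or Google Workspace. Field names and thresholds
are assumptions for this example, not either product's real schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed thresholds; tune them to your own policy.
STALE_DAYS = 30            # enabled account with no sign-in this long is suspect
MIN_AUDIT_RETENTION = 90   # days; the article cites 90 days as a common default


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    control: str    # which checklist item the finding maps to
    detail: str


def audit_tenant(snapshot: dict, today: date) -> list[Finding]:
    """Return one Finding per gap found in the snapshot."""
    findings: list[Finding] = []
    for user in snapshot["users"]:
        name = user["upn"]
        if not user["enabled"]:
            continue  # a disabled account is already a closed door
        # 1. MFA must be enforced for every active account; worse for admins.
        if not user["mfa_enforced"]:
            sev = "high" if user["is_admin"] else "medium"
            findings.append(Finding(sev, "mfa", f"{name} has no enforced MFA"))
        # 2. Global admins should not carry the mailbox used for daily work.
        if user["is_admin"] and user["has_mailbox"]:
            findings.append(Finding("high", "admin-separation",
                                    f"{name} is an admin with an everyday mailbox"))
        # 3. Leavers: an enabled account nobody has signed into recently.
        last = user["last_sign_in"]
        if last is None or (today - last).days > STALE_DAYS:
            findings.append(Finding("high", "stale-account",
                                    f"{name} is enabled but idle for over {STALE_DAYS} days"))
    # 4. "Anyone with the link" sharing opens a file to whoever holds the URL.
    if snapshot["external_sharing"] == "anyone":
        findings.append(Finding("medium", "external-sharing",
                                "anonymous 'anyone with the link' sharing is allowed"))
    # 5. Logging must be on and kept long enough to investigate an incident.
    audit = snapshot["audit_log"]
    if not audit["enabled"]:
        findings.append(Finding("high", "audit-logging", "audit logging is off"))
    elif audit["retention_days"] < MIN_AUDIT_RETENTION:
        findings.append(Finding("medium", "audit-logging",
                                f"audit retention is {audit['retention_days']} days, "
                                f"below {MIN_AUDIT_RETENTION}"))
    # 6. Report-only policies protect nothing; at least one must be enforced.
    if not any(p["state"] == "enabled" for p in snapshot["conditional_access"]):
        findings.append(Finding("high", "conditional-access",
                                "no enforced conditional access policy"))
    # 7. A backup counts only once a restore from it has actually been tested.
    if snapshot["backup"]["last_verified_restore"] is None:
        findings.append(Finding("medium", "backup", "no verified restore on record"))
    return findings


# Constructed sample tenant: invented data, not a real organisation.
SAMPLE_TODAY = date(2026, 4, 15)
SAMPLE_SNAPSHOT = {
    "users": [
        {"upn": "owner@example.com", "enabled": True, "is_admin": True,
         "has_mailbox": True, "mfa_enforced": True,
         "last_sign_in": SAMPLE_TODAY - timedelta(days=1)},
        {"upn": "pat@example.com", "enabled": True, "is_admin": False,
         "has_mailbox": True, "mfa_enforced": False,
         "last_sign_in": SAMPLE_TODAY - timedelta(days=2)},
        {"upn": "leaver@example.com", "enabled": True, "is_admin": False,
         "has_mailbox": True, "mfa_enforced": True,
         "last_sign_in": SAMPLE_TODAY - timedelta(days=75)},
        {"upn": "intern@example.com", "enabled": False, "is_admin": False,
         "has_mailbox": False, "mfa_enforced": False, "last_sign_in": None},
    ],
    "external_sharing": "anyone",
    "audit_log": {"enabled": True, "retention_days": 30},
    "conditional_access": [{"name": "Require MFA", "state": "reportOnly"}],
    "backup": {"last_verified_restore": None},
}


def run_sample() -> list[Finding]:
    return audit_tenant(SAMPLE_SNAPSHOT, SAMPLE_TODAY)


if __name__ == "__main__":
    for f in sorted(run_sample(), key=lambda f: (f.severity != "high", f.control)):
        print(f"[{f.severity:6}] {f.control:19} {f.detail}")
```

Run against the sample, the script reports seven gaps: the owner doing daily work from an admin account, one user without MFA, one idle account that was probably never offboarded, open anonymous sharing, 30-day audit retention, a conditional access policy that is only in report mode, and a backup nobody has tested a restore from. Swapping the constructed snapshot for a real export is the only change needed to use it on your own tenant.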

What to Do With This

You do not need to be a security expert to address these gaps, but you do need someone who knows where to look. Cloud platforms have extensive configuration options, and the right setup depends on how your business operates: your team size, how you share information, and what data you are protecting.

At Phylaxion, the Secure Cloud Architecture and Management service is built specifically for this. It covers a full review of your cloud configuration, closes the gaps listed above, and puts monitoring in place so problems get caught early. You work directly with one advisor throughout, so there is no handoff and no ambiguity about who is accountable for your environment.

If you are in the process of moving to the cloud, or you are already there and not confident your setup is right, get it reviewed now. A configuration problem is much easier to fix before something goes wrong than after.