The cloud doesn’t make your business automatically more secure. In many ways, it shifts the security responsibilities — and the mistakes — to different places. The misconfiguration that leaves a filing cabinet unlocked has become the misconfiguration that leaves a cloud storage bucket publicly accessible.
Based on W3IT’s security reviews across small business environments, these are the cloud security mistakes that come up most consistently.
1. Former Employees Still Have Active Accounts
This is the most common finding, and it’s often the most alarming. Staff leave. New people join. The process for deactivating departed employees’ accounts — email, cloud tools, business applications — is inconsistently followed, if it exists at all.
A former employee’s active account is an access point that nobody is watching. Even if they left on good terms, their credentials may turn up in a breach dump or be phished later, and because no one expects that account to sign in, a compromise of it can go unnoticed for a long time, giving an attacker everything the account could reach: mail, files, and every application it had been granted.
Fix: Conduct a full audit of active accounts across all your cloud services, including shared mailboxes and service accounts. Match them against current staff. Disable (rather than immediately delete) everything that doesn’t have a current legitimate owner, so mail and files can be reassigned, and revoke the account’s active sessions and app tokens at the same time. Make account deactivation a checklist step in your offboarding process, triggered on the leaver’s last day.
2. Over-Privileged Accounts
Many small business cloud environments have been set up pragmatically — everyone gets admin access because it was easier at the time, or because the person who set it up didn’t think to limit permissions.
The result is that everyone has access to everything. If any account is compromised, the attacker has the same broad access. And staff can accidentally (or intentionally) access or modify things they shouldn’t.
Fix: Apply the principle of least privilege. Each person should have access only to what their role needs. Admin rights should be limited to the few people who genuinely need them, held on separate admin-only accounts rather than the account used for daily email, and reviewed on a schedule (quarterly is a reasonable starting point).
3. MFA Not Enforced
Many businesses have MFA available but haven’t made it mandatory. A few staff members have enabled it; most haven’t. The ones who haven’t are the vulnerability.
If MFA is optional, it is effectively absent as a defence, because an attacker with a list of your users will simply try the accounts that don’t have it.
Fix: Enforce MFA as a policy, not a preference. Microsoft 365 can enforce it for every user through Security Defaults on any tenant, or through Conditional Access policies on licences that include Entra ID P1 (Business Premium, for example); Google Workspace enforces it through mandatory 2-Step Verification in the admin console. Turn the enforcement on for all users, including shared and service accounts, and block legacy authentication protocols, which bypass MFA entirely.
4. Cloud Storage Left Open
Shared drives in Google Workspace or Microsoft 365, Dropbox folders, and cloud storage buckets are often shared broadly when first created and never reviewed. A document shared with “anyone with the link” is readable by anyone who obtains that link, with no sign-in required and no record of who opened it, and links get forwarded, pasted into chats and left in browser histories.
A business’s Google Drive folder shared with the internet is not a theoretical risk — it’s a regular occurrence.
Fix: Audit your cloud storage sharing settings. Review any files or folders shared with “anyone” or with external access, and treat links that are also discoverable by search as the most urgent. Set the tenant-wide default so new files are shared internally only, and implement a policy that external sharing requires explicit approval. Google Workspace and Microsoft 365 both provide admin tools to review and restrict sharing settings.
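The review is easiest when driven from a listing of each file’s permissions rather than by clicking through folders. The script below is an added example, not W3IT’s tooling: it classifies each permission entry and ranks files by how exposed they are. The listing is a constructed sample in the shape of the Google Drive API files.list response with the permissions field requested; the internal domain is assumed. The same logic applies to OneDrive and SharePoint sharing links once anonymous links are mapped to the “anyone” case and guests to the external-user case.

```python
"""Flag risky sharing in a Drive file listing.

Added example, not W3IT's tooling. The listing is a constructed sample in the
shape of the Google Drive API files.list response with 'permissions' requested.
"""
import json

INTERNAL_DOMAIN = "example.com"  # assumed primary domain of the tenant

# Constructed sample listing.
FILE_LISTING = json.loads("""
{"files": [
  {"id": "f1", "name": "Q2 pricing.xlsx", "permissions": [
     {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
     {"type": "anyone", "role": "reader", "allowFileDiscovery": false}]},
  {"id": "f2", "name": "Payroll 2024", "permissions": [
     {"type": "user", "role": "owner", "emailAddress": "bob@example.com"},
     {"type": "user", "role": "writer", "emailAddress": "contractor@gmail.com"}]},
  {"id": "f3", "name": "Marketing assets", "permissions": [
     {"type": "user", "role": "owner", "emailAddress": "carol@example.com"},
     {"type": "anyone", "role": "reader", "allowFileDiscovery": true}]},
  {"id": "f4", "name": "Internal handbook", "permissions": [
     {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
     {"type": "domain", "role": "reader", "domain": "example.com"}]},
  {"id": "f5", "name": "Partner NDA", "permissions": [
     {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
     {"type": "domain", "role": "reader", "domain": "partner.example"}]}
]}
""")

# Higher number = look at it first.
SEVERITY = {
    "public-discoverable": 3,  # anyone, and search engines may index it
    "public-link": 2,          # anyone who obtains the link, no sign-in
    "external-domain": 2,      # every user of another organisation
    "external-write": 2,       # an outside individual can modify or re-share
    "external-read": 1,        # an outside individual can read
}
WRITE_ROLES = {"owner", "organizer", "fileOrganizer", "writer"}


def classify_permission(perm, internal_domain=INTERNAL_DOMAIN):
    """Return a finding kind for one permission entry, or None if it is internal."""
    kind = perm.get("type")
    if kind == "anyone":
        return "public-discoverable" if perm.get("allowFileDiscovery") else "public-link"
    if kind == "domain":
        return None if perm.get("domain", "").lower() == internal_domain else "external-domain"
    if kind in ("user", "group"):
        if perm.get("emailAddress", "").lower().endswith("@" + internal_domain):
            return None
        return "external-write" if perm.get("role") in WRITE_ROLES else "external-read"
    return None


def audit_sharing(listing, internal_domain=INTERNAL_DOMAIN):
    """Return one finding per risky permission entry, most severe first."""
    findings = []
    for f in listing.get("files", []):
        for perm in f.get("permissions", []):
            kind = classify_permission(perm, internal_domain)
            if kind is None:
                continue
            findings.append({
                "file": f["name"], "id": f["id"], "kind": kind,
                "who": perm.get("emailAddress") or perm.get("domain") or "anyone with the link",
                "role": perm.get("role"), "severity": SEVERITY[kind],
            })
    findings.sort(key=lambda x: x["severity"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in audit_sharing(FILE_LISTING):
        print(f"[{f['severity']}] {f['kind']:20} {f['file']!r} -> {f['who']} ({f['role']})")
```

On the sample, the file shared to “anyone” with discovery enabled ranks first, the internal handbook shared only to the company domain is not flagged, and the payroll sheet is flagged because an outside personal address holds writer access rather than merely reader access.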
5. No Admin Activity Monitoring
Who is logging into your Microsoft 365 admin console? From where? When? Who made changes to your Google Workspace settings last Tuesday?
Most small businesses have no logging or monitoring of administrative activity in their cloud platforms. This means that a compromised admin account can operate undetected for extended periods.
Fix: Make sure audit logging is on in your cloud platforms. It is enabled by default in current Microsoft 365 and Google Workspace tenants, but verify it, and note that both keep the logs only for a limited period (on the order of months), so export them if you need longer retention. Then set up alerts for high-risk administrative actions: new admin role assignments, changes to authentication settings such as MFA being disabled for a user, new mailbox forwarding or inbox rules, and bulk file access or downloads. The logs are only useful if someone actually reviews the alerts.
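What an alert rule over those logs looks like in practice, as an added example that is not W3IT’s tooling: the records are constructed in the shape of a Microsoft 365 unified audit log export (one JSON object per record), the operation names on the watch list follow that log but should be checked against what your own tenant emits, and the trusted office network range is assumed.

```python
"""Alert on high-risk admin activity and bulk downloads in an audit log export.

Added example, not W3IT's tooling. Records are constructed in the shape of a
Microsoft 365 unified audit log export; the watch-listed Operation names should
be checked against your own tenant's log, and the trusted network is assumed.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

HIGH_RISK_OPERATIONS = {
    "Add member to role.",             # someone gained an admin role
    "Add service principal.",          # a new application identity was created
    "Disable Strong Authentication.",  # MFA removed from a user
    "Set-AdminAuditLogConfig",         # audit logging itself was reconfigured
    "New-InboxRule",                   # mailbox rules are classic BEC persistence
    "Set-InboxRule",
}
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed office range
BULK_DOWNLOAD_THRESHOLD = 10
BULK_DOWNLOAD_WINDOW = timedelta(minutes=10)


def _rec(time, user, op, workload, ip, target=""):
    return {"CreationTime": time, "UserId": user, "Operation": op,
            "Workload": workload, "ClientIP": ip, "ObjectId": target}


# Constructed sample log. 'bob' looks like a compromised admin: MFA removed for
# a colleague from an unfamiliar IP, then a mailbox rule, then a download burst.
SAMPLE_LOG = [
    _rec("2024-05-02T08:01:12", "alice@example.com", "UserLoggedIn", "AzureActiveDirectory", "203.0.113.10"),
    _rec("2024-05-02T08:03:40", "alice@example.com", "Add member to role.", "AzureActiveDirectory", "203.0.113.10", "newadmin@example.com"),
    _rec("2024-05-02T08:05:02", "bob@example.com", "Disable Strong Authentication.", "AzureActiveDirectory", "198.51.100.7", "carol@example.com"),
    _rec("2024-05-02T08:06:30", "bob@example.com", "New-InboxRule", "Exchange", "198.51.100.7", "Forward to external"),
    _rec("2024-05-02T08:50:00", "alice@example.com", "Update user.", "AzureActiveDirectory", "203.0.113.10", "dave@example.com"),
] + [
    _rec(f"2024-05-02T08:{10 + i:02d}:00", "bob@example.com", "FileDownloaded", "SharePoint", "198.51.100.7", f"doc{i}.docx")
    for i in range(12)
] + [
    _rec(f"2024-05-02T{8 + i // 2:02d}:{30 * (i % 2):02d}:00", "carol@example.com", "FileDownloaded", "SharePoint", "203.0.113.22", f"report{i}.pdf")
    for i in range(3)
]


def _is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # missing or malformed IP: treat as untrusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def detect(records):
    """Return (rule, user, detail, ip) alerts, processing records in time order."""
    alerts = []
    recent_downloads = defaultdict(deque)  # per user: timestamps inside the window
    bulk_alerted = set()                   # alert once per user per run, not per file
    for r in sorted(records, key=lambda r: r["CreationTime"]):
        ts = datetime.fromisoformat(r["CreationTime"])
        user, op, ip = r["UserId"], r["Operation"], r.get("ClientIP", "")
        if op in HIGH_RISK_OPERATIONS:
            alerts.append(("high-risk-operation", user, f"{op} {r.get('ObjectId', '')}".strip(), ip))
            if not _is_trusted(ip):
                alerts.append(("admin-action-from-untrusted-ip", user, op, ip))
        if op == "FileDownloaded":
            window = recent_downloads[user]
            window.append(ts)
            while ts - window[0] > BULK_DOWNLOAD_WINDOW:
                window.popleft()  # drop downloads older than the sliding window
            if len(window) >= BULK_DOWNLOAD_THRESHOLD and user not in bulk_alerted:
                bulk_alerted.add(user)
                alerts.append(("bulk-download", user, f"{len(window)} files within {BULK_DOWNLOAD_WINDOW}", ip))
    return alerts


if __name__ == "__main__":
    for rule, user, detail, ip in detect(SAMPLE_LOG):
        print(f"{rule:32} {user:20} {ip:15} {detail}")
```

Two design points carry over to any real deployment: the bulk-download rule is a sliding window per user, so three downloads spread over an hour (carol) stay quiet while twelve in twelve minutes (bob) fire once; and a high-risk operation from outside the trusted range raises a second, separate alert, because an admin action from an unfamiliar network is what a compromised admin account looks like even when each individual action is something an admin might legitimately do.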
6. Third-Party App Access Not Reviewed
Over time, staff connect third-party applications to your business cloud accounts — Slack to Google Calendar, a project tool to Microsoft 365 email, various marketing tools to the CRM. Each connection is a granted permission that persists until revoked.
Old integrations that are no longer used remain connected. An application that was legitimate when installed may have changed ownership or practices. Each connection is a potential security dependency you may not know about.
Fix: Review the connected applications in your Google Workspace and Microsoft 365 admin consoles, paying most attention to apps that can read or send mail, reach every file, or change directory settings, and to anything granted for all users or not used in months. Revoke access for anything that isn’t actively used or that you don’t recognise. Both platforms let you require admin approval before users can grant an app access to company data; turn that on so new integrations are reviewed before connection rather than discovered afterwards.
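A review of a few dozen grants goes faster if they are ranked first. The script below is an added example, not W3IT’s tooling. Its grant inventory is constructed; the fields loosely follow what Microsoft Graph reports for OAuth2 permission grants (the scope string and whether consent was for one user or all users), with a last-used date and a publisher-verification flag that you would take from the app’s enterprise application entry. The scope names are Microsoft Graph delegated permissions; Google OAuth scopes map the same way for Workspace. The scoring weights are the author’s assumptions and should be tuned to your own appetite for risk.

```python
"""Rank third-party app grants for review.

Added example, not W3IT's tooling. The grant inventory is constructed; field
names loosely follow Microsoft Graph oauth2PermissionGrants plus last-used and
publisher-verification details. Scoring weights are assumptions.
"""
from datetime import datetime, timedelta, timezone

HIGH_RISK_SCOPES = {
    "Mail.ReadWrite": "read and alter mailbox content",
    "Mail.Send": "send mail as the user",
    "MailboxSettings.ReadWrite": "create forwarding and inbox rules",
    "Files.ReadWrite.All": "read and write every file the user can reach",
    "Sites.ReadWrite.All": "read and write all SharePoint sites",
    "Directory.ReadWrite.All": "change users, groups and roles",
}
MEDIUM_RISK_SCOPES = {
    "Mail.Read": "read all mail",
    "Files.Read.All": "read every file the user can reach",
    "Contacts.Read": "read the address book",
}
UNUSED_AFTER = timedelta(days=90)
REVIEW_TIME = datetime(2024, 5, 3, tzinfo=timezone.utc)  # fixed for reproducibility

GRANTS = [  # constructed inventory
    {"app": "Slack", "consent": "AllPrincipals", "scope": "Calendars.ReadWrite User.Read offline_access",
     "publisher_verified": True, "last_used": "2024-05-01"},
    {"app": "ProjectTool", "consent": "Principal", "principal": "bob@example.com",
     "scope": "Mail.ReadWrite Mail.Send offline_access", "publisher_verified": True, "last_used": "2023-10-15"},
    {"app": "PDF Converter Pro", "consent": "Principal", "principal": "dave@example.com",
     "scope": "Files.ReadWrite.All offline_access", "publisher_verified": False, "last_used": "2024-04-28"},
    {"app": "Mailchimp", "consent": "AllPrincipals", "scope": "Contacts.Read User.Read",
     "publisher_verified": True, "last_used": "2024-04-23"},
    {"app": "Unknown app", "consent": "AllPrincipals", "scope": "Directory.ReadWrite.All",
     "publisher_verified": False, "last_used": None},
]


def score_grant(grant, now=REVIEW_TIME):
    """Return (score, reasons). Higher score = review sooner."""
    scopes = set(grant["scope"].split())
    score, reasons = 0, []
    for s in sorted(scopes & HIGH_RISK_SCOPES.keys()):
        score += 3
        reasons.append(f"{s}: {HIGH_RISK_SCOPES[s]}")
    for s in sorted(scopes & MEDIUM_RISK_SCOPES.keys()):
        score += 1
        reasons.append(f"{s}: {MEDIUM_RISK_SCOPES[s]}")
    risky = score > 0
    if risky and "offline_access" in scopes:
        score += 1  # refresh token: the app keeps working with no user present
        reasons.append("offline_access: keeps working without the user present")
    if risky and grant["consent"] == "AllPrincipals":
        score += 2  # one grant covers every mailbox/drive in the tenant
        reasons.append("granted for every user in the tenant")
    if not grant.get("publisher_verified"):
        score += 2
        reasons.append("publisher not verified")
    if grant.get("last_used") is None:
        score += 2
        reasons.append("never used")
    elif now - datetime.fromisoformat(grant["last_used"]).replace(tzinfo=timezone.utc) > UNUSED_AFTER:
        score += 2
        reasons.append(f"not used for more than {UNUSED_AFTER.days} days")
    return score, reasons


def review_grants(grants, now=REVIEW_TIME):
    """Score every grant and return them highest-risk first with a suggested action."""
    ranked = []
    for g in grants:
        score, reasons = score_grant(g, now)
        action = "revoke or re-approve" if score >= 5 else ("check" if score else "ok")
        ranked.append({"app": g["app"], "score": score, "reasons": reasons, "action": action})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for r in review_grants(GRANTS):
        print(f"{r['score']:2} {r['action']:20} {r['app']}")
        for reason in r["reasons"]:
            print(f"     - {reason}")
```

On the sample, the project tool that nobody has used since last year but can still read and send a user’s mail ranks alongside the unrecognised, never-used app with tenant-wide directory write access; the calendar integration with narrow scopes and recent use scores zero. That ordering is the point: the review starts with what can do the most damage if the vendor, or the vendor’s attacker, decides to use it.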
7. No Tested Backup of Cloud Data
A persistent misconception: because your data is in the cloud, it’s backed up. It isn’t necessarily. Microsoft 365 and Google Workspace keep deleted items in a recycle bin or trash, and in some cases earlier versions of files, for a limited period, but these are not proper backups: they live in the same account under the same credentials, and they don’t protect against mass deletion, ransomware that spreads through desktop sync, or accidental or malicious account actions that are only noticed after the retention window has passed.
Several businesses have lost significant amounts of cloud data to ransomware that encrypted local files and synced the encrypted versions to the cloud, overwriting the originals.
Fix: Implement a dedicated cloud backup solution for your Microsoft 365 or Google Workspace data. Services designed for this purpose create isolated, versioned copies of your cloud data that are recoverable even in worst-case scenarios. Check that the retention period is longer than the time it might take you to notice a loss, and test a restore of a mailbox and a folder before you need one.
Most of these mistakes are easy to make and easy to fix once identified. The challenge is knowing they exist. A cloud security audit that reviews account access, permissions, MFA configuration, sharing settings, connected applications, logging and backup status typically takes a few hours and almost always uncovers something worth addressing.
W3IT includes cloud environment assessment in our security review service. If your Microsoft 365 or Google Workspace environment has never been formally reviewed, there’s a reasonable chance at least a few of these issues are present.