5 tips to improve your cloud security

Cloud computing is everywhere. You probably don’t think about it all that much, but most of the platforms and software you use will be hosted in the cloud. However, while cloud-based platforms are generally the safest around, there are extra steps you can take to protect your business. Here are our top 5 tips for improving your cloud security.

1. Use Multi-factor authentication 

Multi-factor authentication (MFA) is an authentication tool that requires you to provide two or more verification methods to sign into an application. Rather than just asking for a username and password, MFA adds some extras. For example,  a randomly generated pin code sent by SMS, a thumbprint, or a piece of memorable information only you know.

You’ve probably already used MFA plenty in your day-to-day life. Many applications now require it and we’re well on the way to it being a near-universal security tool.

This is happening for a very good reason. Strong passwords are important, but they aren’t infallible. A well-orchestrated brute force attack could still find a way through. In contrast, MFA is incredibly difficult for a cybercriminal to crack without access to your phone, fingerprints or deeply personal information.

Moreover, under the new Cyber Essentials requirements, MFA should always be used for accounts connecting to cloud services. 

Want to know more about the cyber threats small businesses face? Check out our guide.

2. Manage user access carefully

It’s likely you’re already doing this with some of the cloud-based software you use. After all, who pays for licences they don’t need? However, as a general rule, it’s important to give your staff access to all the resources and data necessary for their roles, and no more.

There are two key reasons for this. Firstly, it reduces the risk of someone editing or deleting important information by accident. But, more importantly, it protects you from hackers who have stolen an employee’s credentials.

Practising proper segregation of user accounts limits the damage any successful breach can cause. To learn more about how to do that, check out our blog on admin users

3. Create a comprehensive off-boarding process

It’s never nice when a colleague leaves, especially if it’s not on good terms. But however staff leave, you need to make sure they no longer have access to cloud platforms, systems, data and customer information.

Of course, it’s unusual for employee off-boarding to go dramatically wrong, but that doesn’t mean you shouldn’t take precautions. Too many businesses leave the process weeks or even months after an employee has left, or forget altogether. 

This is a big security risk. By failing to cull access permissions for former employees, you’re losing control over who can access your systems and data, and potentially giving cybercriminals an easy route into your business.

To prevent the worst, you’ll need a systematic process for ensuring all access rights are revoked. This can be tricky as most employees will have access to a range of applications and platforms. So, to make it a simpler process, keep an up-to-date list of who has access to what. And, if you don’t have the bandwidth to do so in-house, there are plenty of tools available to automate the process.

4. Consider a cloud-to-cloud backup service

As we’ve mentioned, a direct breach of any cloud platform you use is unlikely (though not impossible). Nevertheless, the risk to your data from human error is high. Some 90% of all breaches start with some form of human error.

The problem is, should a cybercriminal corrupt your data or an employee delete something, most cloud platforms will only keep backups of deleted data for a specific period. This can range from days to months. So as well as checking with the provider what its policy is, it could be worth having a reserve option.

Many providers offer regular cloud-to-cloud backup services. And, it’s an option well worth considering for particularly important or sensitive data. 

5. Provide regular security training for employees

If you’ve read any of our blogs before, you’ll know we really hammer home the importance of staff training. Cloud platforms typically have very good defences, meaning the most likely way a hacker will bypass them is by stealing employees’ login credentials. This will usually happen through a social engineering attack, such as phishing.

The best way to counter this is with regular security training. That way, your people will be able to recognise potential threats and avoid them. There’s no such thing as one-size-fits-all security training. What the training looks like will depend on your staff and their knowledge gaps. 

However you do it, keep it regular, useful, and engaging. For more on how to get started, we recommend reading our blog on security training.

To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights into the risks small businesses face and what can be done to counter them. Get your copy here.

State of SME cybersecurity

Mythbusting: is your data really safe in the cloud?

Cloud storage has become an indispensable part of modern business. Yet despite the cost savings, ease-of-access, and reliable data backup it offers, some people still don’t trust the Cloud. Why not? And, do they have a point?

Why are people concerned about cloud security?

It comes down to control. When you upload files to a cloud, you aren’t saving them locally to an internal server. Instead, you’re sending potentially sensitive data to another company, one that could be hundreds or even thousands of miles away, and entrusting them to keep it safe. This might sound obvious, but for some businesses, this loss of direct control is a real concern.

Looking to better protect your business? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the basics of cybersecurity. 

What are the risks?

Are businesses right to be worried about losing direct control of their data? What are the risks associated with using cloud storage?


The big cloud providers – Microsoft, Google, Apple, and Amazon – spend billions of dollars on their security each year and have some of the best defences around as a result. However, that doesn’t mean they’re infallible.

The most determined cybercriminals find a way around even the tightest defences, whether that’s through guessing security questions or cracking passwords. Even the biggest providers aren’t immune to these approaches as the infamous Apple iCloud hack of 2014 and 2019’s Facebook data breach revealed.

Alongside potential breaches of cloud providers’ infrastructure, there’s some risk involved in the process of just getting your data up into the cloud. For example, let’s say you’re using Google Docs as part of your cloud package. A hacker could potentially intercept your data as it moves between your device and the cloud. Provided you’re working with a reputable cloud provider it’s unlikely, but the risk remains.


The other major cybersecurity risk involved in using the cloud is privacy. Even if your data isn’t stolen it could still be viewed both by employees of the cloud provider and government agencies. Governments can legally request data stored by cloud providers and it’s up to each company as to whether they comply.

Although you’ll often hear people trot out the old adage ‘if you’ve got nothing to hide, there’s nothing to worry about’, the possibility of sensitive documents being read by third parties is a valid concern. 

Do the risks outweigh the benefits?

So, do the risks of storing your data in the cloud outweigh the benefits?

In short, no. To illustrate why, ask yourself whether sensitive documents and information would be safer stored locally on company-owned servers or devices? Invariably, the answer is no. 

Consider the typical IT infrastructure within a small business. It’s often housed in the same building employees work and is accessible by anyone who works for the company. This not only makes the job of cybercriminals far easier but it also increases the likelihood of a data breach due to human error.

Now contrast that with a large cloud provider. Cloud servers are housed in huge, well-guarded data centres, often far off the beaten track and a long way from providers’ central offices and staff. What’s more, the data in those servers is usually protected with complex encryption, making hacking it extremely difficult.

As for privacy, it’s again worth asking yourself a couple of questions. Firstly, would your company object to a cloud provider’s staff viewing sensitive data for troubleshooting purposes? If the answer is ‘no’, then there is little to fear. Cloud providers generally won’t view the data they store for any other reason.

Secondly, were a government agency to request access to business data would you be likely to refuse? Again, if not, there’s little difference in privacy between storing your data onsite or in the cloud. 

The verdict 

The cloud isn’t perfect. It’s far from completely secure and it’s increasingly becoming the number one target for cybercriminals who realise this. However, it is by far the best data storage option available to businesses. 

It offers a level of security sophistication streets ahead of anything a small business could afford. It’s cost-effective, allowing you to store masses of data for very little money. And, it allows your people anytime, anywhere access to the files and applications they need.

Of course, if you are concerned about the security of your cloud storage, there are extra precautions you can take. Consider setting up encryption (more on which here), two-factor authentication and implementing a strict password policy for an extra layer of protection.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

CTA button

Encryption explained: how does it work and why do SMEs need it?

Most of us have heard of encryption. It’s that recipe for secrecy that techy types talk about all the time. But for many of us, that’s where the knowledge ends.

However, for small businesses looking to improve cybersecurity, encryption can be a vital weapon in your arsenal- and one that isn’t so hard to understand. Here’s a simple explanation of what encryption is, why you need it, and when to use it.

What is encryption?

Although encryption, much like ‘the blockchain’, can seem like another one of those unfathomable technical terms, it’s actually pretty simple.

Encryption is most commonly used to protect data in transit and at rest. Ever sent a Facebook Messenger or WhatsApp message? That uses encryption. Or, a payment using online banking? Also encryption. How about buying something from a web store? You guessed it, encryption again.

You get the picture. Encryption is used everywhere in our daily lives, but how does it work?

In non-technical terms, encryption is a way of randomising data so that only an authorised recipient can understand the information. Encryption converts plaintext – for example, the text in an email between you and a colleague – and converts it into ciphertext, a string of random numbers and letters. To unlock the real message or data, you need an encryption key, which is a set of mathematical values that only the sender and the recipient of the message know, like so:


Photo PixelPrivacy

The principle is much the same as a password, but better (as we’ll see).

Why does your business need it?

So we’ve covered, in very simple terms, what encryption is. The next question is why should SMEs be using it? It’s easy to assume that if you’re not a huge multinational, processing reams of sensitive information, that your standard security tools such as firewalls and secure passwords are enough to protect your data. However, there are three key reasons why this isn’t the case.

Cyber attacks are on the rise

It’s likely not news to you that cybersecurity threats to SMEs are on the rise. Barely a week goes by without another news story or set of figures released to that effect. Indeed, the Federation of Small Businesses estimates that SMEs are collectively subject to almost 10,000 cyber-attacks a day.

A recent report from cybersecurity experts, Malwarebytes, reveals that detections of new malware continue to increase by 1% year-on-year.

A big part of the problem is the ever-increasing volume and variety of malware out there. A recent report from cybersecurity experts, Malwarebytes, reveals that detections of new malware continue to increase by 1% year-on-year. This might not sound like much, but when we’re talking about detections in the tens of millions, it soon adds up.

In this environment, it’s getting harder and harder to stay ahead of the threat. However, adopting encryption can act as a strong second line of defence. For instance, someone in your organisation accidentally clicks on a malware link in an email (something we’ve all done at least once), potentially exposing your data to an attacker. Using encryption means that they won’t be able to read whatever they find without a key, meaning your data is safe.

You’re using a cloud service

Cloud computing is now a vital part of the daily operations of most SMEs. And if you’re doing business entirely in the cloud, and don’t store any sensitive data on employees’ devices, you’re safe, right? After all, the likes of Amazon, Google, and Microsoft spend billions of dollars a year on the security of their cloud services.

Unfortunately, this is only partly true. Obviously storing your data in a cloud is far better than having everything on vulnerable systems, but that doesn’t mean it’s entirely safe.

To give an example, let’s say you use a cloud-based platform like Office 365 for your everyday operations. A would-be hacker can still intercept your data as it moves between your device and the cloud. As we’ve already mentioned, this is unlikely if you’re working with a reputable cloud provider, but it’s not impossible or even that uncommon. Using strong encryption can help protect you against this by adding another layer of defence.

Passwords aren’t the be-all and end-all

Now, you may be thinking ‘but my business has a clear password protection policy and we regularly change our passwords for laptops and devices, surely that’s enough?’
Not quite. While it’s true that a strong security policy can help protect your business against regular theft and even less sophisticated cyberattacks, it’s not enough to protect you from the really harmful stuff.

Hackers are always finding a way around even the strictest security policies and new methods for cracking passwords appear all the time. To be totally sure, you need an a solution that allows you to completely encode everything on your device. This means that even in the event someone does manage to break in, all they’ll be able to extract is random gobbledegook that’s little use to anyone without the right encryption key.

How do you use encryption?

Finally, let’s take a look at how you can use encryption to protect your business. Encryption can take many forms. How you use it will depend on what you need it for, but some common uses include:

End-to-end encryption – This guarantees data sent between two parties cannot be viewed by anyone else. Most of the internal communication tools such as Slack or Google Hangouts will come with this as standard, but it’s worth checking whichever messaging tool you use.

Cloud storage encryption – A service offered by cloud storage providers that transforms your data or text using an algorithm and stores it safely in the cloud.

Encryption as a Service (EaaS) – EaaS represents the next step up from cloud storage encryption. It’s the perfect tool for small businesses who want to use encryption but lack the resources to do manage it themselves. EaaS subscription models typically include full-disk, database, and file encryption.

Of course, these are far from the only uses of encryption. You can also use it to protect certain fields on your website, encrypt everything leaving or entering your web server and a hundred other things besides. The above are just the most common applications for SMEs.

Data is more important than ever to SMEs. In fact, in our data-driven economy, it’s often the most valuable asset a business possesses. Basic cyber-hygiene such as encryption can go a long way towards helping you protect it.

Show your customers you value their data by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

Get started