When a Donegal professional services firm migrated to Microsoft 365 and a cloud-hosted CRM two years ago, the managing partner assumed that security came with the subscription. Microsoft would protect the data. The cloud provider would handle the rest. Eighteen months later, an attacker used a set of stolen credentials — obtained through a phishing email that the firm's legacy email filter had not caught — to access the CRM. Client contact details and financial information were exported over several days before the intrusion was discovered. Microsoft's infrastructure was secure throughout. The problem was in the customer's configuration: no MFA, no conditional access policies, no alerts for bulk data export. The cloud was secure. The tenant was not.
This story plays out repeatedly across Ireland. Cloud computing has transformed how Irish SMEs operate — enabling flexible working, reducing infrastructure costs, and providing access to tools that would have required enterprise-scale investment a decade ago. But the move to cloud has also introduced a set of security challenges that many business owners do not fully understand. The root cause is almost always the same: a misunderstanding of where the cloud provider's responsibility ends and where yours begins.
WHAT: The Shared Responsibility Model and Why It Matters
Every major cloud provider — Microsoft, Google, Amazon Web Services — operates under what is called the shared responsibility model. The provider is responsible for the security of the cloud: the physical infrastructure, the networking hardware, the underlying platform. You, the customer, are responsible for the security in the cloud: your data, your user identities, your configurations, your access controls.
In practice, this means that AWS securing its data centres in Dublin is not the same as your S3 storage buckets being configured to restrict access. Microsoft securing Azure's physical infrastructure is not the same as your Microsoft 365 tenant having MFA enabled and conditional access policies in place. Google protecting its network is not the same as your Google Workspace being configured to alert on unusual bulk data downloads.
Misconfiguration is the leading cause of cloud data breaches, not attacks on cloud providers. An Irish SME that migrates to the cloud and treats the migration as a security improvement — without reviewing the configuration of the services it has just adopted — is often in a worse security position than before the migration, because its data is now accessible from anywhere in the world to anyone with the right credentials.
Has your business moved to cloud services without a formal security configuration review? Book a free 20-minute strategy call — we help Irish SMEs identify and close the configuration gaps that put cloud-hosted data at risk.
WHAT NOW: Eight Controls That Make Cloud Environments Genuinely Secure
Strong identity and access management is the foundation. Every cloud account must require multi-factor authentication, especially administrative accounts. Apply the principle of least privilege: every user gets access only to what they need for their role, and no more. Review access permissions quarterly and revoke anything that is no longer necessary. NCSC Ireland consistently identifies credential compromise as the primary initial access vector for cloud breaches affecting Irish organisations.[^1]
Secure configuration management is the second priority. Do not rely on default settings. Cloud providers set defaults optimised for ease of use, not security. Storage buckets, database access policies, network security groups, and application permissions all need to be explicitly configured with security in mind. Audit your configurations regularly — many cloud providers offer native tools that flag common misconfigurations automatically, and a simple scripted check over your own policy documents catches the most dangerous case of all: a resource that any anonymous principal can read.
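The following is an added example, not the article's own material and not a cloud provider's tool: a stand-alone audit of bucket policy documents in the AWS S3 bucket-policy JSON shape, which flags any Allow statement whose principal is everyone (`"*"` or `{"AWS": "*"}`). Statements that carry a Condition block are reported separately rather than passed, because a condition narrows access but does not prove it narrow enough. The two policy documents, the bucket name, account ID and VPC endpoint ID are constructed sample values.

```python
"""Audit S3-style bucket policy documents for anonymous (public) access.

Added example, not a provider's native checker. Both policy documents below
are constructed samples in AWS bucket-policy JSON shape; the bucket name,
account ID and VPC endpoint ID are placeholders.
"""
import json

# Constructed sample: the classic misconfiguration, read access for everyone.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-client-files/*",
        }
    ],
})

# Constructed sample: access limited to one application role, plus a wildcard
# principal that is only reachable through a specific VPC endpoint.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AccountRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/crm-app"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-client-files",
                "arn:aws:s3:::example-client-files/*",
            ],
        },
        {
            "Sid": "WildcardButConditioned",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-client-files/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
    ],
})


def _is_anonymous_principal(principal):
    """True when the principal matches everyone: "*", {"AWS": "*"} or a list containing "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def find_public_statements(policy_json):
    """Return the Sids of Allow statements granting access to an anonymous principal.

    Unconditioned statements go under "public" (fix immediately); statements with
    a Condition block go under "conditioned" (review the condition by hand).
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be written without a list
        statements = [statements]
    public, conditioned = [], []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            conditioned.append(sid)
        else:
            public.append(sid)
    return {"public": public, "conditioned": conditioned}


if __name__ == "__main__":
    for name, doc in (("PUBLIC_POLICY", PUBLIC_POLICY), ("RESTRICTED_POLICY", RESTRICTED_POLICY)):
        print(name, find_public_statements(doc))
```

Run it against the JSON returned by your bucket-policy export and treat every entry under `public` as a finding to close the same day; entries under `conditioned` need a human to confirm the condition really limits access to the intended network or account.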
Data encryption protects your information even if access controls fail. Encrypt sensitive data at rest using the encryption services provided by your cloud platform, and ensure all data in transit is protected by TLS 1.2 or higher. For regulated data — personal data subject to GDPR, payment data subject to PCI DSS — encryption is not optional. The Data Protection Commission expects it as a baseline technical measure.[^3]
Network security controls — cloud-native firewalls, virtual private clouds, and network segmentation — limit the blast radius if an attacker does gain access to part of your cloud environment. Isolate critical applications and databases from general-purpose services. Implement intrusion detection where your cloud platform offers it.
Regular backup and disaster recovery testing applies equally in cloud environments. Your cloud provider maintains high availability for its infrastructure — not for your data, and not in the configuration you have created. Back up your cloud-hosted data to a separate, isolated location. Test recovery regularly. The same principles that apply to on-premises backup — isolation, testing, documentation — apply in the cloud.
Security awareness training is as important for cloud-specific threats as for any other. Cloud credential phishing — emails that convincingly mimic Microsoft, Google, or your business application provider — is the most common attack vector against cloud-hosted Irish SME data. Your staff need to know how to recognise these attempts, what to do if they encounter one, and how to report suspicious activity. An Garda Síochána's National Cyber Crime Bureau investigates an increasing number of incidents that began with a single staff member entering credentials on a convincing fake login page.[^2]
Vendor due diligence for SaaS tools matters because you are trusting third-party providers with your data. Before adopting any new cloud service that will process client or staff data, review the provider's security certifications, understand their data processing terms, and ensure your contract includes appropriate data protection clauses. ISO 27001 certification and SOC 2 compliance reports are meaningful indicators of a provider's security maturity.
Cloud Security Posture Management tools continuously monitor your cloud environment for misconfiguration, compliance violations, and unusual activity. Many cloud providers offer native CSPM capabilities at no additional cost. For businesses managing multiple cloud services, a centralised CSPM tool provides visibility that manual review cannot match.
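The "unusual activity" a posture tool should catch includes the pattern in the opening story: one account exporting records far faster than normal. As an added example (not the article's own material and not a vendor's CSPM logic), the check below runs a sliding-window count of export and download operations per user over an audit log and raises an alert when any user exceeds a threshold within the window. The log records are constructed JSON lines in a generic shape (`time`, `user`, `operation`, `object`); real audit exports from Microsoft 365, Google Workspace or a CRM use their own field and operation names, so map them before use. The threshold and window are assumed values to tune to the business.

```python
"""Sliding-window detection of bulk export/download activity in a cloud audit log.

Added example, not a provider's alerting rule. The log below is constructed,
one JSON record per line; field and operation names are assumed, not any
vendor's schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed detection parameters: alert when one user performs THRESHOLD or more
# export-type operations inside any WINDOW-long period.
EXPORT_OPERATIONS = {"FileDownloaded", "ReportExported", "RecordsExported"}
THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed sample log: alice downloads a few files over the morning (normal);
# j.doe exports six client batches inside five minutes (the bulk-export pattern).
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"time": "2024-03-05T09:00:00", "user": "alice@example.ie", "operation": "FileDownloaded", "object": "Proposal.docx"},
    {"time": "2024-03-05T09:20:00", "user": "alice@example.ie", "operation": "FileDownloaded", "object": "Budget.xlsx"},
    {"time": "2024-03-05T10:15:00", "user": "alice@example.ie", "operation": "FileViewed", "object": "Notes.txt"},
    {"time": "2024-03-05T10:40:00", "user": "alice@example.ie", "operation": "FileDownloaded", "object": "Contract.pdf"},
    {"time": "2024-03-05T13:00:10", "user": "j.doe@example.ie", "operation": "RecordsExported", "object": "clients-batch-1.csv"},
    {"time": "2024-03-05T13:01:05", "user": "j.doe@example.ie", "operation": "RecordsExported", "object": "clients-batch-2.csv"},
    {"time": "2024-03-05T13:01:40", "user": "j.doe@example.ie", "operation": "RecordsExported", "object": "clients-batch-3.csv"},
    {"time": "2024-03-05T13:02:30", "user": "j.doe@example.ie", "operation": "RecordsExported", "object": "clients-batch-4.csv"},
    {"time": "2024-03-05T13:03:15", "user": "j.doe@example.ie", "operation": "RecordsExported", "object": "clients-batch-5.csv"},
    {"time": "2024-03-05T13:04:50", "user": "j.doe@example.ie", "operation": "RecordsExported", "object": "clients-batch-6.csv"},
])


def parse_log(text):
    """Parse JSON-lines audit records into (timestamp, user, operation, object) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append((datetime.fromisoformat(rec["time"]), rec["user"], rec["operation"], rec["object"]))
    return events


def detect_bulk_export(text, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per user whose densest run of export operations reaches the threshold."""
    per_user = defaultdict(list)
    for when, user, operation, _obj in parse_log(text):
        if operation in EXPORT_OPERATIONS:
            per_user[user].append(when)

    alerts = []
    for user, times in per_user.items():
        times.sort()
        best_count, best_start, j = 0, None, 0
        for i, start in enumerate(times):
            # Advance the right edge while events still fall inside the window.
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i > best_count:
                best_count, best_start = j - i, start
        if best_count >= threshold:
            alerts.append({"user": user, "window_start": best_start.isoformat(), "events": best_count})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_export(SAMPLE_LOG):
        print(f"ALERT {alert['user']}: {alert['events']} export operations from {alert['window_start']}")
```

The intrusion in the opening story ran for several days; a rule like this, fed from the tenant's audit log and paired with a notification to whoever owns the CRM, is the "alert for bulk data export" that was missing there. Start with a generous threshold, measure how often normal users trip it, and tighten from there.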
WHY IT MATTERS: Regulation Follows Your Data Into the Cloud
GDPR obligations apply to your data regardless of where it is stored. Moving client or staff data to a cloud service does not transfer your compliance obligations to the cloud provider — it extends them. You remain the data controller, responsible for ensuring the data is processed lawfully, securely, and with appropriate retention limits. The Data Protection Commission expects organisations to understand this and to have conducted due diligence on the providers to whom they delegate data processing.[^3]
NIS2, where it applies, adds obligations around the security of network and information systems that include cloud-hosted infrastructure. NCSC Ireland's guidance for organisations is explicit that cloud services form part of the infrastructure that must be secured under NIS2.[^1]
The cloud does not make data security easier. It makes the security decisions more complex, with higher stakes and higher consequences if those decisions are made poorly.
WHAT NEXT: Three Actions to Take This Month
Enable MFA on every cloud account your business uses, starting with email and any application that processes client data. This single control prevents the majority of credential-based cloud breaches. For Microsoft 365 and Google Workspace, it takes less than an hour to configure for an entire organisation.
Review your cloud storage and sharing settings. Check whether any cloud storage buckets, SharePoint sites, or Google Drive folders are set to "anyone with the link" or publicly accessible. If they are, restrict them immediately to authenticated users only.
Ask your IT provider or conduct a self-assessment: for each cloud service your business uses, who has administrative access, when was that access last reviewed, and is MFA enforced at the admin level? The answers to those three questions tell you whether your cloud environment is being actively managed or simply operating on its initial default configuration.
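The identity control above (MFA on every account, least privilege, a quarterly access review) and the three self-assessment questions here come down to the same review. As an added example that is neither the article's own material nor any provider's report, the script below takes a per-service inventory of accounts and answers the questions directly: which accounts hold administrative roles, which of them lack MFA, and whose access has not been reviewed within the 90-day quarterly interval the article recommends. The inventory rows, role names, user names and dates are constructed; the row shape is an assumption, so build it from whatever your tenant and CRM admin consoles export.

```python
"""Admin access review across cloud services: MFA and review-age findings.

Added example, not a vendor's access-review report. The inventory is a
constructed sample; its row shape (service, user, role, mfa, last_review)
is an assumption to populate from your own admin-console exports.
"""
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)   # quarterly review, as the article recommends
# Role names treated as administrative (assumed list; extend per service).
ADMIN_ROLES = {"Global Administrator", "Super Admin", "AdministratorAccess"}

# Constructed inventory: one row per account per service. last_review is an
# ISO date string, or None when the access has never been reviewed.
INVENTORY = [
    {"service": "Microsoft 365", "user": "partner@example.ie", "role": "Global Administrator", "mfa": True,  "last_review": "2024-01-15"},
    {"service": "Microsoft 365", "user": "oldit@example.ie",   "role": "Global Administrator", "mfa": False, "last_review": "2022-06-01"},
    {"service": "Microsoft 365", "user": "alice@example.ie",   "role": "User",                 "mfa": False, "last_review": "2024-01-15"},
    {"service": "CRM",           "user": "admin",              "role": "Super Admin",          "mfa": False, "last_review": None},
    {"service": "AWS",           "user": "deploy",             "role": "AdministratorAccess",  "mfa": True,  "last_review": "2024-02-20"},
]


def admins_by_service(inventory):
    """Question one: who has administrative access, per service."""
    admins = {}
    for row in inventory:
        if row["role"] in ADMIN_ROLES:
            admins.setdefault(row["service"], []).append(row["user"])
    return admins


def review_access(inventory, today, review_interval=REVIEW_INTERVAL):
    """Questions two and three: review age and MFA enforcement for every account.

    Every account without MFA is a finding (the article requires MFA everywhere);
    findings on administrative accounts are rated high, others medium.
    """
    findings = []
    for row in inventory:
        is_admin = row["role"] in ADMIN_ROLES
        base = {"service": row["service"], "user": row["user"], "severity": "high" if is_admin else "medium"}
        if not row["mfa"]:
            findings.append({**base, "issue": "MFA not enforced"})
        if row["last_review"] is None:
            findings.append({**base, "issue": "access never reviewed"})
        elif today - date.fromisoformat(row["last_review"]) > review_interval:
            findings.append({**base, "issue": "access review overdue"})
    return findings


if __name__ == "__main__":
    print("Administrators:", admins_by_service(INVENTORY))
    for f in sorted(review_access(INVENTORY, date.today()), key=lambda f: f["severity"]):
        print(f"[{f['severity']}] {f['service']} / {f['user']}: {f['issue']}")
```

A tenant that is being actively managed produces an empty findings list from this review; a tenant running on its initial defaults typically shows exactly the pattern in the sample, an old administrative account with no MFA that nobody has looked at since the migration.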
Related Reading
- Building a NIS2 Compliance Roadmap: A 12-Month Plan for Irish SMEs
- Backup Basics: How Irish SMEs Can Survive a Ransomware Attack
- 12 Steps to Cyber Security: The Complete Guide for Irish Businesses
[^1]: NCSC Ireland. Advice for Organisations. https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána. Cyber Crime. https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission. Guidance for Organisations. https://www.dataprotection.ie
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.