If your business runs on Microsoft 365, Google Workspace, or any major cloud platform, you might assume the vendor is handling your security. After all, these are billion-dollar companies with entire teams dedicated to protecting their infrastructure.

What could go wrong?

Quite a lot, it turns out.

The "cloud is secure" assumption is one of the most common and costly misconceptions business leaders carry into 2026. And it is not just a technology problem. It is a business risk problem. The distinction matters because the consequences of getting this wrong extend well beyond an IT headache: they include brand damage, regulatory fines, lost customers, and in many cases, the end of the business itself.

In the season 4 premiere of the One Step Beyond Cyber podcast, host Scott Kreisberg, Founder and CEO of One Step Secure IT, sat down with Greg Scasny, CTO of Blueshift Cybersecurity, and Tim Derrickson, CISSP, Director of IT and Security Services at One Step Secure IT, to break down exactly where this assumption fails and what leaders should be doing instead.

Here is what every business owner needs to hear.

 

What "Cloud Security" Actually Means and What It Does Not

When you sign up for Microsoft 365, Amazon Web Services, or Google Workspace, the provider protects its own infrastructure: the servers, the network, the data centers. That part is genuinely secure and reliable. The providers themselves call this the shared responsibility model, and the word "shared" is doing real work.

Here is what they do not protect by default: your configuration, your user accounts and their credentials, your access settings, your data (including whether it is actually backed up in a way you can restore), and your people.

Default settings in cloud environments are often insecure out of the box, because secure defaults add friction: extra prompts, extra approvals, a few more things that break until someone configures them properly.

“People don't want that headache from an IT perspective,” Greg said.

They let it go and end up back in the same situation they were in when we used plain-text authentication on networks.

Greg explained it as similar to renting a commercial space for your business. The landlord maintains the building, the locks on the front door, and the fire suppression system. But it is your responsibility to decide who gets a key, who has access to the back office, and whether you leave the safe open overnight. Moving to the cloud does not change those responsibilities. It just moves them to a different environment.

Tim Derrickson reinforced the point:

"When we go in to get an environment in the cloud, it's now our environment. It's not the provider's environment, it's ours. So, it goes back to changing those default passwords if it's being backed up. Some of them guarantee that for 30 days they'll keep your data, but they don't say it. They just say that we back up your data. And then you find out something's missing. There you go. You no longer have the data that you thought you had."

 

The "I'm Fully Covered" Trap: A Real-World Example of an Identity-Based Attack

During the conversation, Greg shared a story from his penetration testing days that illustrates exactly how fast this can go wrong.

A banking client told him before the engagement, "All our important stuff is in Salesforce. They take care of all that. What do I have to worry about?"

Greg's team tested exactly that. In less than an hour, they accessed the company's entire Salesforce database, not by hacking Salesforce itself, but by compromising the CFO's account, leveraging the trust relationship between the CFO and the CEO, and then assuming the CEO's identity to log in and pull the data.

"Once you assume the identity of a legitimate user, the world is your oyster. You can sit and pull things off, and as long as you do it in a normal fashion, it's difficult to detect. I'm not hacking the system. I'm just acting like the CEO."

This is an identity-based attack. Whether it is done by phishing a password, stealing a session token, or talking a help desk into a reset, the result is the same: the attacker holds a legitimate identity, and no sophisticated tooling is needed. It requires compromising one person. That compromise usually starts with a phishing email, a deceptive phone call, or password reuse, all very human problems that exist regardless of which cloud platform you use.

 

The Real Cost of a Cloud Security Incident

Here is a number worth pausing on: IBM’s Cost of a Data Breach Report 2024 found the global average cost of a data breach was $4.88 million. In IBM’s 2025 report, the global average eased to $4.44 million, but the average cost in the United States rose to a record $10.22 million.

For most small and mid-sized businesses, that is not a setback. That is a shutdown.

And the dollar amount is only part of the picture. Tim walked through what the full scope of a cyber attack looks like:

  • Operational disruption: Your systems may go down for days or weeks while you investigate and recover.

  • Brand damage: If the breach becomes public (and reporting requirements are expanding), customers and prospects notice.

  • Regulatory exposure: Depending on your industry, violations of PCI DSS, FTC regulations, HIPAA, or other frameworks can result in significant fines on top of breach remediation costs.

  • Customer loss: Who wants to do business with a company they cannot trust to protect their data?

  • Supply chain liability: If your business is a vendor or supplier to others, a breach in your environment can cascade downstream, creating legal exposure for what happens to them.

And there is a human dimension that does not show up in the financial reports. When companies get breached, the fear of blame often slows the response, which is exactly the wrong reaction.

Greg emphasized that speed, transparency, and accountability are critical when a breach occurs. The faster an organization can detect and respond to an incident, the lower the remediation costs.

Catching an intrusion in its early stages, while the attacker is still establishing access, can stop data exfiltration before it starts. The financial impact drops sharply when problems are identified and contained quickly rather than discovered weeks or months later, which is why detection and response time matter as much as prevention.

 

Why the Compliance Checkbox Is Not the Same as Being Secure

Many business leaders approach cybersecurity as a compliance exercise: get SOC 2 certified, meet CMMC requirements, pass the audit, move on. Greg acknowledged this is understandable, but warned it creates a dangerous blind spot.

"Business leaders understand the expense. They don't really understand the risk... It just means that you checked a box that says that you did something."

He offered a useful alternative to the typical thinking:

If you focus on being genuinely secure, compliance becomes much easier.

But if you only focus on compliance, you may pass every audit and still get breached.

The goal is not the certificate. The goal is a business environment that is actually hardened against the ways attackers operate today.

 

Where Modern Attacks Are Focused: Identity, Not Infrastructure

For years, endpoint security, meaning protecting laptops, desktops, and devices, was the primary focus of most business security programs. Firewalls, antivirus, and device management are still important controls, but attackers have shifted.

Endpoints have become the most monitored piece of infrastructure in modern IT, so adversaries have moved to identity-based attacks. By hijacking someone's tokens or session, attackers can impersonate legitimate users and extract data without raising suspicion. One caveat a practitioner should understand: a stolen session token was issued after the user already completed MFA, so it keeps working without another MFA prompt until it expires or is revoked. MFA is necessary, but it does not by itself stop session hijacking. The attacker's advantage is that when they operate as a legitimate user performing normal actions, detection becomes extremely difficult.

This is why identity management, encompassing who has access to what, how they authenticate, and the privileges they hold, has become one of the most critical areas of cloud security. It is also one of the most commonly overlooked.

Tim illustrated the problem by suggesting that with poor default settings and inadequate authentication controls, a company might as well use an embarrassingly simple password, like "thank you123," and hand it directly to an attacker. That's how exposed default cloud configurations are.

Practical identity hygiene for cloud platforms includes:

  • Requiring multi-factor authentication (MFA) for all users, and preferring phishing-resistant methods (FIDO2 security keys or passkeys) for administrators, since SMS and push-based MFA can be phished or fatigued

  • Auditing who has access to what, especially administrative roles, and removing access that is no longer needed

  • Reviewing authentication methods and disabling legacy protocols (for example IMAP, POP, SMTP AUTH, and other basic-authentication clients) that cannot enforce MFA and therefore leave a password-only path into the tenant

  • Limiting session lifetime and revoking active sessions when an account is suspected of compromise, because a stolen token remains valid until it expires or is revoked

  • Monitoring for unusual sign-in patterns, such as logins from unexpected locations or times, or the same session appearing from two different places
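The token and session hijacking described above, and the hygiene checks in the list, can be turned into simple detection rules over sign-in logs. The following is an added example written for this article, not code from the podcast guests or their companies. The sign-in records are constructed; their field names loosely follow Microsoft Entra's sign-in log (the legacy-protocol values match what Entra reports in clientAppUsed), but nothing here parses a real export, and the business-hours window is an assumption to tune per tenant.

```python
"""Identity-attack indicators in cloud sign-in logs (added example).

Illustrative code written for this article, not a tool from the podcast
guests or their companies. The records below are constructed; field names
loosely follow Microsoft Entra's sign-in log but this is not a parser for it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Legacy/basic-auth client types as Entra reports them in clientAppUsed.
# These protocols cannot complete an MFA challenge, so leaving them enabled
# leaves a password-only path into the tenant.
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                  "Exchange ActiveSync", "Other clients"}

# Assumed business hours in UTC (an assumption; tune per tenant).
BUSINESS_HOURS = range(6, 20)

# Constructed sample records. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation address ranges, not real infrastructure.
SIGN_INS = [
    {"user": "alice@corp.example", "time": "2026-01-12T08:05:00Z",
     "ip": "203.0.113.10", "country": "US", "client": "Browser",
     "session": "sess-a1", "ua": "Edge/131", "mfa": True, "admin": False},
    # Same session 35 minutes later from another country with a scripting
    # user agent: the shape of a replayed stolen session (MFA already done).
    {"user": "alice@corp.example", "time": "2026-01-12T08:40:00Z",
     "ip": "198.51.100.7", "country": "NL", "client": "Browser",
     "session": "sess-a1", "ua": "python-requests/2.31", "mfa": True, "admin": False},
    {"user": "bob@corp.example", "time": "2026-01-12T09:00:00Z",
     "ip": "203.0.113.22", "country": "US", "client": "IMAP4",
     "session": "sess-b1", "ua": "Thunderbird/115", "mfa": False, "admin": False},
    {"user": "carol@corp.example", "time": "2026-01-12T09:15:00Z",
     "ip": "203.0.113.30", "country": "US", "client": "Browser",
     "session": "sess-c1", "ua": "Chrome/131", "mfa": False, "admin": True},
    {"user": "dave@corp.example", "time": "2026-01-12T02:10:00Z",
     "ip": "203.0.113.41", "country": "US", "client": "Browser",
     "session": "sess-d1", "ua": "Chrome/131", "mfa": True, "admin": False},
]


def parse_time(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_legacy_auth(events):
    """Sign-ins over protocols that bypass MFA entirely."""
    return [(e["user"], e["client"]) for e in events if e["client"] in LEGACY_CLIENTS]


def find_admin_without_mfa(events):
    """Privileged accounts that signed in with a password alone."""
    return [e["user"] for e in events if e["admin"] and not e["mfa"]]


def find_impossible_travel(events, window=timedelta(hours=1)):
    """Same user seen in two countries within `window` of each other."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        for prev, cur in zip(evs, evs[1:]):
            gap = parse_time(cur["time"]) - parse_time(prev["time"])
            if prev["country"] != cur["country"] and gap <= window:
                hits.append((user, prev["country"], cur["country"],
                             int(gap.total_seconds() // 60)))
    return hits


def find_session_replay(events):
    """One session identifier presented from more than one (ip, user agent).

    A stolen token is replayed by the attacker's client, not the victim's, so
    the session keeps working while its origin silently changes."""
    origins = defaultdict(set)
    for e in events:
        origins[(e["user"], e["session"])].add((e["ip"], e["ua"]))
    return [(user, session, len(o))
            for (user, session), o in origins.items() if len(o) > 1]


def find_off_hours(events, hours=BUSINESS_HOURS):
    """Interactive (browser) sign-ins outside the assumed business window."""
    return [(e["user"], e["time"]) for e in events
            if e["client"] == "Browser" and parse_time(e["time"]).hour not in hours]


def triage(events):
    """Run every rule and return the findings keyed by rule name."""
    return {
        "legacy_auth": find_legacy_auth(events),
        "admin_without_mfa": find_admin_without_mfa(events),
        "impossible_travel": find_impossible_travel(events),
        "session_replay": find_session_replay(events),
        "off_hours": find_off_hours(events),
    }


if __name__ == "__main__":
    for rule, hits in triage(SIGN_INS).items():
        for hit in hits:
            print(f"{rule}: {hit}")
```

On the sample data the session-replay rule fires on alice's session even though both sign-ins passed MFA, which is the point: once the token is stolen, MFA has already been satisfied and only the change of origin gives the attacker away. The thresholds (one-hour travel window, business hours) are starting points to calibrate against your own baseline before alerting on them.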

 

The Traditional Security Operations Model Is Changing

Historically, mid-to-large organizations have relied on a Security Operations Center (SOC), a team of analysts monitoring logs and alerts around the clock. It works. It is also expensive.

For most small and mid-sized businesses, that is not a realistic option. And the model has an inherent weakness: humans make mistakes. Humans miss things. Humans get tired.

Artificial intelligence is playing an increasingly meaningful supporting role in security operations, not as a replacement for human judgment but as a force multiplier.

Greg's company, Blueshift, developed IntelliThreat™ to handle the high-volume, repetitive work of alert triage and log correlation. AI excels at building context from disparate data points and connecting the dots, freeing human analysts to focus on the investigations that require deeper expertise.

Tim offered an analogy that cuts through the AI hype:

"If I'm not a doctor and AI tells me how to do surgery, you don't want me doing your surgery because I'm not a doctor. But if I were a doctor, it accentuates what I already know and helps me do what I need to do. So in security, it reduces noise, it accelerates our decision making, and it helps in multiplying what we can do as opposed to taking over for us."

The practical takeaway for business leaders: AI-augmented security monitoring is making enterprise-grade protection more accessible and affordable for smaller organizations. This is worth asking your IT provider about.

 

The Shadow AI Problem: A New and Growing Risk

One topic the group flagged as an immediate concern heading into 2026 is what Scott called "shadow AI," meaning employees using free, consumer-grade AI tools for work tasks without company approval or oversight.

Think about it this way: if an employee opens a free AI tool and pastes in a customer list, a financial summary, or internal strategy documents to get help drafting a message, that data may be stored, logged, and potentially used to train the AI model. It has now left your environment with no contract, no data protection agreement, and no way to get it back.

"People have let someone call and get access to your computer, but you'll put an AI agent on it that has access to all the data on your computer. That's the scary part of shadow AI, the expanded access of what those tools can get to."

Scott’s advice for evaluating AI tools and security providers:

Ask: Where are my security logs and data going when they interact with an AI model?

Ask: Are prompts stored? Are they used to train external models?

Ask: Is the AI system privately hosted, or does it send data to a public large language model (LLM) service?

Scott shared that One Step Secure IT has partnered with a provider for privately hosted AI models that are isolated from broader public systems, ensuring client data never touches an external AI platform.

 

A Practical Roadmap for Business Leaders: Where to Start

For business owners who are now wondering what to actually do, Greg's advice was direct and accessible:

1. Don't try to boil the ocean.
You do not have to go from minimal cybersecurity to enterprise-grade overnight. It is a building process. As Scott put it, you walk a block before you run a mile.


2. Pick a control framework.
A control framework is a standardized checklist of security practices created by independent authorities. It gives you a roadmap rather than requiring you to guess.

Two strong starting points:

NIST Cybersecurity Framework 2.0: Free, public, and designed to be accessible for organizations of all sizes. Updated in February 2024 with a new emphasis on governance and organizational risk management. You can download it directly from nist.gov.

NIST SP 800-171 / CMMC: If you do any work with the federal government or the defense supply chain, you will likely need to align to these frameworks.


3. Do a gap analysis.
Once you have a framework, compare your current environment against it. Identify what you have in place and what is missing. Prioritize the highest-risk gaps.

You can work with a trusted partner to help implement those things. "You can do a gap analysis to say ‘hey, listen, we don't have these things, these are the low-hanging fruit we can do right now, these are the high-level things we must get done,’ and you can iterate over that over the period of a year to get yourself on a trajectory to becoming more secure and more aware in your environment," Greg explained.


4. Think in outcomes, not tools.
It is easy to get overwhelmed by the number of security products on the market. Start with the outcome you are trying to achieve.

"Do you know your riskiest identities? How do you detect misuse?" Greg asked. "Figure out what those outcomes are, and the right tools will follow."


5. Work with a trusted partner.
Cybersecurity is a specialized discipline. A qualified IT security partner can help you assess your current state, prioritize investments, implement controls, and monitor your environment so you can focus on running your business.


6. Treat security as a continuous journey, not a one-time project.
As Scott summed it up: "I view cybersecurity as well as compliance as a journey. It’s not a destination. Even after you hit CMMC compliance, you're not done. Continuous improvement matters, just like your sales process and back-end operations."

 

Key Takeaways

Cloud platforms secure their own infrastructure, not your configuration, your users, or your data access settings.

Default cloud settings are often insecure and need to be actively reviewed and hardened.

Identity-based attacks (session hijacking, account compromise) are now a primary attack vector, not just endpoint attacks.

Compliance checkboxes do not equal security. If you build security first, compliance follows.

AI is becoming an effective tool for making enterprise-grade monitoring more accessible and affordable, but shadow AI use by employees is a serious and immediate risk.

 

Take the Next Step

You do not have to figure this out alone. A straightforward security assessment can show you exactly where your environment stands and what actions will have the most impact.

Schedule a no-pressure conversation with the team at One Step Secure IT to talk through your current setup and where to start.

This article was adapted from the One Step Beyond Cyber podcast, Season 4, Episode 1, featuring Scott Kreisberg (Founder and CEO, One Step Secure IT), Greg Scasny (CTO, Blueshift Cybersecurity), and Tim Derrickson, CISSP (Director of IT and Security Services, One Step Secure IT).