Small businesses increasingly rely on cloud services for flexibility and cost savings, but the shift also comes with significant security challenges.
Many small businesses lack dedicated cybersecurity resources, leaving them vulnerable to threats such as ransomware, data breaches and supply-chain attacks. Misconfigured cloud settings, such as exposed storage or overly permissive access controls, are a major risk and can lead to sensitive data leaks or financial losses if malicious actors exploit them.
And, through a shared-responsibility model of cloud security, small business leaders must also navigate responsibilities to secure their data, identities and configurations, even when infrastructure is managed by a cloud provider.
Crystal Lister, security adviser for the Office of the CISO at Google Cloud, answers questions about these ongoing cloud security challenges for smaller organizations and how they can improve their strategies as they continue to rely on the cloud to keep their businesses running.
Click the banner below to learn more about optimizing your hybrid cloud environment.
Manage Who Has Access to Your Environment
Misconfigurations remain one of the biggest cloud security risks for small businesses. So, when it comes to common mistakes they can make when setting up their cloud environments, Lister says that permissive firewall rules (for example, 0.0.0.0/0 ingress) and overly broad identity and access management permissions top the list.
“To help, apply the least privilege principle. For example, in Google Cloud, IAM Recommender analyzes user permissions and makes suggestions for removing unused permissions, which can help, in case an attacker successfully phishes a user, by limiting the damage potential to only what the user needed to do their job,” Lister notes.
DISCOVER: Modernize your virtualization and hypervisor strategy.
Small business IT teams must also parse a shared responsibility model that can often be confusing. Some organizations believe that just because a cloud provider’s infrastructure is secure, the applications that run on top of it are automatically protected, Lister says, but that’s not the whole picture.
Google Cloud's latest Cloud Threat Horizons Report found that “threat actors are increasingly focusing on software-based entry over stolen credentials as a primary initial access vector into cloud environments,” Lister notes. In the latter half of 2025, 44.5% of observed initial access vectors exploited were through third-party software-based entry, while weak or absent credential entry accounted for 27.2% (a sharp drop compared with the beginning of the year.)
“To help block threat actors trying to exploit software vulnerabilities on any cloud platform, we recommend businesses pivot from manual security triaging to automated defenses, such as implementing identity-centric proxies, which can block threat actors at the proxy because they cannot provide a valid, authorized identity,” Lister adds.
The Rise of Cyberthreats Against Small Businesses
So, how can small business leaders prioritize their cloud security investments when they have limited budgets and staffing constraints amid threats such as phishing and ransomware?
GET THE DETAILS: How to deliver cyber resilience with expert partners.
With identity compromise making up the majority of recently analyzed cloud breaches, Lister recommends prioritizing phishing-resistant multifactor authentication. Replace static credentials with tamper-resistant logging to help ensure forensic readiness, she adds.
Because hybrid and multicloud environments can foster fragmented identity perimeters, Lister says organizations should adopt context-aware access controls that mandate device health verification before granting access to sensitive data. They should also work toward unified visibility and standardized forensics via the OSDFIR infrastructure framework, which is “essential for maintaining a consistent security posture and incident response capability across all platforms,” Lister says.
