Cloud Services: 10 tips for Small Businesses

The use of Cloud services in businesses is growing every day - file storage, e-mail, account management or customer engagement. With organisations employing external companies to set up and run these applications it is vital to ensure these run with security in mind.

This article has been written by EMSOU and seeks to promote good cyber security among businesses and the public. If you require any further assistance or guidance please contact the EMSOU Protect Team or your local Force Protect Team.


The tips below will help make sure these services are as secure as they can be.

Securing users’ accounts

With Cloud Services designed to allow access from anywhere, this causes potential security implications. The below tips will drastically reduce the risk of having unwanted access to the service. Information about protecting your data with passwords from the NCSC here.

Tip 1: Use Multi-Factor Authentication

Multifactor authentication (MFA) adds a layer of protection to the sign-in process. When accessing accounts or apps, users are asked to provide additional verification. This may include biometric scan or additional code received by other device. More than one can be applied on more sensitive applications. NCSC guidance on the use of MFA, gives more information on the different options.

Older application may rely on older less secure methods and these applications can be made more secure by using an ‘App Password’. This will allow the addition of MFA when connecting remotely.

Tip 2: Avoid using guessable passwords

NCSC recommend using three random words, making a naturally lengthy password. This can be hardened further using UPPER and lower case, symbols/special characters and numbers.

Tip 3: Use unique passwords for each accounts

To reduce the impact of a compromised password, use a different password for each account to avoid attackers from having access to all linked accounts or applications using that same password.

Further detailed advice on passwords for organisations can be found on the NCSC website here.

Protecting you most sensitive accounts

Accounts for different services have different levels of security. Administrator accounts have wide access and should be the most securely protected by employing the highest standard of security.

Tip 4: Limit the use of administrative accounts

The impact of a compromised admin account could be the same as breaching all accounts allowing access to all users. Admin accounts should only be used for administrative tasks, once complete, they should be logged off. Remove assigned accounts when employees leave.

Tip 5: Keeping recovery information to administrative accounts up to date

Recovering a lost password for an administrator account is usually done through the Cloud Service provider. By ensuring all recovery information is completed and updated regularly this will reduce potential security vulnerabilities.

Tip 6: Protect the account used to manage your custom domain name

When using custom domain names for email and website follow Tips 1-4 above to protect the admin account and limit access.

Defending your online accounts from malware

Certain malware can be used to steal passwords to online services. This risk can be reduced by only using trusted devices to access your businesses Cloud Services.

Tip 7: Keep your devices healthy

Ensure that all devices used to connect to the Cloud Service are updated.

For all IT devices any new updates/patches should be installed as soon as possible. This will improve security and limit the possibility of zero day attacks. Most updates can be automatically done by simply enabling this setting.

Anti-virus should be used on all devices and consider the level of protection required and meets your security requirements. More information on protecting from malware can be found here.

Tip 8: Using a VPN (Virtual Private Network) for remote connections

If your business requires remote access to any data within your business infrastructure, then using a VPN is essential. A VPN can be used to encrypt traffic and secure end to end communication.

Use the security features built into the service

Cloud Service providers have security features implemented to help avoid cyber-attacks. These features are not automatically enabled and it is crucial to check these settings with your provider.

Tip 9: Prefer the apps provided by the cloud provider

Using third-party applications may require adjustments to any security configurations. Check legacy modes are disabled for protocols such as POP3 and IMAP. Using applications developed by the Cloud Service provider, designed with security in mind is recommended.

Tip 10: Back up data that is critical to your business

Cloud Service providers backups allow for a level of recovery after attacks. Some will even store deleted files for a period. Using these backups can reduce the impact of a ransomware attack. These recovery systems should not be relied upon as they may not always be available. To help mitigate this, use an internal backup system for crucial data which can be stored off line.

Further Information

Office 365: Top 10 ways to secure Office 365 and Microsoft 365 Business plans

G Suite: Security checklist for small businesses (1-100 users)



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).

The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.