Cloud Security Basics for Canadian Small Businesses

Most Canadian small businesses are already in the cloud — whether they think of it that way or not. If your team uses Microsoft 365, Google Workspace, Dropbox, QuickBooks Online, Salesforce, or any web-based application, your business data lives on servers managed by someone else.

The cloud offers real benefits for small businesses: lower upfront costs, automatic updates, accessibility from anywhere, and infrastructure maintained by teams far larger than any SMB could afford. But it also introduces a risk that many business owners misunderstand: the shared responsibility model.

Your cloud provider is responsible for securing the infrastructure — the physical data centres, the servers, the network. But you are responsible for securing your data, your accounts, and your configuration. If an attacker accesses your Microsoft 365 tenant because an employee's account wasn't protected by MFA, that's not Microsoft's breach. It's yours.

The Shared Responsibility Model

Every major cloud provider operates under a shared responsibility model. The specifics vary, but the division is consistent:

The cloud provider handles:

  • Physical security of data centres
  • Infrastructure availability and uptime
  • Patching of the underlying platform
  • Network-level protections

You handle:

  • User account security (passwords, MFA, access controls)
  • Data classification and protection
  • Configuration of security settings
  • Who has access to what
  • Compliance with applicable laws (including PIPEDA)

This means that a misconfigured cloud environment is your responsibility, even if the platform itself is secure. And misconfigurations are common — research from cloud security firms consistently finds that the majority of cloud security incidents stem from customer-side configuration errors, not provider-side vulnerabilities.

Microsoft 365 Security Essentials

Microsoft 365 is the most widely used business cloud platform in Canada. If your organization uses it, these settings should be reviewed and configured:

Enable Security Defaults (or Conditional Access)

Microsoft 365 offers Security Defaults — a free, one-click setting that enables a set of baseline security policies for all users, including:

  • Requiring MFA for all users
  • Blocking legacy authentication protocols (which can't support MFA)
  • Requiring MFA for administrative actions

Security Defaults are available on all Microsoft 365 plans at no additional cost. For organizations on higher-tier plans (Business Premium or Enterprise), Conditional Access policies offer more granular control.

Action: In the Azure Active Directory admin centre, navigate to Properties > Security Defaults and enable them. This single action addresses the most common attack vector against Microsoft 365 tenants.

Review Administrative Accounts

Administrative accounts in Microsoft 365 have broad access to your organization's data and settings. They are prime targets for attackers.

  • Minimize the number of Global Administrators. Most SMBs need two to three — a primary and a backup. Having more increases the attack surface.
  • Use dedicated admin accounts. Administrators should have a separate account for admin tasks and use their regular account for daily work. Admin accounts should not be used for email or web browsing.
  • Require MFA on all admin accounts without exception. This is non-negotiable.
  • Review admin accounts quarterly and remove any that are no longer needed.

Configure Email Security

Email is the primary attack vector for business email compromise, phishing, and malware delivery. Microsoft 365 includes several email security features that are not always enabled by default:

  • Anti-phishing policies — Configure in Microsoft Defender for Office 365 (included in Business Premium) or Exchange Online Protection (included in all plans)
  • External email tagging — Add a visual indicator to emails from outside your organization so employees can distinguish internal from external messages
  • DMARC, DKIM, and SPF — Email authentication protocols that prevent domain spoofing. Your IT provider can configure these for your domain through DNS records.
  • Audit mailbox forwarding rules — Attackers who compromise an account often set up forwarding rules to exfiltrate data. Review these regularly.
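The forwarding-rule review above can be scripted. This is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module, an account with Exchange administrator rights, and an output file name of your choosing.

```powershell
# Added example (not from the original article). Requires the ExchangeOnlineManagement
# module and an Exchange administrator account; the CSV path is an assumption.
Connect-ExchangeOnline -ShowBanner:$false

$findings  = New-Object System.Collections.Generic.List[object]
$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding (set by an admin, or by the user in Outlook settings).
foreach ($mbx in $mailboxes) {
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings.Add([PSCustomObject]@{
            Mailbox = $mbx.UserPrincipalName
            Source  = 'Mailbox forwarding'
            Target  = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)".Trim()
            Detail  = "KeepCopy=$($mbx.DeliverToMailboxAndForward)"
        })
    }
}

# 2. Inbox rules that forward, redirect or silently delete mail. -IncludeHidden also
#    returns rules created through other clients that Outlook's rule list does not show.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        ForEach-Object {
            $findings.Add([PSCustomObject]@{
                Mailbox = $mbx.UserPrincipalName
                Source  = "Inbox rule: $($_.Name)"
                Target  = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
                           Where-Object { $_ }) -join '; '
                Detail  = "Enabled=$($_.Enabled) DeleteMessage=$($_.DeleteMessage)"
            })
        }
}

# 3. Tenant-wide: is automatic forwarding to external domains permitted at all?
#    "Off" blocks it for everyone; "Automatic" leaves the decision to Microsoft's default.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode

$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path .\forwarding-audit.csv -NoTypeInformation
```

Treat every row as a question for the mailbox owner: legitimate forwarding exists, but a rule that forwards to an external address and also deletes the original is the classic sign of a compromised account.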

Manage Sharing Settings

Microsoft 365 makes it easy to share files and folders — sometimes too easy. Review these settings:

  • SharePoint and OneDrive external sharing — Determine whether users can share files with people outside your organization. If external sharing is enabled, restrict it to specific domains or require authentication.
  • Guest access in Teams — Review whether external guests can access your Teams channels and what they can see.
  • Default link permissions — When users create sharing links, ensure the default is "specific people" rather than "anyone with the link."
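The three sharing settings above are tenant-wide switches that can be inspected and set from SharePoint Online PowerShell. This is an added example, not code from the original article; it assumes the Microsoft.Online.SharePoint.PowerShell module, a SharePoint administrator account, and uses "contoso" and "partner.example" as placeholders for your tenant name and a trusted partner domain.

```powershell
# Added example (not from the original article). "contoso" and "partner.example"
# are placeholders; replace them with your tenant name and the domains you trust.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Record the current tenant-wide defaults before changing anything.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    DefaultLinkPermission, SharingDomainRestrictionMode, SharingAllowedDomainList,
    RequireAnonymousLinksExpireInDays

# Tighten the defaults described in the list above:
#  - ExternalUserSharingOnly: outsiders must sign in; no "anyone with the link" links
#  - DefaultSharingLinkType Direct: new sharing links default to "specific people"
#  - DefaultLinkPermission View: new links are read-only unless the user chooses Edit
#  - AllowList: external sharing is limited to the named partner domains
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList 'partner.example'

# List every site that still permits external sharing, so each one can be justified.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, SharingCapability
```

Teams guest access is governed separately (in the Teams admin centre), so this script covers the SharePoint and OneDrive items only.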

Google Workspace Security Essentials

For businesses using Google Workspace, the core security principles are the same:

Enforce 2-Step Verification

In the Google Admin console, enable and enforce 2-Step Verification for all users. Like Microsoft's Security Defaults, this is the single highest-impact security setting.

Review Super Admin Accounts

  • Limit the number of Super Admin accounts to two or three
  • Require hardware security keys for Super Admin accounts if possible
  • Never use Super Admin accounts for daily tasks

Configure Gmail Security

  • Enable the advanced phishing and malware protection settings in the Admin console
  • Enable external email warnings
  • Configure DMARC, DKIM, and SPF for your domain
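Both the Microsoft 365 and Google Workspace sections say to have SPF, DKIM and DMARC configured; the script below lets you verify the result without relying on your IT provider's word. It is an added example, not code from the original article; it assumes the Windows built-in Resolve-DnsName cmdlet, uses example.com as a placeholder for your domain, and defaults to the two DKIM selector names Microsoft 365 uses (Google Workspace uses the selector "google").

```powershell
# Added example (not from the original article). Uses the Windows Resolve-DnsName
# cmdlet; example.com is a placeholder. Run with -Domain yourdomain.ca -DkimSelectors google
# for a Google Workspace domain.
param(
    [string]$Domain = 'example.com',
    [string[]]$DkimSelectors = @('selector1', 'selector2')
)

function Get-TxtRecord([string]$Name) {
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { ($_.Strings -join '').Trim() }
    } catch { @() }
}

# SPF: exactly one v=spf1 record, ending in -all (fail) or ~all (softfail).
$spf = @(Get-TxtRecord $Domain | Where-Object { $_ -match '^v=spf1\b' })
if ($spf.Count -ne 1) {
    Write-Warning "SPF: $($spf.Count) record(s) found; exactly one is required"
} elseif ($spf[0] -match '\s-all$') {
    Write-Host "SPF: OK, hard fail: $($spf[0])"
} elseif ($spf[0] -match '\s~all$') {
    Write-Host "SPF: acceptable, soft fail: $($spf[0])"
} else {
    Write-Warning "SPF: no -all/~all; receivers will not reject spoofed senders: $($spf[0])"
}

# DMARC: p=quarantine or p=reject enforces; p=none only monitors. rua= is where
# aggregate reports go, which is how you learn what is sending as your domain.
$dmarc = @(Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -match '^v=DMARC1\b' })
if ($dmarc.Count -eq 0) {
    Write-Warning "DMARC: no _dmarc.$Domain record; spoofed mail faces no policy"
} else {
    $policy = if ($dmarc[0] -match '(?:^|;)\s*p=(none|quarantine|reject)') { $Matches[1] } else { 'missing' }
    if ($policy -in 'quarantine', 'reject') { Write-Host "DMARC: OK, p=$policy" }
    else { Write-Warning "DMARC: p=$policy does not enforce; move to quarantine, then reject" }
    if ($dmarc[0] -notmatch 'rua=') { Write-Warning "DMARC: no rua= address; no aggregate reports" }
}

# DKIM: each selector should resolve to a TXT record carrying a public key (p=).
foreach ($sel in $DkimSelectors) {
    $dkim = @(Get-TxtRecord "$sel._domainkey.$Domain" | Where-Object { $_ -match '\bp=' })
    if ($dkim.Count -gt 0) { Write-Host "DKIM: selector '$sel' publishes a key" }
    else { Write-Warning "DKIM: selector '$sel' has no key; signing may not be enabled" }
}
```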

Control Sharing and Third-Party Access

  • Review Drive sharing defaults — restrict external sharing to authenticated users
  • Audit third-party app access — review which third-party applications have been granted access to your organization's data through OAuth
  • Revoke access for apps that are no longer needed or weren't explicitly approved

Cloud Data Storage: Where Is Your Data?

For Canadian businesses subject to PIPEDA, the location of your data matters. Both Microsoft and Google offer data residency options for Canadian organizations:

  • Microsoft 365: For organizations with a Canadian billing address, core customer data (Exchange Online mailbox data, SharePoint Online site content, and files uploaded to OneDrive for Business) is stored at rest in Canadian data centres (Toronto and Quebec City regions).
  • Google Workspace: Google offers a data region policy that allows organizations to choose where specific data is stored at rest, including a Canada option for eligible plans.

However, some services and features within these platforms may process data outside of Canada. If data residency is a compliance requirement for your organization, review the provider's documentation carefully and consult with your privacy obligations under PIPEDA and any applicable provincial legislation.

Shadow IT and Unauthorized Cloud Services

One of the most significant cloud security risks for SMBs isn't about the platforms you've chosen — it's about the platforms your employees are using without your knowledge.

Shadow IT refers to cloud services, applications, and tools adopted by employees without organizational approval. Common examples include:

  • Personal file-sharing accounts (personal Dropbox, Google Drive) used for work files
  • AI tools like ChatGPT, Gemini, or Copilot used with business data
  • Project management tools signed up for with personal email addresses
  • Messaging apps used for work communications

Each unauthorized cloud service represents a data flow you don't control, can't audit, and may not be able to recover data from if the employee leaves. It also means business data may be stored in jurisdictions and under terms of service you haven't reviewed.

To manage shadow IT:

  • Maintain a list of approved cloud services and communicate it to all employees
  • Make the process for requesting a new tool simple — if employees need to go through a weeks-long approval process, they'll bypass it
  • Periodically ask your team what tools they're using, especially for newer categories like AI assistants
  • Consider using cloud access security tools if your organization's scale warrants it

Backup Your Cloud Data

A common misconception is that data stored in cloud platforms is automatically backed up. While cloud providers maintain their own infrastructure backups (for disaster recovery), they don't typically protect against:

  • Accidental deletion by users
  • Malicious deletion by a compromised account
  • Ransomware that encrypts synced files
  • Data loss from a terminated employee's account

Both Microsoft and Google offer retention policies and recovery tools, but they have time limits and don't cover all scenarios. For critical business data, consider a third-party cloud-to-cloud backup solution that maintains independent copies of your email, documents, and other data.

Cloud Security Checklist for Canadian SMBs

Whether you use Microsoft 365, Google Workspace, or another platform, run through this checklist:

  1. MFA enabled and enforced for all users, especially administrators
  2. Admin accounts minimized — two to three maximum, with dedicated admin accounts separate from daily-use accounts
  3. Email authentication configured — DMARC, DKIM, and SPF records in place
  4. External email tagging enabled — visual indicator on emails from outside your organization
  5. Sharing defaults reviewed — files should not be shareable to "anyone with the link" by default
  6. Third-party app access audited — revoke access for apps that aren't approved or no longer needed
  7. Mailbox forwarding rules reviewed — check for unauthorized forwarding, especially on accounts that handle financial or sensitive data
  8. Data residency confirmed — know where your data is stored and whether it meets your compliance needs
  9. Cloud backup solution in place — independent backup of critical cloud data
  10. Shadow IT addressed — approved services list communicated to all staff

The Baseline Controls Connection

Cloud security maps directly to several areas of the Canadian Centre for Cyber Security's Baseline Controls:

  • BC.5 (Authentication) — MFA and strong passwords for all cloud accounts
  • BC.7 (Data Backup) — Ensuring cloud data is independently backed up
  • BC.10 (Cloud Services) — Evaluating and configuring cloud platforms securely
  • BC.12 (Access Control) — Managing who has access to what in your cloud environment

Our free assessment evaluates your organization's cloud service security alongside the other Baseline Control areas. It takes under 10 minutes and identifies the configuration gaps that may be leaving your cloud data exposed.


Disclaimer: This article is intended for general informational purposes only and does not constitute professional cybersecurity, legal, IT, or compliance advice. While we strive to ensure accuracy, the cybersecurity landscape changes rapidly and information may become outdated. Organizations should consult with qualified cybersecurity professionals and legal counsel to assess their specific situation and develop appropriate security policies. Use of this information is at your own risk. See our Privacy Policy for more information.

Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.
