Your files, your email, your accounts, your client records: almost all of it now lives in the cloud. So when something goes wrong, whose problem is it to fix?
Most New Zealand owners assume the answer is Microsoft, Google, or their IT provider. The real answer splits the job in two, and the half you are accountable for is where nearly every avoidable cloud security breach begins. This article maps that dividing line, shows the gaps NZ businesses most often leave open on their side of it, and sets out how to close them.
Get that line clear and most cloud security decisions become straightforward. Miss it, and you can be exposed without ever realising the gap was yours to close.
What Is the Shared Responsibility Model?
The shared responsibility model is the agreement, spelled out by every major cloud provider, that splits security duties between the provider and the customer. The provider secures the underlying platform. The customer secures everything they put on it and everyone they let in.
Providers such as Microsoft, Google, and Amazon invest heavily in protecting their data centres, hardware, and core services. In their own words, they handle security of the cloud, while you are responsible for security in the cloud. That covers physical security, network infrastructure, and platform uptime on their side. What it does not cover is how you configure your tenant, which staff hold admin rights, whether accounts use multi-factor authentication, and who can reach your data.
In practical terms, the provider hands you a secure building. Locking the doors, deciding who gets keys, and choosing what goes in the safe remain your job. When a cloud breach hits an NZ small business, the cause almost always sits on the customer side of that line: a reused password, an over-shared file, a setting left on default.
Cloud Security Responsibilities: Provider vs You
The table below shows how cloud security responsibilities divide under the shared model for a typical Microsoft 365 or Google Workspace setup. The provider owns the platform layer, and your business owns everything that sits on top of it.
| Cloud security area | Your provider secures | Your business secures |
|---|---|---|
| Physical and platform | Data centres, hardware, network, service uptime | Nothing – fully provider-side |
| User accounts and access | Login infrastructure availability | Passwords, multi-factor authentication, who has access |
| Configuration and settings | Secure defaults offered | How the tenant is actually configured |
| Data and files | Storage resilience | Classification, sharing, and access to your data |
| Backup and recovery | Short-term platform recovery only | Independent, tested backups of your data |
Read down the right-hand column and you have a working definition of your cloud security job. Every row in it is an area where a lapse becomes your incident, not the provider’s, which is why customer-side cloud security deserves the same attention businesses once gave their on-site servers.
Why Does the Divide Catch NZ Businesses Out?
The divide catches businesses out because cloud platforms feel finished the moment they are switched on, so cloud security is treated as complete before anyone has checked it. Email flows, files sync, and staff get to work, so the security settings underneath rarely get a second look.
Cloud adoption across New Zealand has climbed steadily, with file storage, accounting, communication, and line-of-business software all moving off local servers. Each service added expands the surface an attacker can probe, and each one ships with defaults chosen for easy setup rather than tight security. The gap between what feels secure and what actually is secure widens with every new subscription.
Attackers know this. They follow the data, and they count on the fact that a growing business rarely has anyone reviewing tenant settings, dormant accounts, or sharing permissions. They almost never break the platform. They walk in through the small, unmanaged decisions on your side of it that nobody circled back to check.
New Zealand’s regulatory environment raises the stakes further. Under the Privacy Act 2020, a business that loses personal information through poor cloud security can face a mandatory breach notification and reputational fallout, regardless of which provider hosts the data. New Zealand’s National Cyber Security Centre makes the same point: the organisation always owns the risk of the information it holds in a cloud service, even when day-to-day security is shared. That responsibility does not transfer to the platform. It stays with the business that collected the information, which makes the customer side of the shared model a legal concern as much as a technical one.

What Does the Divide Look Like in Practice?
In practice, the divide shows up most clearly the moment something goes wrong. A worked example makes the split concrete.
Picture a Canterbury business running on Microsoft 365. A staff member reuses their work password on a personal site that is later breached, and an attacker tries it against the company tenant. Multi-factor authentication was never switched on, so the login succeeds. The attacker reads the mailbox, finds an invoice thread, and sends a convincing payment-redirection email to a client.
At no point did Microsoft’s platform fail. The data centre stayed secure, the service stayed online, and the software worked as designed. Every gap the attacker used sat on the customer side of the shared model: the reused password, the missing MFA, the mailbox rules no one was monitoring. The platform did its job perfectly well while the setup around it sat wide open, which is exactly why cloud security cannot be treated as something the provider simply hands you.
The same pattern repeats across most cloud incidents affecting NZ small businesses. The provider holds up its end, and the breach happens in the space the business was responsible for but never actively managed.
What Are the Biggest Gaps on the Customer Side?
The biggest cloud security gaps sit in four areas the provider will never manage for you: how accounts are secured, how the tenant is configured, how data is shared, and what happens when it is lost. Each is squarely your responsibility under the shared model.
Weak Account and Login Security
Stolen and reused passwords remain the simplest way into a cloud account, and account security is the first pillar of any cloud security programme. Without multi-factor authentication switched on across the business, one leaked password can open the whole tenant. Turning on MFA for every user, not just administrators, closes the single largest gap most NZ businesses leave open.
Misconfigured Tenant Settings
Default settings favour convenience. External sharing is often wide open, guest access is permissive, and legacy sign-in methods that bypass MFA are frequently left enabled. A short configuration review finds these quickly, and correcting them is usually a matter of policy changes rather than new spend.
Misconfiguration is common because no one owns it. Industry research attributes the majority of cloud breaches to misconfigured settings, not sophisticated attacks, with widely cited estimates putting the figure around 75 to 80 percent. The provider sets sensible defaults for the broadest range of customers, not for your specific risk profile, and the business assumes those defaults are already secure. Neither party is watching the settings drift as new features arrive and staff make ad hoc changes. Reviewing configuration against a known good baseline is one of the highest-value cloud security tasks a business can carry out, and one of the most commonly skipped.
Over-Shared and Over-Permissioned Data
Files shared with anyone who has the link, folders open to the entire company, and staff holding access they no longer need all leak data slowly. Role-based access, where each person can reach only what their job requires, keeps sensitive information contained. Permissions should be reviewed whenever someone changes role or leaves.
No Independent Backup
Cloud providers protect their platform, but they do not guarantee recovery of your data after accidental deletion, a ransomware event, or a mistaken sync. Microsoft and Google both recommend a separate backup for this reason.
A dedicated Microsoft 365 backup keeps recoverable copies of your email and files outside the platform, so a bad day does not become a permanent loss.
How Do You Close the Gaps You Are Accountable For?
You close them by treating your side of the cloud as something that needs ongoing attention, not a subscription you set up once and forget. The good news is that most of the risk comes down to five practical measures, and none of them requires a big budget or a technical background to understand.
Enforce Multi-Factor Authentication Everywhere
Require a second verification step for every account. This one control stops the large majority of password-driven intrusions and costs nothing to enable.
Tighten Identity and Access
Who can reach what, and under which conditions, is the core of modern cloud defence. Strong identity and access management grants least privilege by default and removes access the moment a role changes, shrinking what any single compromised account can touch.
Review Your Configuration Regularly
Cloud platforms change, and so does your business. A periodic review, often part of a cyber security assessment, checks sharing settings, admin rights, and sign-in policies against how attackers actually operate, then prioritises the fixes that matter most.
Bring Unsanctioned Apps Into the Open
Staff often adopt cloud tools without telling anyone, moving company data into services no one is watching. Getting a handle on shadow IT restores visibility, so approved services carry the work and unmonitored ones stop collecting sensitive files unnoticed.
Keep Recoverable Backups
Back up your cloud data to a separate, tested copy as a core part of your cloud security. Automated backups with a proven restore process turn accidental deletion, ransomware, or an outage into an inconvenience rather than a crisis.
Your Customer-Side Cloud Security Checklist
Use this cloud security checklist to confirm the essentials on your side of the shared model are covered. If any item is unchecked, it is a gap worth closing before it becomes an incident.
- Multi-factor authentication is switched on for every user, not just administrators.
- External sharing and guest access settings have been reviewed and tightened.
- Legacy sign-in methods that bypass MFA are disabled.
- Each staff member has only the access their role genuinely needs.
- Access is removed the day someone changes role or leaves.
- An independent, tested backup of your cloud data is in place.
- Login and file activity is monitored for unusual behaviour.
- Cloud security settings are reviewed at least once or twice a year.
Working through this cloud security checklist once will surface most of the common gaps. Keeping it current as your business changes stops those gaps reopening later.

Where Do Monitoring and Detection Fit In?
Monitoring and detection sit on top of good cloud security configuration, catching the threats that slip past your controls. Tight settings keep the number of openings low. Monitoring gives you a chance to catch anyone who finds one before real damage is done.
Continuous monitoring flags unusual logins, large downloads, and permission changes as they happen. Dedicated cloud detection and response tooling takes this further, analysing activity across your cloud services and responding automatically. Detection complements the configuration work covered here without replacing it. Tight settings reduce the number of openings an attacker can find, and monitoring catches whoever manages to find one regardless.
How Can a Managed IT Partner Take This Off Your Plate?
A managed IT partner takes on the ongoing work of your cloud security so your team does not have to. Managed IT services fold configuration, access reviews, monitoring, and backup into one fixed-cost arrangement, run by specialists who do this every day.
For most small and medium businesses, keeping pace with cloud settings, staff changes, and evolving threats alongside normal operations is not realistic. A cloud security partner configures your environment correctly from the start, watches it continuously, keeps recoverable backups, and reviews permissions as your business changes. Exodesk builds this into its cloud solutions, so you keep the benefits of the cloud without carrying the cloud security overhead yourself.
A managed arrangement also brings consistency that in-house effort rarely sustains. Access reviews happen on schedule rather than when someone remembers, new staff are onboarded against a set policy, and departing staff lose access the same day. Applied month after month, that steady discipline keeps a cloud security posture holding up as the business grows and attention moves elsewhere.
Secure the Half of the Cloud That Is Yours to Protect
Exodesk helps businesses across Christchurch, Dunedin, and the wider South Island close the cloud security gaps their provider will never cover. We review your setup, lock down access, and keep your data recoverable, so the responsibility on your side is properly handled.
Contact us today to discuss how we can help your business or connect with us on LinkedIn to stay updated with more insights.
Frequently Asked Questions
Who is responsible for security in the cloud?
Responsibility is split under the shared responsibility model. The provider protects the platform, data centres, and core infrastructure. The business handles its own accounts, permissions, configuration, and the information it stores, and most breaches trace back to that customer half of the divide.
What does the shared responsibility model actually mean for a small business?
The shared responsibility model means a small business cannot assume its provider handles everything. Practical duties such as enabling multi-factor authentication, controlling who can access files, and backing up data all fall to the business. The provider keeps the platform running securely, but the day-to-day configuration is yours.
Is data in Microsoft 365 automatically backed up?
Microsoft 365 is not a backup. The platform protects its own infrastructure and offers limited, short-term recovery options, but it does not guarantee restoration of data lost to accidental deletion, ransomware, or a bad sync. A separate, tested backup is needed to recover that data reliably.
What is the most common cause of a cloud security breach?
Weak or reused account credentials are the most common cause. An attacker who obtains a password can sign straight into a cloud account unless multi-factor authentication blocks them. Enabling MFA across every account removes the largest single risk on the customer side.
Does moving to the cloud make my business more or less secure?
Cloud platforms can be more secure than ageing on-site servers, but only when the customer configures and manages their side properly. The infrastructure is well protected by the provider. Security depends on access controls, settings, and monitoring, which remain the customer’s responsibility.
What is a cloud misconfiguration?
A cloud misconfiguration is a setting left in an unsafe state, such as files open to external sharing, guest access left wide, or legacy sign-in methods that bypass multi-factor authentication. These defaults favour convenience and are a leading cause of accidental data exposure. A configuration review finds and corrects them.
How often should cloud security settings be reviewed?
Cloud security settings should be reviewed at least once or twice a year, and whenever the business changes significantly, such as adding staff, adopting new tools, or losing an employee. Regular reviews keep access rights, sharing settings, and sign-in policies aligned with current risk.
What is the difference between cloud security and cloud detection and response?
Cloud security covers the controls that prevent problems, including configuration, access management, and backup. Cloud detection and response is a monitoring layer that watches activity and reacts to threats that get past those controls. Prevention reduces the openings, and detection deals with anything that gets through them.
Can staff using unapproved cloud apps create a security risk?
Unapproved cloud apps, known as shadow IT, create real risk because company data ends up in services no one is monitoring or securing. Staff usually adopt them to work faster, not to cause harm. Visibility over which apps are in use lets a business bring that data back under proper control.
Do I need an IT provider to secure my cloud systems?
An IT provider is not strictly required, but for most small and medium businesses it is the practical choice. A managed provider configures the environment correctly, monitors it continuously, maintains recoverable backups, and reviews access as the business changes, covering duties that are hard to keep up with in-house.

