Is Your Cloud Configuration Quietly Exposing Your Business?

Cloud misconfiguration is now one of the leading causes of data breaches globally — and it's almost entirely preventable. Unlike a sophisticated zero-day exploit, a misconfigured storage bucket or an open management port doesn't require any attacker skill to find. It just requires someone to look. And someone is always looking.

The shift to cloud services — Microsoft 365, Google Workspace, AWS, Azure, Dropbox, and dozens of line-of-business tools — has made small businesses genuinely more capable. It has also created a much larger and more complex attack surface than most owners realise, one that grows every time a new service is added without a security review. This post explains where the most common problems live, how they get introduced, and how you can check your own exposure without specialist tools.

Why Misconfiguration Is So Common

Cloud platforms are designed for flexibility. The default settings that come out of the box are built to make services easy to start using — not to be maximally secure. Features are enabled by default that many businesses will never need. Sharing permissions are often set broadly to make collaboration easy, with the assumption that you'll tighten them later. "Later" rarely arrives.

The Verizon Data Breach Investigations Report consistently identifies misconfiguration as a top cause of breaches. In a recent edition, over 21% of breaches involved errors — the majority being misconfigured cloud storage or databases left publicly accessible without authentication.

The other driver is complexity. Most small businesses use a mix of services — a Microsoft 365 tenancy for email and documents, a separate cloud backup service, a project management tool, a CRM, accounting software, and several file-sharing services that accumulated over time. Each service has its own security settings, its own permissions model, and its own default configurations. Keeping track of who has access to what, across all of them, is genuinely difficult — and most businesses don't attempt it systematically.

The Most Common Misconfigurations

These are the categories that account for the majority of cloud-related incidents affecting small and medium businesses. None of them require advanced technical knowledge to understand — or to fix.

High Risk

Publicly Accessible Storage

Cloud storage buckets (AWS S3, Azure Blob, Google Cloud Storage) set to public access. Files intended for internal use — contracts, payroll records, customer data — become accessible to anyone on the internet with the URL. Often introduced when someone shares a link and doesn't realise the underlying bucket is public.

High Risk

Open Management Ports

Remote desktop (RDP on port 3389), SSH (port 22), and database ports left exposed to the internet. Automated scanners find these within minutes of a server being provisioned. Brute-force attacks against exposed RDP are continuous, persistent, and frequently successful against businesses using weak or default credentials.

High Risk

Over-Permissive User Accounts

Microsoft 365 or Google Workspace accounts with global admin rights assigned to users who don't need them. In the event of a phishing compromise, an attacker with admin access can read all email, disable MFA, create new accounts, and exfiltrate the entire tenancy. Admin rights should be exceptions, not defaults.

Medium Risk

Legacy Authentication Enabled

Older authentication protocols (Basic Auth, IMAP, POP3) left enabled in Microsoft 365. These protocols don't support MFA, meaning even if MFA is configured for your users, an attacker who obtains a password can authenticate using legacy protocols and bypass it entirely. Microsoft has disabled these by default in new tenancies, but older ones may still have them active.

Medium Risk

Overshared Documents

SharePoint, OneDrive, or Google Drive files shared with "anyone with a link" without expiry dates or password protection. Links circulate in email threads, get forwarded, end up in places you didn't intend. Sensitive documents — client proposals, financial information, personal data — become accessible without authentication.

Medium Risk

Inactive Accounts Left Open

Former employee accounts that remain active and licensed after someone leaves. Former staff, contractors, or supplier contacts who still have access to systems they no longer need. These accounts are frequently targeted — they're less likely to be monitored, and the legitimate user won't notice suspicious logins.

The Problem With "Someone Would Have Told Me"

One of the most common responses when misconfiguration risks are raised with small business owners is a version of: "We'd know if something was wrong — we'd have heard about it." This is a reasonable instinct, but it doesn't hold up.

Misconfigured storage buckets can be accessed silently. There's no alert, no notification, no visible sign that your files have been downloaded. Data exfiltration from a cloud tenancy via a compromised admin account looks, from the inside, identical to a legitimate user accessing files. Inactive accounts being used for persistent access often generate no alerts in default configurations.

The average time to identify a data breach in the UK is 194 days. Most businesses don't discover a misconfiguration-related exposure until a third party notifies them — a security researcher, a customer, or a regulator. By that point, the data has often been accessible for months.

The lack of visible symptoms is precisely what makes misconfiguration so dangerous. It sits in the gap between "we set this up" and "we checked that it's still configured correctly."

What You Can Check Right Now

You don't need specialist tools to audit the basics. Here's a practical starting point for the most common platforms.

Microsoft 365

Review who has Global Administrator rights. In the Microsoft 365 admin centre, go to Users → Active Users and filter by role. Global Admin should be held by no more than 2–3 people. Everyone else should have the minimum role required for their job.
Check that MFA is enforced for all users. In the Azure AD / Entra ID admin centre, review your Conditional Access policies. MFA should be required for all users, not just administrators. Security Defaults (free) or Conditional Access (requires at least Business Premium) enforce this.
Audit external sharing settings in SharePoint. In the SharePoint admin centre, check the global sharing settings. "Anyone" sharing (which creates links that work without sign-in) should be restricted or disabled. Set maximum link expiry periods for any external sharing that is permitted.
Disable legacy authentication protocols. In Entra ID under Security → Authentication methods, confirm that legacy authentication is blocked. If you're using Security Defaults, this is handled automatically.
Review and disable inactive accounts. Any account that hasn't logged in within 90 days should be reviewed. Former employees' accounts should be disabled immediately on departure and deleted after a retention period consistent with your policies.

Cloud Hosting (AWS, Azure, GCP)

Audit storage bucket permissions. In AWS, use S3's Block Public Access settings at the account level. In Azure, check blob container access levels — "Private" is correct for most use cases; "Container" or "Blob" public access should be deliberate, documented, and rare.
Review security groups and firewall rules. Any rule allowing inbound access from 0.0.0.0/0 (all internet traffic) to management ports (22, 3389, 1433, 3306) should be removed unless there is a specific documented reason. Use VPN or IP allowlisting for management access.
Check for unused or over-permissive API keys. API keys and service account credentials that are not rotated regularly, have administrator-level permissions, or are attached to services that no longer use them are a common source of exposure. AWS IAM Access Analyzer and Azure's Defender for Cloud highlight these.

The External View: What Attackers Actually See

Attackers don't typically start by probing your internal systems. They start with your external footprint — the domains, subdomains, IP addresses, and services that are visible from the internet. This is exactly the information that automated scanners collect continuously, cataloguing open ports, exposed services, outdated software versions, and misconfigured security headers.

Understanding your own external footprint — what's visible, what's exposed, and what that exposure looks like to someone probing it — is a meaningful first step. It surfaces problems that internal audits often miss, because internal reviews naturally focus on systems you know about. The most dangerous misconfigurations are frequently on systems that have been forgotten: an old marketing subdomain, a legacy server still running from a previous IT setup, a developer environment that was never properly secured.

Studies consistently show that the majority of exploited vulnerabilities in cloud environments were known and visible to automated scanners days or weeks before they were exploited. The attack surface you present to the internet is visible to attackers before it's visible to you — unless you make a point of looking at it yourself.

The Practical Takeaway

Cloud misconfiguration is not a sophisticated problem. It doesn't require a dedicated attacker or a novel exploit. It requires only that something is configured incorrectly, and that someone — or more likely, an automated scanner — finds it before you do.

The businesses that catch it first are the ones that make a habit of looking. A quarterly review of sharing permissions, user access levels, and external-facing services costs a few hours and regularly surfaces issues that would otherwise go unnoticed for months. The starting point is understanding what you're presenting to the internet — and the simplest way to do that is to look at it from the outside.

See What the Internet Sees About Your Business

Faradome Scan checks your domain and web presence for exposed services, security misconfigurations, and vulnerabilities visible from the outside — in minutes, with no setup required.

Run a Free Scan → Talk to Us