Your Cloud Isn’t Secure by Default (And Attackers Know It)

If your cyber “strategy” is “we’re in the cloud, Microsoft handles security”,
you don’t have a strategy. You have hope. In 2025, that’s not good enough for Canadian regulators,
insurers, or attackers who live off misconfigured SaaS.


The Cloud Myth That’s Putting Canadian SMBs in the Crosshairs

Canadian leaders got two uncomfortable reminders this year that cyber risk is no longer about kids in hoodies
hammering firewalls. A former Royal Bank of Canada employee was charged with using internal systems to access
banking profiles of senior political figures, including the Prime Minister. At the same time, U.S. and Canadian
agencies warned that Chinese‑linked hackers were using “Brickstorm” malware to sit inside virtual infrastructure
for well over a year, quietly stealing credentials and maintaining access.

Neither incident was about some magical “cloud hack.” Both were about
credentials, misconfigurations and weak monitoring: the same pattern we see every week inside
Microsoft 365, Google Workspace and “plug‑and‑play” SaaS used by Canadian small and mid‑sized businesses.

At 010grp, we’ve built and run cyber protection programs for organizations across Canada. The most dangerous sentence
we hear from owners and executives is still:
“We moved to the cloud, so security is mostly handled.”

Here’s the reality: every major SaaS platform runs on a shared responsibility model.
The provider secures the underlying platform; you are responsible for identity, configuration,
data and monitoring. The Canadian Centre for Cyber Security’s baseline controls are explicit: Canadian SMBs should assume they will suffer an incident, and be ready to detect,
respond and recover, not just trust the default settings. Their National Cyber Threat Assessment 2025–2026
describes a “new era of cyber vulnerability” for Canada, where cybercrime and
state‑sponsored activity converge on the same targets: cloud‑based services, remote access and identity systems.
In the latest data, roughly 1 in 6 Canadian businesses reported a cybersecurity incident, the majority driven by criminal activity, not movie‑style spies.

So no, your cloud is not “secure by default.” It’s a powerful platform that’s only as secure as you configure it.
And attackers are betting you leave the defaults alone.

Where Cloud Security Actually Fails

When we’re brought in after a breach or a close call, the pattern is depressingly familiar. It rarely starts with some
hyper‑sophisticated zero‑day. It starts with things like:

  • Global admins with no enforced MFA: shared admin logins, weak passwords and long‑lived sessions
    in Microsoft 365 or Azure.
  • Privilege sprawl: everyone is an “owner” of something, and far too many people have tenant‑wide
    or domain admin rights, with no Privileged Access Management (PAM) in place.
  • Wild external sharing: OneDrive, SharePoint and Google Drive links set to “Anyone with the link”
    for HR files, financials and client data.
  • Shadow AI and OAuth sprawl: users pasting client lists into random chatbots, installing browser
    plug‑ins that read their mailbox, or granting third‑party SaaS apps full access to their Microsoft 365 tenant.
    (We break this down in “Shadow AI Is Leaking Your Data; Lock It Down in 30 Days”.)
  • Logs that exist but nobody watches: audit logging is off, retention is 90 days or less, and there’s
    no SIEM/SOC doing 24/7 triage. Incidents get noticed when the ransom note appears, not when the first token looks odd.
  • “Backups” that aren’t backups: leaders assume Microsoft or Google keep everything forever,
    when in reality they have limited retention and no isolated backup. One mis‑click, sync error or account compromise,
    and critical data is gone.

You don’t need to be a bank or a federal department to end up in the same situation. The idea that “we’re too small to be a target” is already costing Canadian SMBs six‑ and seven‑figure losses. Attackers don’t care about your size; they care that your cloud tenant is misconfigured, your logs are dark and your backups are imaginary.

The 5‑Step Cloud Lockdown Plan We Deploy for Canadian SMBs

The good news: you don’t need Fortune‑500 budget to get serious about cloud security. You need
clarity, discipline and a repeatable operating rhythm. Here’s the five‑step approach we at 010grp
use when we harden Microsoft 365 and other cloud environments for Canadian organizations.

1. Get Ruthless Visibility: Identities, Apps, Data

You can’t secure what you can’t see. Start by building an honest inventory of:

  • All cloud tenants (Microsoft 365, Google Workspace, line‑of‑business SaaS, remote access portals).
  • All identities (employees, contractors, service accounts, vendors) and what they can access.
  • Where sensitive data lives (HR, finance, client records, IP) and which apps can touch it.

This lines up directly with the CCCS baseline, which tells SMBs to identify which information systems are in scope
and understand the potential “injury” if data is exposed, altered or unavailable. That’s not a paperwork exercise;
it’s the foundation of risk‑driven security.

We typically kick this off with a cyber risk assessment plus configuration review of Microsoft 365 / Azure and your critical SaaS apps. If you want to see how we think about this
in more detail, read “The Importance of Proper Cyber Risk Assessment”.

2. Make Identity Your Perimeter (MFA, PAM, Zero Trust)

The National Cyber Threat Assessment is clear: identity‑based intrusions are faster, stealthier and increasingly the
first move for serious attackers. Treat identity as your new firewall:

  • Enforce MFA everywhere, not just for VPN. That includes admin accounts, remote access portals,
    finance systems and any app carrying personal or payment data. Our Multi‑Factor Authentication (MFA) service
    is built exactly for this.
  • Kill standing admin rights and move to Privileged Access Management (PAM). If someone compromises an account, they shouldn’t automatically own the kingdom.
  • Use conditional access (location, device health, risk level) to block impossible logins and risky access patterns.

If you’re in finance or insurance, this also aligns with OSFI’s Guideline B‑13 on technology and cyber risk, which expects tight control over access, authentication and change management. For a deeper dive on how identity and logging work together, see “Your MFA Isn’t Enough: The 7 SIEM Moves Canadian SMBs Must Make Now”.

3. Lock Down Sharing, Shadow AI and Data Leakage

Next, fix the places where data quietly leaks out:

  • Change defaults so links in Microsoft 365 / Google Drive are internal by default, not “Anyone with the link.”
  • Use built‑in or third‑party Data Loss Prevention (DLP) to flag uploads of SINs, credit card data and health info.
  • Audit and control OAuth apps and AI tools connected to mailboxes and documents.

4. Turn On Logs, Then Let Someone Watch Them 24/7

You will not catch a modern intrusion in the inbox alone. You need logs that are:
centralized, retained and actively monitored.

  • Enable the unified audit log in Microsoft 365 and increase retention as far as your licence allows.
  • Send those logs (and key firewall / VPN / endpoint logs) into a SIEM. Then make sure there’s an actual SOC watching,
    tuning and responding, not just dashboards nobody opens.
  • Focus on identity‑driven detections: unusual admin actions, impossible travel, mass file downloads, suspicious OAuth grants.
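To make the identity‑driven detections above concrete, here is an added example (not 010grp’s tooling, and not a real audit export) that runs three of them over constructed events shaped like simplified Microsoft 365 unified audit log records: impossible travel between sign‑ins, mass file downloads, and OAuth consents that grant broad write scopes. The field names, the IP‑to‑country table and the thresholds are assumptions to tune for your tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def rec(time, user, op, ip, **extra):
    """Build one simplified, constructed audit record (not a real UAL export)."""
    return {"CreationTime": time, "UserId": user, "Operation": op, "ClientIP": ip, **extra}

# Constructed sample events; real unified audit log records carry many more fields.
SAMPLE_LOG = [
    rec("2025-03-03T09:00:00", "bob@example.ca", "UserLoggedIn", "203.0.113.5"),
    rec("2025-03-03T09:20:00", "bob@example.ca", "UserLoggedIn", "198.51.100.9"),
    rec("2025-03-03T09:25:00", "eve@example.ca", "Consent to application.",
        "203.0.113.7", Scopes="Mail.ReadWrite offline_access"),
    rec("2025-03-03T09:30:00", "ann@example.ca", "Consent to application.",
        "203.0.113.8", Scopes="User.Read"),
] + [  # 25 downloads by bob, 20 seconds apart, all inside 9 minutes
    rec(f"2025-03-03T10:{m // 3:02d}:{(m % 3) * 20:02d}", "bob@example.ca",
        "FileDownloaded", "198.51.100.9") for m in range(25)
]

# Constructed IP-to-country lookup standing in for a real GeoIP database.
GEO = {"203.0.113.5": "CA", "203.0.113.7": "CA", "203.0.113.8": "CA", "198.51.100.9": "JP"}

def _by_user(records, operation):
    """Group records of one Operation per user, sorted by time."""
    groups = defaultdict(list)
    for r in records:
        if r["Operation"] == operation:
            groups[r["UserId"]].append((datetime.fromisoformat(r["CreationTime"]), r))
    return {u: sorted(v, key=lambda x: x[0]) for u, v in groups.items()}

def impossible_travel(records, geo, window=timedelta(hours=1)):
    """Users who signed in from two different countries within `window` of each other."""
    hits = set()
    for user, logins in _by_user(records, "UserLoggedIn").items():
        for (t1, a), (t2, b) in zip(logins, logins[1:]):
            if geo.get(a["ClientIP"]) != geo.get(b["ClientIP"]) and t2 - t1 <= window:
                hits.add(user)
    return sorted(hits)

def mass_downloads(records, threshold=20, window=timedelta(minutes=10)):
    """Users with at least `threshold` FileDownloaded events inside any sliding `window`."""
    hits = set()
    for user, events in _by_user(records, "FileDownloaded").items():
        times, j = [t for t, _ in events], 0
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= window:
                j += 1  # advance the window's right edge; j never moves backwards
            if j - i >= threshold:
                hits.add(user)
    return sorted(hits)

RISKY_SCOPES = ("Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All")

def risky_consents(records, risky=RISKY_SCOPES):
    """Users who consented an OAuth app to mailbox-, file- or directory-wide write access."""
    return sorted(r["UserId"] for r in records if r["Operation"] == "Consent to application."
                  and any(s in r.get("Scopes", "").split() for s in risky))
```

In practice the same three functions would be fed by a scheduled export of the unified audit log into your SIEM rather than an inline list, with the thresholds set from a baseline of your own users’ normal activity.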

The CCCS baseline explicitly recommends having solutions to detect, monitor and respond to incidents, often through
Security Information and Event Management (SIEM) and outsourced expertise for smaller organizations.
That’s exactly what our SIEM/SOC‑as‑a‑Service provides, and we’ve written about it in “Don’t Be a Sitting Duck: Why Your Canadian Business Needs Managed SIEM Now”.

How 010grp Fits In

We’re not neutral observers in this story. At 010grp, our entire model is built around managed cyber protection services for Canadian organizations: risk assessment, cloud hardening, 24/7 monitoring, backup and recovery, cyber threat intelligence and security awareness training.


What makes the difference isn’t a single tool; it’s the operating rhythm:

  • Baseline review against CCCS controls and your insurer’s questionnaire.
  • Monthly access and admin rights reviews across cloud tenants.
  • Continuous tuning of SIEM/SOC detections as your environment changes.
  • Regular restore tests of your backup and disaster recovery plan.

With our headquarters and support centre in Ontario and SOC 2‑certified Canadian datacentres, your logs and backups stay under Canadian jurisdiction, aligned with privacy expectations and cyber‑insurance requirements, a detail that starts to matter when something goes wrong.
