Most cloud platforms ship configured for ease of use, not security. Microsoft 365, Google Workspace, and major cloud providers all prioritize getting users productive quickly — which often means default settings leave significant security gaps.
Here are five of the most common misconfigurations we find during cloud security assessments, and what you can do about them.
1. Weak or Missing Multi-Factor Authentication
MFA is the single most effective control against account compromise, yet many organizations either haven't enabled it or have configured it with significant gaps.
What we typically find:
- MFA not enforced for all users
- Admin accounts without MFA
- Legacy authentication protocols bypassing MFA entirely
- SMS-only MFA instead of authenticator apps or hardware keys
What to do: Enforce MFA for all accounts, prioritizing admin and privileged accounts first. Disable legacy authentication protocols. Use authenticator apps or FIDO2 keys instead of SMS where possible.
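The two checks above (admins without strong MFA, legacy authentication still allowed) can be scripted against a Microsoft 365 tenant. The following is an added example written for this post, not the authors' tooling: it assumes the Microsoft.Graph and ExchangeOnlineManagement modules, an account that can read directory roles and authentication methods, and treats SMS/voice (phoneAuthenticationMethod) as weak; the policy name "Block Legacy Auth" is an illustrative choice.

```powershell
# Added example, not from the original post. Assumes Microsoft.Graph and
# ExchangeOnlineManagement are installed and the signed-in account has the scopes below.
Connect-MgGraph -Scopes "Directory.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# Methods treated as "strong"; SMS/voice is deliberately not on this list.
$strongTypes = @(
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod"
)

function Get-MfaPosture {
    param([string]$UserId, [string]$Upn)
    $types = Get-MgUserAuthenticationMethod -UserId $UserId |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    $hasStrong = @($types | Where-Object { $strongTypes -contains $_ }).Count -gt 0
    $hasSms    = $types -contains "#microsoft.graph.phoneAuthenticationMethod"
    [pscustomobject]@{
        User    = $Upn
        Strong  = $hasStrong
        SmsOnly = (-not $hasStrong) -and $hasSms
        NoMfa   = (-not $hasStrong) -and (-not $hasSms)
    }
}

# 1. Admins first: any Global Administrator without a strong method is a finding.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$admins = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }
$admins | ForEach-Object {
    Get-MfaPosture -UserId $_.Id -Upn $_.AdditionalProperties['userPrincipalName']
} | Where-Object { -not $_.Strong } | Format-Table

# 2. Legacy authentication: does the tenant default policy still allow Basic auth?
$org = Get-OrganizationConfig
if (-not $org.DefaultAuthenticationPolicy) {
    Write-Warning "No default authentication policy: Basic auth is not blocked tenant-wide."
} else {
    Get-AuthenticationPolicy -Identity $org.DefaultAuthenticationPolicy |
        Select-Object Name, AllowBasicAuthImap, AllowBasicAuthPop, AllowBasicAuthSmtp, AllowBasicAuthActiveSync
}

# Remediation (uncomment to apply). A new authentication policy blocks every Basic auth
# protocol by default; setting it as the tenant default covers all mailboxes.
# New-AuthenticationPolicy -Name "Block Legacy Auth"
# Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Legacy Auth"
```

Extending the first check to every user is a matter of replacing the role-member enumeration with `Get-MgUser -All`; the admin-first ordering mirrors the prioritisation in the post. The authentication-policy check reports the Exchange Online side of legacy auth; a Conditional Access policy that blocks legacy clients is the complementary control in Entra ID.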
2. Overly Permissive External Sharing
Cloud platforms make it easy to share files and collaborate — sometimes too easy. Default sharing settings often allow users to share content externally with anyone, creating uncontrolled data exposure.
What we typically find:
- SharePoint and OneDrive configured for "anyone with the link" sharing
- No restrictions on external email forwarding rules
- Guest access enabled without expiration or review
- Sensitivity labels not configured or not enforced
What to do: Restrict default sharing to internal-only. Require approval for external sharing of sensitive content. Implement sensitivity labels for data classification. Review and expire guest access regularly.
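The sharing findings above map to a handful of tenant settings in SharePoint Online and Exchange Online. The script below is an added example written for this post (not the authors' tooling); it assumes the Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules, a SharePoint administrator, a placeholder admin URL, and a 60-day guest expiry chosen for illustration.

```powershell
# Added example, not from the original post. The admin URL and the 60-day guest expiry
# are placeholder values; adjust to your tenant.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Connect-ExchangeOnline -ShowBanner:$false

function Test-SharingPosture {
    $t = Get-SPOTenant
    $findings = @()

    # "Anyone with the link" is possible only when anonymous (guest) links are allowed.
    if ($t.SharingCapability -eq 'ExternalUserAndGuestSharing') {
        $findings += "Anonymous 'Anyone' links are allowed tenant-wide (SharingCapability=$($t.SharingCapability))."
        # -1 (or 0) means anonymous links never expire.
        if ($t.RequireAnonymousLinksExpireInDays -le 0) {
            $findings += "Anonymous links never expire (RequireAnonymousLinksExpireInDays=$($t.RequireAnonymousLinksExpireInDays))."
        }
    }
    if ($t.DefaultSharingLinkType -eq 'AnonymousAccess') {
        $findings += "New sharing links default to AnonymousAccess; users must opt out of anonymous sharing."
    }
    if (-not $t.ExternalUserExpirationRequired) {
        $findings += "Guest access never expires (ExternalUserExpirationRequired=False)."
    }

    # External auto-forwarding of mail is governed by the outbound spam policy.
    # 'Automatic' defers to Microsoft's current default; 'Off' is the explicit, auditable setting.
    Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.AutoForwardingMode -ne 'Off' } | ForEach-Object {
        $findings += "Outbound spam policy '$($_.Name)': AutoForwardingMode=$($_.AutoForwardingMode) (not explicitly Off)."
    }
    return $findings
}

Test-SharingPosture

# Remediation (uncomment to apply): named guests only (no anonymous links), internal-by-default
# links, guest access that expires after 60 days, and external auto-forwarding switched off.
# Set-SPOTenant -SharingCapability ExternalUserSharingOnly -DefaultSharingLinkType Internal `
#               -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 60
# Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Sensitivity labels are configured in Microsoft Purview rather than through these cmdlets, so the script does not cover that item; the tenant-level settings it does check are the ones that decide whether an "anyone" link can exist at all.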
3. Excessive Admin Privileges
Too many users with too much access is one of the most consistent findings in cloud assessments. Excessive privileges expand your attack surface and increase the blast radius of any compromise.
What we typically find:
- Multiple Global Administrators (often 5–10+ in small organizations)
- Admin accounts used for daily work
- No Privileged Access Management or time-limited elevation
- Service accounts with permanent admin rights
What to do: Limit Global Admin to 2–3 emergency-only accounts. Use role-based admin assignments for specific tasks. Implement time-limited privilege elevation where available. Audit admin role assignments quarterly.
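An added example (written for this post, not the authors' tooling) that turns the admin-privilege checklist into a report: it counts Global Administrators against the 2–3 target, flags service principals and groups that hold the role, and uses a heuristic of its own, that a licensed admin account is probably also someone's daily mailbox, to surface "admin accounts used for daily work". It assumes the Microsoft.Graph module and Directory.Read.All.

```powershell
# Added example, not from the original post. Assumes Microsoft.Graph and Directory.Read.All.
# The "licensed admin = daily-work account" rule is a heuristic, not a Microsoft recommendation.
Connect-MgGraph -Scopes "Directory.Read.All" -NoWelcome

function Get-GlobalAdminFindings {
    param([int]$MaxGlobalAdmins = 3)
    $findings = @()
    $role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    $members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)

    if ($members.Count -gt $MaxGlobalAdmins) {
        $findings += "$($members.Count) Global Administrators (target: $MaxGlobalAdmins emergency-only accounts)."
    }
    foreach ($m in $members) {
        $name = $m.AdditionalProperties['displayName']
        switch ($m.AdditionalProperties['@odata.type']) {
            '#microsoft.graph.user' {
                $u = Get-MgUser -UserId $m.Id -Property UserPrincipalName,AssignedLicenses,AccountEnabled
                if (@($u.AssignedLicenses).Count -gt 0) {
                    $findings += "GA '$($u.UserPrincipalName)' holds licenses: likely a daily-work account; use a separate admin identity."
                }
            }
            '#microsoft.graph.servicePrincipal' {
                $findings += "Service principal '$name' holds permanent Global Admin; scope it to a least-privilege role."
            }
            '#microsoft.graph.group' {
                $findings += "Group '$name' grants Global Admin; review its membership and owners."
            }
        }
    }

    # Inventory of every active role assignment, for the quarterly review.
    $inventory = Get-MgDirectoryRole -All | ForEach-Object {
        $r = $_
        Get-MgDirectoryRoleMember -DirectoryRoleId $r.Id -All | ForEach-Object {
            $upn = $_.AdditionalProperties['userPrincipalName']
            [pscustomobject]@{
                Role   = $r.DisplayName
                Member = if ($upn) { $upn } else { $_.AdditionalProperties['displayName'] }
                Type   = ($_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '')
            }
        }
    }
    [pscustomobject]@{ Findings = $findings; Inventory = $inventory }
}

$result = Get-GlobalAdminFindings
$result.Findings
$result.Inventory | Sort-Object Role, Member | Format-Table
```

`Get-MgDirectoryRole` returns only roles that are active and permanently assigned, which is exactly the population that time-limited elevation (Privileged Identity Management, an Entra ID P2 feature) is meant to shrink; eligible-but-inactive PIM assignments do not appear in this inventory, so a tenant that has adopted PIM should see the list get shorter.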
4. Insufficient Email Security Configuration
Business email compromise (BEC) is the number one attack vector for small businesses. Yet many organizations run default email security settings that provide minimal protection against sophisticated phishing and impersonation attacks.
What we typically find:
- Anti-phishing policies not configured or using defaults
- DKIM and DMARC not implemented
- Safe Links and Safe Attachments not enabled
- No protection against internal-to-internal phishing
What to do: Configure anti-phishing policies with impersonation protection. Implement SPF, DKIM, and DMARC for your domains. Enable Safe Links and Safe Attachments. Configure alerts for suspicious email activity patterns.
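The email-security items above are all verifiable from Exchange Online and public DNS. The following added example (written for this post, not the authors' tooling) checks SPF, DMARC and DKIM for every custom accepted domain and then inspects the anti-phishing, Safe Links and Safe Attachments policies. It assumes the ExchangeOnlineManagement module and the Windows DnsClient module (`Resolve-DnsName`); the Defender for Office 365 checks simply report nothing if those policies are not licensed in the tenant.

```powershell
# Added example, not from the original post. Assumes ExchangeOnlineManagement and Resolve-DnsName.
Connect-ExchangeOnline -ShowBanner:$false

function Get-TxtRecords([string]$Name) {
    # Join multi-string TXT records so long SPF/DMARC values compare as one string.
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { ($_.Strings -join '').Trim() }
}

function Get-EmailSecurityFindings {
    $findings = @()
    $domains = Get-AcceptedDomain | Where-Object { $_.DomainName -notlike '*.onmicrosoft.com' }

    foreach ($d in $domains) {
        $name = $d.DomainName

        # SPF: exactly one v=spf1 record at the apex, ending in -all (fail) or ~all (softfail).
        $spf = @(Get-TxtRecords $name | Where-Object { $_ -like 'v=spf1*' })
        if     ($spf.Count -eq 0)                        { $findings += "$name : no SPF record." }
        elseif ($spf.Count -gt 1)                        { $findings += "$name : multiple SPF records (invalid; receivers treat as permerror)." }
        elseif ($spf[0] -notmatch '[-~]all$')            { $findings += "$name : SPF does not end in -all/~all ($($spf[0]))." }

        # DMARC: TXT at _dmarc.<domain>. p=none only monitors; rua= is needed to see the reports.
        $dmarc = @(Get-TxtRecords "_dmarc.$name" | Where-Object { $_ -like 'v=DMARC1*' })
        if     ($dmarc.Count -eq 0)                      { $findings += "$name : no DMARC record." }
        elseif ($dmarc[0] -match '(^|;)\s*p=none')       { $findings += "$name : DMARC policy is p=none (monitor only)." }
        elseif ($dmarc[0] -notmatch 'rua=')              { $findings += "$name : DMARC has no rua= aggregate reporting address." }

        # DKIM: signing must be enabled in Exchange Online for the domain.
        $dkim = Get-DkimSigningConfig -Identity $name -ErrorAction SilentlyContinue
        if (-not $dkim -or -not $dkim.Enabled)           { $findings += "$name : DKIM signing not enabled." }
    }

    # Defender for Office 365 policies: impersonation protection, Safe Links, Safe Attachments.
    Get-AntiPhishPolicy -ErrorAction SilentlyContinue |
        Where-Object { -not $_.EnableTargetedUserProtection -or -not $_.EnableMailboxIntelligenceProtection } |
        ForEach-Object { $findings += "Anti-phish policy '$($_.Name)': user-impersonation or mailbox-intelligence protection is off." }
    if (-not (Get-SafeLinksPolicy -ErrorAction SilentlyContinue | Where-Object { $_.EnableSafeLinksForEmail })) {
        $findings += "No Safe Links policy covers email."
    }
    if (-not (Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue | Where-Object { $_.Enable })) {
        $findings += "No enabled Safe Attachments policy."
    }
    return $findings
}

Get-EmailSecurityFindings
```

The DNS checks run against whatever resolver the workstation uses, so run them from outside the corporate network if split-horizon DNS is in play. Moving DMARC from `p=none` to `p=quarantine` or `p=reject` should follow a period of reading the `rua=` aggregate reports, since a premature `p=reject` breaks any legitimate sender that is not yet aligned.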
5. Disabled or Insufficient Audit Logging
You cannot detect what you cannot see. Many organizations have critical audit logging disabled, or keep logs for retention periods too short to be useful during an investigation.

What we typically find:
- Unified audit logging not enabled
- Mailbox auditing gaps
- No alerting on high-risk activities (admin changes, mass file downloads, forwarding rules)
- Log retention set to minimum (90 days or less)
What to do: Enable unified audit logging across all services. Configure alerts for high-risk activities. Extend log retention to at least one year. Review logs regularly — or better yet, feed them into a monitoring platform.
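The logging section has two halves: is the telemetry being collected at all, and is anyone looking at it for the high-risk activities named above. The added example below (written for this post, not the authors' tooling) does both from Exchange Online: it checks unified audit log ingestion and per-mailbox auditing, then queries the unified audit log for inbox-rule and role changes and for mass file downloads. It assumes the ExchangeOnlineManagement module, an account permitted to search the audit log, and a 7-day window and 50-download threshold chosen for illustration.

```powershell
# Added example, not from the original post. The 7-day window, the 50-download threshold
# and the watched-operations list are illustrative choices.
Connect-ExchangeOnline -ShowBanner:$false

function Get-AuditLoggingFindings {
    $findings = @()
    # 1. Is unified audit log ingestion switched on at all?
    if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
        $findings += "Unified audit logging is disabled (Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true)."
    }
    # 2. Mailboxes with auditing off, or with an age limit below one year (default is 90 days).
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $days = ([TimeSpan]$_.AuditLogAgeLimit).TotalDays
        if (-not $_.AuditEnabled -or $days -lt 365) {
            $findings += "Mailbox $($_.UserPrincipalName): AuditEnabled=$($_.AuditEnabled), AuditLogAgeLimit=$($_.AuditLogAgeLimit)."
        }
    }
    return $findings
}

function Get-HighRiskActivity {
    param([int]$Days = 7, [int]$DownloadThreshold = 50)
    $start = (Get-Date).AddDays(-$Days)
    $end   = Get-Date

    # Inbox-rule / mailbox changes and role-membership changes. Each record carries its detail
    # as JSON in AuditData; Exchange cmdlet records expose the cmdlet parameters there.
    $ops = 'New-InboxRule','Set-InboxRule','UpdateInboxRules','Set-Mailbox','Add member to role.'
    $events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops -ResultSize 5000 |
        ForEach-Object {
            $a = $_.AuditData | ConvertFrom-Json
            [pscustomobject]@{
                When   = $_.CreationDate
                User   = $_.UserIds
                Op     = $_.Operations
                Detail = (@($a.Parameters) | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
            }
        }

    # Forwarding/redirect rules are the classic BEC persistence step: surface them explicitly.
    $forwarding = $events | Where-Object {
        $_.Detail -match 'ForwardTo|ForwardAsAttachmentTo|RedirectTo|ForwardingSmtpAddress|DeliverToMailboxAndForward'
    }

    # Mass download: many FileDownloaded events from a single user inside the window.
    $downloads = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations 'FileDownloaded' -ResultSize 5000 |
        Group-Object UserIds | Where-Object { $_.Count -ge $DownloadThreshold } |
        Select-Object @{n='User'; e={$_.Name}}, Count

    [pscustomobject]@{
        Forwarding    = $forwarding
        RoleChanges   = ($events | Where-Object { $_.Op -eq 'Add member to role.' })
        MassDownloads = $downloads
    }
}

Get-AuditLoggingFindings
$r = Get-HighRiskActivity
$r.Forwarding    | Format-Table
$r.RoleChanges   | Format-Table
$r.MassDownloads | Format-Table

# Remediation for the per-mailbox finding (uncomment to apply): raise the mailbox audit
# age limit to one year. Unified audit log retention itself is set in Purview and is
# license-dependent.
# Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditLogAgeLimit 365
```

`Search-UnifiedAuditLog` returns at most 5,000 records per call, so a busy tenant needs either a shorter window or the cmdlet's `-SessionCommand ReturnLargeSet` paging; the point of the post's "feed them into a monitoring platform" advice is that a SIEM runs these same queries continuously rather than on demand.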
The Bottom Line
None of these misconfigurations require advanced technical expertise to fix. The challenge is knowing they exist in the first place. A structured cloud security assessment identifies these gaps systematically and produces a prioritized remediation roadmap.
If you haven't reviewed your cloud security configuration in the last 12 months, it's worth doing — especially before your next cyber insurance renewal, where insurers increasingly ask about these exact controls.
