The security of online-based infrastructures is essential for organisations to keep data safe and comply with strict regulations. So, how can you be confident in your cloud security, and what can you do to test its strength?

Author: Johnty Mongan


Online-based infrastructure, applications and platforms (otherwise known as ‘the cloud’) are widely used by organisations and individuals to store and back up data. The security of these services can depend on the individual cloud service provider, and each provider makes security recommendations for running workloads securely in their environment.

However, the implementation of security processes should be a joint responsibility between the cloud provider and the user.

Over 98% of organisations use some form of cloud-based infrastructure.1

In 2022, 57% of businesses moved their work to the cloud.2

85% of organisations with large cloud footprints said their sensitive data has been exposed in the cloud.3

How does cloud security work?

Cloud security consists of a set of policies, procedures, controls and technologies that work together to protect cloud-based systems and the data held within them. These security measures support regulatory compliance, with data stored in the cloud typically encrypted, and authentication rules set for individual users and devices. Cloud security can be configured to the specific needs of the business in order to ensure data and applications are readily available only to authorised users with a ‘digital key’.

Common cloud security risks

According to a report by software provider Check Point, 27% of organisations have experienced a security incident in their public cloud infrastructure in the last 12 months.4

This demonstrates that while cloud-based systems are designed for robust data security, there is still potential for the risk of data breaches if security is compromised. Some of the main threats include:

  • Data loss and breaches: The loss of data due to cyber incidents (such as ransomware attacks) or human error, or the leaking of sensitive data caused by security misconfigurations.
  • Distributed Denial of Service (DDoS) attacks: An attack by a threat actor to disrupt the organisation's online systems and services, overwhelming them so that they can no longer function.
  • System vulnerabilities: If an organisation’s cloud deployment shares a physical server with other cloud resources that are not trusted or secure, software vulnerabilities could be exploited to reach sensitive data held in shared physical memory.
  • Access management issues: Mismanagement of access credentials can enable threat actors to access user accounts with malicious intent.
  • Insider threats: A disgruntled employee with system administrator access could potentially compromise an organisation’s cloud security.
  • Insecure Application Programming Interfaces (APIs): Cloud security providers allow API access to their product for automation of a cloud deployment. If these APIs are not secure, cloud security can be compromised.

However it happens, experiencing a cyber incident or data breach due to vulnerabilities in your cloud security systems can have serious implications for your organisation. In the UK, companies who breach UK GDPR and/or the Data Protection Act can find themselves facing substantial fines on top of potential breach response/remediation costs and reputational damage.

How Gallagher can help

The Gallagher Cyber Risk Management team works with businesses of all sizes to strengthen their cybersecurity, including in cloud-based environments. We can carry out a cloud security audit for your organisation, which is a non-intrusive review of your cloud computing systems. Through this process, we can help to identify risks, weaknesses and vulnerabilities, allowing us to provide remediation advice in order to strengthen your cloud security posture.

We can perform the audit for a number of products, namely Amazon Web Services (AWS), Microsoft Azure and Microsoft Office 365. To find out more about what the audit involves and how it works, please get in touch.

The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.