What is cloud security?
Learn how cloud security protects your business data and the practical steps to keep it safe.

Written by Lena Hanna—Trusted CPA Guidance on Accounting and Tax. Read Lena's full bio
Written by Lena Hanna—Trusted CPA Guidance on Accounting and Tax. Read Lena's full bio
Published Wednesday 27 May 2026
Table of contents
Key takeaways
- Cloud security is the set of practices, tools, and policies that protect your data, applications, and systems stored on remote servers accessed over the internet. It's a shared responsibility between you and your cloud provider.
- New Zealand's NCSC 2023/24 Cyber Threat Report recorded 7,122 incident reports and $21.6 million in financial losses, making cloud security a priority for every small business.
- Simple steps like enabling multi-factor authentication (MFA), using strong passwords, and training your team can significantly reduce your risk of a cyber incident.
- Choosing cloud software with built-in security features, such as encryption and automatic backups, helps you protect your business without needing specialist IT knowledge.
What is cloud security?
Cloud security is the collection of technologies, policies, and best practices designed to protect data, applications, and infrastructure hosted on remote servers you access over the internet. Rather than storing files on a physical hard drive or local server, cloud computing keeps your data on secure servers managed by a provider, so you can access it from anywhere with an internet connection.
Protecting that data is a shared responsibility. Your cloud provider secures the underlying infrastructure, while you're responsible for managing access, choosing strong passwords, and following good security habits. The National Institute of Standards and Technology (NIST) Cybersecurity Framework outlines five core functions for managing cyber risk: identify, protect, detect, respond, and recover. These principles apply just as much to small businesses using cloud software as they do to larger organisations.
For small business owners, cloud security means making sure only the right people can access your financial records, customer information, and business files. You don't need to be a tech expert to get it right; understanding the basics goes a long way.
Types of cloud environments
Not all cloud services work the same way. The type of cloud environment you use affects how much security responsibility falls on you versus your provider.
There are three main types of cloud service:
- Infrastructure as a Service (IaaS): provides virtual servers, storage, and networking. You manage the operating system, applications, and data. Examples include Amazon Web Services and Microsoft Azure
- Platform as a Service (PaaS): provides a platform for building and running applications without managing the underlying infrastructure. You focus on your app and data, while the provider handles the rest
- Software as a Service (SaaS): delivers ready-to-use applications over the internet. The provider manages almost everything, from infrastructure to software updates. Examples include cloud accounting tools, email platforms, and project management apps
Most small businesses rely on SaaS products for everyday tasks like accounting, invoicing, and file storage. With SaaS, your provider handles the bulk of the technical security, but you still play a key role in protecting your account and data through good habits like strong passwords and access controls.
Why cloud security matters for your business
Cyber threats are growing in New Zealand, and small businesses are a frequent target. Understanding the scale of the problem helps you take the right precautions.
According to the NCSC 2023/24 Cyber Threat Report, New Zealand recorded 7,122 cyber incident reports in the 2023/24 period. Of those, 343 were incidents of potential national significance, up 8.5% from the previous year. The total financial loss reported was $21.6 million, while the average direct financial loss per incident increased from $14,000 to $25,500.
The good news is that strong security practices make a real difference. The same report noted $38.8 million worth of harm was prevented. Small businesses that take cloud security seriously are far better placed to avoid disruption, protect customer trust, and keep their finances safe.
As more of your business moves online, from cloud accounting to file storage and communication, a proactive approach to security becomes part of running a healthy business.
Common cloud security threats
Knowing what threats exist helps you spot risks before they become problems. Here are the most common cloud security threats facing small businesses in New Zealand.
- Phishing and social engineering: attackers impersonate trusted contacts or services to trick you into sharing login details or clicking malicious links. This remains one of the most common ways criminals gain access to business accounts
- Ransomware: malicious software that locks your files and demands payment to release them. Even small businesses can be targeted, and paying the ransom doesn't guarantee you'll get your data back
- Weak or reused passwords: using the same password across multiple accounts makes it easier for attackers to break in. One compromised password can give access to several systems
- Misconfigurations: incorrectly set up cloud services can leave data exposed to the public internet. This often happens when default settings aren't reviewed or access permissions are too broad
- Insider threats: current or former employees with access to your systems can accidentally or deliberately cause security incidents. Clear access controls and offboarding processes reduce this risk
- Malware: software designed to damage or gain unauthorised access to your systems. It can spread through email attachments, downloads, or compromised websites
The NCSC 2023/24 data highlights that public administration and safety recorded the highest percentage of incidents by sector. But small businesses across all industries face similar threats, particularly phishing and credential theft.
The shared responsibility model
One of the most important concepts in cloud security is the shared responsibility model. It defines what your cloud provider is responsible for and what falls on you as the customer.
Your cloud provider typically handles the security of the cloud itself. This includes physical data centres, network infrastructure, server hardware, and the core software platform. They invest heavily in encryption, monitoring, and compliance to keep these systems safe.
Your responsibility covers security in the cloud. This means managing who can access your account, setting strong passwords, enabling multi-factor authentication, and making sure your team follows good security practices. You also control what data you store and how you share it.
Think of it like renting an office. The building owner secures the structure, installs locks, and maintains the fire alarms. But you're responsible for locking your own door, keeping your keys safe, and not leaving sensitive documents on the reception desk.
For SaaS tools like cloud accounting software, the provider takes on a larger share of the technical security. But you still need to manage access, review login activity, and train your team. Understanding this split helps you focus your effort where it matters most.
How cloud providers protect your data
Reputable cloud providers invest significantly in keeping your data safe. Understanding what they do behind the scenes can give you confidence in the tools you use.
Here are the key ways cloud providers protect your information:
- Encryption: your data is encrypted both in transit (while being sent) and at rest (while stored). This means even if someone intercepts it, they can't read it without the encryption key
- Automatic backups: providers regularly back up your data to multiple secure locations, so you can recover information if something goes wrong
- Multi-factor authentication: many providers offer or require MFA, adding an extra layer of security beyond just a password
- 24/7 monitoring: cloud platforms use automated systems to detect unusual activity and respond to threats in real time
- Compliance and certifications: leading providers meet international security standards such as ISO 27001 and SOC 2, giving you assurance that their systems are regularly audited
When you're choosing cloud software for your business, look for providers that clearly communicate their security practices. Features like encryption, automatic backups, and MFA are strong indicators that a provider takes data protection seriously.
Benefits of cloud security for small businesses
Investing in cloud security doesn't just protect you from threats. It offers real benefits that help your business run more smoothly.
- Access your data anywhere: cloud security keeps your information safe whether you're working from the office, home, or on the go
- Reduce the risk of data loss: automatic backups and secure storage mean you're less likely to lose important files to hardware failure, theft, or accidents
- Build customer trust: protecting customer data shows you take their privacy seriously, which strengthens your reputation
- Save time on IT management: with your provider handling infrastructure security, you can focus on running your business instead of managing servers
- Scale with confidence: as your business grows, cloud security scales with you. You don't need to invest in new hardware or hire specialist IT staff
Moving to the cloud also supports your broader digital transformation journey. Secure cloud tools let you automate tasks, collaborate with your team, and access real-time financial data without compromising on safety.
5 ways to protect your data in the cloud
You don't need a big budget or technical expertise to strengthen your cloud security. These five practical steps can make a significant difference.
1. Use strong, unique passwords
A strong password is your first line of defence against unauthorised access. Use a unique password for every account, and make each one at least 12 characters long with a mix of uppercase letters, lowercase letters, numbers, and symbols.
Avoid using personal details like your name, birthday, or business name. A password manager can generate and store complex passwords for you, so you don't need to remember them all. This is one of the simplest and most effective ways to protect your accounts.
2. Enable multi-factor authentication
Multi-factor authentication (MFA) adds a second step when you log in, typically a code sent to your phone or generated by an app. Even if someone guesses or steals your password, they can't access your account without that second factor.
Turn on MFA for every business tool that offers it, including your cloud accounting software, email, and file storage. It takes just a few minutes to set up and significantly reduces your risk of a breach.
3. Monitor login activity and alerts
Many cloud tools let you review who has logged in, when, and from where. Make it a habit to check this activity regularly, especially if you have multiple team members with access.
Set up alerts for unusual login attempts, such as logins from unfamiliar locations or devices. Catching suspicious activity early gives you time to respond before any damage is done.
4. Install anti-malware software
Anti-malware software scans your devices for malicious programs that could compromise your cloud accounts. Keep it updated and run regular scans on all devices used for business.
Even if your cloud provider has strong server-side security, your own computer or phone can be a weak link. Protecting your devices closes that gap. If you're unsure about a file, you can check it using a free tool like VirusTotal.
5. Recognise phishing and social engineering
Phishing emails and messages are designed to look legitimate, often impersonating banks, software providers, or even colleagues. They typically create urgency, asking you to click a link or share login details immediately.
Before clicking any link, check the sender's email address carefully and hover over links to see where they actually lead. If something feels off, contact the sender directly through a known channel. Training yourself and your team to spot these tactics is one of the most valuable security investments you can make.
Train your team on cloud security
Your team is one of your strongest defences against cyber threats, but only if they know what to look for. Regular security training helps everyone recognise risks and respond appropriately.
Start with the basics: how to spot phishing emails, why strong passwords matter, and what to do if something looks suspicious. Building a workplace digitisation strategy that includes security training helps your team adopt new tools with confidence. Keep training sessions short and practical, and revisit them at least once a year.
The New Zealand government's Own Your Online resource provides free, practical guidance on staying safe online. It's a helpful starting point for building your team's awareness.
You should also create a simple security policy that covers password requirements, acceptable use of business devices, and who to contact in case of a suspected incident. When everyone knows their role, your business is better protected.
Cloud security tools and solutions
The right tools can make cloud security much easier to manage, even without a dedicated IT team. Here are the key categories worth considering for your business.
- Password managers: store and generate strong, unique passwords for all your accounts. Options like 1Password and Bitwarden are popular with small businesses
- MFA apps: authenticator apps such as Google Authenticator or Microsoft Authenticator provide time-based codes for an extra layer of login security
- Anti-malware software: protects your devices from viruses, ransomware, and other malicious software. Look for products that offer real-time protection and automatic updates
- Cloud backup solutions: provide an additional copy of your data in case of accidental deletion, hardware failure, or a cyber incident. Many cloud providers include built-in backup features
- Virtual private networks (VPNs): encrypt your internet connection when working on public or shared networks, keeping your data private while you work remotely
You don't need every tool at once. Start with a password manager and MFA, then add layers as your business grows. Many cloud software providers, including accounting platforms, already bundle security features like encryption and automatic backups into their products.
Protect your business with Xero cloud security
Cloud security is a team effort between you and the tools you choose. By following the steps in this guide, from strong passwords and MFA to team training and the right software, you can protect your business data with confidence.
Xero's cloud accounting software is built with security at its core, including data encryption, automatic backups, and multi-factor authentication. Your financial data is protected by multiple layers of security and accessible only to the people you authorise. You can learn more about how cloud computing works for your business.
Ready to see how secure cloud accounting can simplify your finances? Get one month free and experience it for yourself.
FAQs on cloud security
Here are answers to some frequently asked questions about cloud security.
What are the main types of cloud security?
Cloud security covers several areas, including data encryption, identity and access management, network security, and threat detection. Together, these layers protect your information at every stage, from storage to transmission to access.
Do small businesses really need cloud security?
Yes. Small businesses are frequent targets because attackers assume they have weaker defences. The NCSC 2023/24 report shows average financial losses per incident reached $25,500, which can be devastating for a smaller operation. Basic security measures like MFA and strong passwords go a long way.
How is cloud security different from traditional security?
Traditional security focuses on protecting physical hardware and on-site networks. Cloud security protects data and applications hosted on remote servers accessed over the internet. The key difference is the shared responsibility model, where your provider secures the infrastructure and you manage access and user behaviour.
What security features should I look for in cloud software?
Look for data encryption (both in transit and at rest), multi-factor authentication, automatic backups, role-based access controls, and compliance with recognised standards like ISO 27001. A provider that's transparent about their security practices is a positive sign.
What is the shared responsibility model in cloud security?
The shared responsibility model splits security duties between you and your cloud provider. The provider secures the underlying infrastructure, servers, and network. You're responsible for managing user access, setting strong passwords, enabling MFA, and training your team to follow good security practices.
Is cloud accounting secure?
Cloud accounting platforms use the same enterprise-grade security measures as major banks and technology companies, including encryption, multi-factor authentication, and continuous monitoring. When you choose a reputable provider and follow good security habits on your end, cloud accounting can be more secure than managing spreadsheets or files on a local computer.
Disclaimer
Xero does not provide accounting, tax, business or legal advice. This guide has been provided for information purposes only. You should consult your own professional advisors for advice directly relating to your business or before taking action in relation to any of the content provided.
Get one month free
Purchase any Xero plan, and we will give you the first month free.