UnHacked 83 Summary: Why Moving to the Cloud May Have Just Opened the Door to Hackers
Featuring: Mario Zaki (Mazteck IT) & Bryan Lachapelle (B4 Networks)
The Dangerous Myth About the Cloud
Ask most business owners why they moved — or want to move — to the cloud, and you'll hear the same answers: "It's cheaper. It's easier. It's more secure."
In Episode 83 of UnHacked, Justin Shelley, Mario Zaki, and Bryan Lachapelle dismantle all three of those assumptions — live, candidly, and with real-world examples that may make you stop and rethink how your business is set up right now.
This is Episode 9 of the show's ongoing Cybersecurity Basics series, and the hosts are the first to admit: there's nothing basic about this.
What's Actually Happening When You "Move to the Cloud"
Justin opens with a real client scenario: a small business, 15+ years in operation, wants to decommission their on-premise server and move everything to the cloud to "simplify things." What follows is a masterclass in cloud misconceptions.
The truth? Moving to the cloud doesn't simplify your infrastructure — it moves it to an environment you don't own or control. You're still paying for management. You're still responsible for security. You're still on the hook for backups. And in many cases, you're paying more than you were before while gaining a false sense of security.
As Mario puts it: "By being on the cloud does not mean you can relax on the security. If anything, you need to ramp up the security."
The Risks That Are Probably Living in Your Business Right Now
The hosts walk through a set of real, practical cloud and SaaS security risks that Justin, Mario, and Bryan encounter in businesses every single week:
🔓 Over-Privileged Admin Accounts
Business owners who love control often insist on global admin access — on the very same account they use for daily email. This is one of the single biggest vulnerabilities in any Microsoft 365 or cloud environment. If that account gets compromised, the attacker has the keys to your entire kingdom. The fix? Keep admin credentials on a completely separate account — one that's never used for day-to-day work.
👤 Former Employees Who Still Have Access
It sounds almost too simple to be dangerous — but it's one of the most common issues the team finds when auditing new clients. When employees leave and their accounts aren't immediately disabled across every platform, those credentials remain a live door into your business. Not every platform is tied to single sign-on, which means even the best offboarding process can miss something.
🔗 Shared Links That Never Expire
You create a link to share a document. You send it. You forget about it. That link? Still active. Still accessible. Still editable — potentially by anyone who has it, or anyone it was forwarded to. Bryan's practical advice: always set an expiry date on shared links, no exceptions. In many cases, you can enforce this as a global setting in Microsoft 365.
📱 Shadow IT — The Apps You Don't Know Your Team Is Using
When employees can't get the tools they need through official channels, they find them on their own. A personal Gmail account. A free Dropbox. A random AI tool. The problem? You have zero control or visibility over data that lives in those apps. Mario shares a real story of a business that lost access to critical company data permanently when an employee quit — because that data lived in a personal Gmail account the company never knew about. Getting it back would have required going to court.
☁️ Not All Cloud Backups Are Created Equal
Some SaaS platforms don't allow you to create your own backups. If you need to restore a deleted file, the vendor may tell you the only option is a full environment restore — or that it's simply not possible. You are at the mercy of their backup policies, whether you know it or not.
🔑 Single Sign-On: Powerful Tool, High-Value Target
SSO is a fantastic tool for managing access across multiple platforms from one place. But it also means a single compromised account can unlock everything at once. The solution isn't to avoid SSO — it's to protect that primary account with rigorous two-factor authentication, behavioral monitoring tools (like Huntress), and strict device management policies.
What a Secure Cloud Setup Actually Looks Like
The hosts don't just identify problems — they walk through concrete steps every business owner can take:
✅ Know where your data lives — every application, every platform, every service
✅ Maintain a master list of who has access to what, and update it every time someone joins or leaves
✅ Use single sign-on with a strongly secured primary account and MFA enforced
✅ Restrict logins to approved devices using Azure/Entra conditional access policies
✅ Set expiry dates on all shared links — no exceptions
✅ Separate admin accounts from daily-use accounts for every person with elevated privileges
✅ Provide employees the tools they need through official channels — or they'll find their own
✅ Get a security monitoring tool that watches your Microsoft 365 environment for suspicious logins and activity
✅ Have a documented policy — and actually train your team on it
As Justin summarizes: "If you don't know that you have it, you cannot protect it."
Why This Episode Matters for Your Business
The cloud has fundamentally changed how small and mid-size businesses operate. But the rules of security haven't changed — they've gotten more complex, more critical, and more urgent. Business owners who set up their systems 5, 10, or 15 years ago and haven't revisited how those systems are secured are running on borrowed time.
The question isn't if a threat will find its way to your business. The question is whether your setup will stop it before it causes financial damage, regulatory penalties, or a lawsuit.
🔐 Is Your Cloud Environment Actually Secure?
There's only one way to know for sure — and it's not guesswork.
Phoenix IT Advisors offers a free cybersecurity risk assessment specifically designed for business owners who want to know exactly where they stand. We'll look at your current cloud setup, identify the gaps, and give you a clear, honest picture of your risk — no jargon, no upsell pressure, just answers.
Schedule Your Free Security Assessment - and mention UnHacked.