The Cloud, Shared Responsibility, and You

The vast majority of small and midsize businesses (SMBs) understand — or have learned the hard way — that the ability to recover lost or damaged data is critical to your IT services and business resiliency.  You need to be able to recover and restore files, databases, servers, and workstations from loss due to disasters, hardware failures, software errors, or human action. In the cloud, it is your shared responsibility to protect your data.

The Cloud

As we move data, services, and servers, we rely on infrastructure and security built into the services.  Google and Microsoft operate industry-leading, sophisticated services designed for security as well as performance, features, and functions.  The capabilities do three things:

  1. Continuity: Ensure the clouds run with little or no disruption
  2. Recovery: Enable the restoration of services without loss of failure do to hardware, network, or other issues
  3. Capability: Provide us with the ability to secure and protect our data based on our usage

Microsoft, Google, and other cloud services do not, however, protect us from how we use their services.


Microsoft and Google do not control how we use Microsoft 365 or Google Workspace services.  We, as subscribers, control how we manage and protect our data, including:

  • Who can access the services
  • Which applications can connect and integrate
  • Which other applications and services will share user identities
  • Which users can manage, edit, suggest, or view files and folders
  • Which users can access various services within each of the productivity suites

With these controls comes great responsibility.  You are responsible for how your data is stored and used.  You are responsible if that use causes data loss or damage.

Shared Responsibility

Microsoft and Google  both use a “Shared Responsibility” model for security and data protection. The model defines which aspects of the cloud service security and data protection are your responsibility and which are the responsibility of the service provider.


Microsoft Shared Responsibility ModelMicrosoft discusses Shared Responsibility as a component of its terms of service.  A recent Microsoft Learning article notes the following:

“In an on-premises datacenter, you own the whole stack. As you move to the cloud some responsibilities transfer to Microsoft. The following diagram illustrates the areas of responsibility between you and Microsoft, according to the type of deployment of your stack.”

For Microsoft 365, a “Software as a Service” (SaaS) offering, Microsoft expects you to take responsibility for protecting and recovery of your information and data; devices; accounts and identities; and portions of your identity and directory infrastructure. Microsoft has a detailed white paper covering shared responsibility for Azure services.


Google Shared Responsibility ModelThe Google Workspace Data Protection Guide includes a section dedicated to the Shared Responsibility model. Google states:

“Data protection is not only the responsibility of the business using Google Workspace services; nor is it only that of Google in providing those services. Data protection on the cloud is instead a shared responsibility; a collaboration between the customer and the Cloud service provider (CSP).”

“As a Google Workspace customer, you are responsible for the security of components that you provide or control, such as the content you put in Google Workspace services, and establishing access control for your users.”

As a SaaS offering, Google warns that you are responsible for the access control, security, and protection of any and all content you place in the Google Workspace service. The Google Cloud Platform: Shared Responsibility Matrix provides a detailed overview of shared responsibility for Google Cloud Platform.

Back to You

Understanding your shared responsibility, you can meet your data security and protection obligations.

First and foremost, configure and use the security and data protection features included within your Microsoft 365 or Google Workspace subscription. These services range from multi-factor authentication to secure user identities and access to advanced data loss prevention services in enterprise level subscriptions.

Your next step is to add additional services to cover aspects of data protection not provided with your Microsoft 365 or Google Workspace subscriptions.  These services may include:

  • Advanced threat protection for inbound email
  • Backup/recovery of all user content in Google Workspace (including shared drives) and Microsoft 365 (including Teams)
  • Archive/eDiscovery services to meet internal data policy, industry guidelines, or regulatory requirements
  • Backup/recovery for data located on end user devices and on-premise or hosted servers
  • Continuity services for mission-critical servers and end user device
  • Message-level and file-level encryption for compliance with industry or regulatory requirements

Your business may or may not need all of the services listed.  Which services you deploy should be part of a larger assessment of your cyber security and data protection needs.

Call To Action

Contact us or schedule time with one of our Cloud Advisors to discuss how you are meeting your shared responsibility and/or your broader security needs, priorities, and solutions.

For a broader look at your cyber security, complete our Rapid Security Assessment (free through June 2023) for a review of your basic security measures.

About the Author

Chris CaldwellChristopher Caldwell is the COO and a co-founder of Cumulus Global.  Chris is a successful Information Services executive with 40 years experience in information services operations, application development, management, and leadership. His expertise includes corporate information technology and service management; program and project management; strategic and project-specific business requirements analysis; system requirements analysis and specification; system, application, and database design; software engineering and development, data center management, network and systems administration, network and system security, and end-user technical support.

Understanding a Third Party Data Breach & How to Prevent One

Understanding Third Party Breach AlertsWhat is a Third Party Data Breach?

A third party data breach occurs when an individual’s login identity and/or personally identifiable information (PII) has been disclosed by a third party system or service. A third party system or service is one that is unrelated to your business.

Third party data breaches are a security risk to your business and your employees. To understand this risk, we look at human behavior and the nature of modern cyber attacks. Knowing the risks, we look at ways to identify and respond. We discuss methods to ensure you are properly protecting your employees and your business.

The Risks of Third Party Data Breaches

The Risk of Human Nature

Multiple studies show that between 65% and 70% of humans will use identical or similar passwords across systems. The practices of “patterning” and “mimicking” passwords is more common across accounts using the email address or username as the account identity, whether or not the login is for a business system or some other system or service.

Think about employees using their work email for business-related services, such as video conferencing services, LinkedIn, or file sharing services. Some employees may have accounts to online stores for purchasing materials or supplies.  A breach in any of these systems, which are out of your control, poses a risk to your business.

A second aspect of human nature that works against us: humans are social creatures.  People, at different levels, want and need to interact with others.  In general, humans are trusting and we want to be helpful.  We will share information if and when it fits within typical interactions and when we think we are helping ourselves or others.

The Risk of Cyber Attack Methods

Currently, sophisticated criminal organizations (sometimes backed by hostile nation-states or terrorist groups) execute the vast majority of cyber attacks. They often sell and trade methods, malware, and data on the dark web, as different organizations build specialized expertise. Modern cyber attacks reflect the sophistication and expertise of the cyber criminals. Most cyber attacks involve indirect and direct methods.

Indirect Attacks

We define indirect attacks as those intending to gather information. Cyber criminals collect useful information in order to conduct direct attacks and to sell to other criminals. Phishing, social media “clickbait”, and third party data breaches are three common examples of indirect attacks that provide personal information for further attacks.

Direct Attacks

We define direct attacks as those intending to gain access to your systems and information. These include compromised user identities or credentials, ransomware, activity/keystroke monitoring, business email compromise attacks, and other attacks where your data is exposed or altered.

Direct attacks are more successful if they use data gathered from previous, indirect attacks.  And while cyber attackers may manage the complete attack, it is more common for those interested in direct attacks to buy data from those that specialize in conducting indirect attacks.  Your answers to quizzes and games on Facebook are being sold to cyber criminals that will use that information against you in a future attack. Indirect attacks also gather information that allow the attackers to impersonate you, organizations, or those around you.

Maybe the information lets them craft a surprisingly real-looking email asking you to log into a fake website, or to transfer money to a vendor using incorrect banking information.  Or, you are asked to share the MFA code you received by text. And with enough information, the attackers pretend to be you and ask your customers to make a payment by wire or ACH transfer using their banking information, not yours.

Tracking Third Party Data Breaches

The best method of tracking third party data breaches is subscribing to a monitoring and alert service.  Use the service to scan and monitor the dark web for data breaches related to any email address from your business domain(s).  The service should send you alerts that include:

  • Email address of the breached account
  • Origin of the breach, if known and disclosed
  • The Source of the breached data (where was the data posted/visible)
  • The type of the compromise
  • When the data was found
  • If a password was compromised, and if the password is visible or encrypted
  • Any PII disclosed in the breach

Using this information, you can assess the risk and take appropriate actions in response.

At Cumulus Global, we partner with DarkWeb ID for third party data breach monitoring and alerts.  Our eBook, Understanding Third Party Breach Alerts, covers how to analyze alerts, assess risks, and respond accordingly.

Protecting Your Business From a Third Party Data Breach

To fully protect your business from a third party data breach, your security strategy needs to ensure you have three things in place:

  1. You and your team should understand your security risks and how your behaviors can help or prevent an attack.
  2. Have procedures and technologies in place to protect you from successful attacks
  3. Have security services in place to prevent the disclosure or loss of data and/or system access.
  4. Capabilities and services in place to respond should an attack be successful, and to help your business recover.

We developed our Security CPR Model specifically to help small and midsize businesses create, deploy, and manage an appropriate security strategy. If you follow this model in addition to other cyber security best practices, you’ll be well positioned to prevent a third party data breach.

Communicate & Educate

    • Communicate with your team that Cyber Security is a priority and educate them on cyber security risks, the need for everybody to be vigilant, and the behaviors/actions they can use to help prevent successful attacks.
    • Develop policies and procedures to establish clear expectations for how your organization will maintain cyber security and how your team will use security technologies and services

Protect & Prevent

      • Select, deploy, and maintain security technologies and services that match and support your cyber protection needs and priorities.
      • You can simplify your security services by focusing on the most likely threats and those that would have the greatest impact if successful (see: How Can SMBs Streamline IT Security?)

Respond & Recover

    • Put systems in place to recover lost or damaged data and systems; consider business continuity solutions that enable you to continue operating your business while restoring your primary systems.
    • Pre-arrange resources to help you respond to the technical, regulatory, legal, reputation, and customer service impacts of a successful cyber attack

You can learn cyber security tips and key information about third party data breach prevention by viewing Security CPR, our 3T@3 Webcast from January 2023.

Call To Action

Complete our Rapid Security Assessment (free through June 2023) for a review of your basic security measures.

Or, contact us or schedule time with one of our Cloud Advisors to discuss your security needs, priorities, and solutions.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.



Cumulus Global Recognized on the 2022 CRN® MSP 500 List

2022 CRN MSP 500Company Celebrates 5th Consecutive Year of Recognition as an Industry Leader

For the fifth consecutive year, Cumulus Global proudly shares that CRN®, a brand of The Channel Company®, has named Cumulus Global to its Managed Service Provider (MSP) 500 list in the Pioneer 250 category for 2022. CRN’s annual MSP 500 list identifies leading North American service providers with forward-thinking approaches to managed services. Cumulus Global’s inclusion on the 2022 MSP 500 recognizes the company’s through leadership on managed cloud services and the company’s ability to help its customers increase productivity, simplify IT solutions, secure their business, and maximize their return on investment.

“The continued recognition by CRN as a Pioneer on the 2022 MSP 500 List is an incredible honor,” stated Cumulus Global CEO Allen Falcon. “We appreciate CRN recognizing the differentiation we bring to the market, and our clients, with our managed cloud services offerings.”

Cumulus Global innovates in ways that help small and midsize businesses (SMBs) adapt to changing business conditions. Many SMBs continue recovering from, and adjusting to, the impact of the COVID-19 pandemic. Cumulus Global leverages cloud services that more effectively and efficiently support remote and hybrid work environments. The company’s Security CPR model provides SMBs with an understandable method of assessing security risks, prioritizing needs, and deploying effective, budget-friendly solutions.

“In addition to having to adjust their own business operations to account for the changed conditions during the pandemic, MSPs have also seen increased demand for their managed communications, collaboration and security services,” said Blaine Raddon, CEO of The Channel Company. “The solution providers on our 2022 MSP 500 list deserve credit for their innovative and game-changing approaches to managed services in these unpredictable times, as well as their ability to optimize operational efficiencies and systems without straining IT budgets.”

The economy, markets, supply chains, expectations for work environments, and other business factors remain in flux post-pandemic.  Cumulus Global managed cloud services blend the best aspects of traditional MSP services with a “cloud first” perspective. Leveraging the economies of cloud computing, Cumulus Global offers these robust, secure services at costs below traditional IT services for small and midsize businesses.

The MSP 500 list is featured in the February 2022 issue of CRN and online at

About Cumulus Global

Cumulus Global is an industry-leading managed cloud service provider with a mission to deliver solutions with tangible value.

  • What We Do: We translate your business goals and objectives into solutions and services.
  • How We Do It: We start with your business needs and priorities. Planning and migration includes guidance to help your team adopt and utilize new services. Your team benefits from co-managed services, on-going support, and client success services that help you adapt as your business changes and grows.
  • What We Offer: Managed cloud solutions featuring Google, Microsoft, and more than three dozen providers.
About The Channel Company

The Channel Company enables breakthrough IT channel performance with our dominant media, engaging events, expert consulting and education, and innovative marketing services and platforms. As the channel catalyst, we connect and empower technology suppliers, solution providers, and end-users. Backed by more than 30 years of unequaled channel experience, we draw from our deep knowledge to envision innovative new solutions for ever-evolving challenges in the technology marketplace.  

Follow The Channel Company: Twitter, LinkedIn, and Facebook.

The Channel Company Contact:

  • Jennifer Hogan
  • The Channel Company

Google Workspace Fee Increase Effective April 11, 2023

Google WorkspaceOn February 11, 2023, Google provided sixty (60) days notice of a Google Workspace fee increase across most licenses.  For many customers, this increase is coming immediately after increased fees related to the transition from G Suite to Google Workspace.

The Google Workspace Fee Increase in Summary

The Google Workspace fee increase primarily impacts subscriptions on the “Flex Plan”, or month to month service.  Flex Plan fees will increase by 20%. This includes all Google Workspace Business, Enterprise, Front Line Worker, Archived User, and Appsheet licenses. The 20% increase also impacts Google Cloud Identity Premium licenses.

Additionally, the underlying annual commitment plan fees for Google Workspace Enterprise Standard is increasing by 15%.  Enterprise Standard Flex Plan licenses will be charged the 20% increase on top of the 15% increase.

Google Workspace Fee Increase Details

For all Google Workspace Business plans, the per-user fees for Flex Plan subscriptions are increasing by 20%. The per user monthly fees will change as follows:

  • Business Starter: from $6 to $7.20 per user per month
  • Business Standard: from $12 to $14.40 per user per month
  • Business Plus: from $18 to $21.60 per user per month

For all Google Workspace Enterprise plans, the per-user fees for Flex Plan subscriptions are increasing by 20%. There is also an increase in the underlying Annual Commit pricing for Google Workspace Enterprise Standard. The per user monthly fees will change as follows:

  • Enterprise Essentials – Flex Plan: from $10 to $12 per user per month
  • Enterprise Starter – Flex Plan: from $10 to $12 per user per month
  • Enterprise Standard – Annual Commit Plan: from $20 to $23 per user per month
  • Enterprise Standard – Flex Plan: from $20 to $27.60 per user per month
  • Enterprise Plus – Flex Plan: from $30 to $36 per user per month

Similar 20% increases will impact Flex Plan pricing across the following licenses:

  • Google Vault
  • Google Workspace Front Line Worker
  • Google Workspace Archived User (all Business and Enterprise licenses)
  • Cloud Identity Premium
  • Google Workspace Appsheet (all Business and Premium licenses)

Impact on G Suite to Google Workspace Transition

If you are still using G Suite licensing, these changes will be in effect as of April 11, 2023 or as of your transition date if your transition occurs after this date. If you are using G Suite on an Annual Commitment Plan, Google will automatically move you to Google Workspace on your annual (or contract) renewal date.  If you are using G suite on a Flex Plan, Google should provide your with 60 days notice of your automatic transition. Google began automatic (forced) transitions earlier this month and will continue until all customers are moved to Google Workspace.

As a reminder: When Google automatically transitions your service from G Suite to Google Workspace, Google will select the licensing that maintains your current feature set even if the transition will double or triple your monthly per user fees. Cumulus Global can manage your transition can discuss options to avoid or mitigate these increases. 

Avoid the Fee Increase

You can avoid this fee increase by converting your service from the Flex Plan to an Annual Commitment Plan.

Flex Plan subscriptions are month-to-month. As such, you can adjust the number of licenses up or down, as needed, each month. Your invoices are in arrears and reflect any changes.

Annual Commitment Plan subscriptions, as the name implies, commit you to one year (or multiple years) of service.  During your Commitment Plan term, you may added licenses at a prorated fee through the end of your term.  Any added licenses increase your commitment. You cannot reduce the number licenses (you can reuse them as employees leave and new employees join your business) and you cannot cancel service until your contract renewal date.

Given the fee increase on Flex Plan subscriptions, most small businesses will NOT save money by remaining on the Flex Plan, even if your license count fluctuates over the year.

  • For the Flex Plan to be less expensive, you would need to reduce your license count by more than the equivalent of 20% of your users for a full 12 months.
  • Example 1:
    • A seasonal business that reduces its staff for 6 months each year would need to reduce their license count by more than 40% to save money on the Flex Plan.
  • Example 2:
    • A business that reduces staffing for the 3 primary winter months would need to reduce their number of licenses by more than 70% to save money on the Flex Plan.

Most small businesses do not have staffing changes this large. Please evaluate your projected costs and consider switching to an Annual Commitment Plan.

Call To Action

Contact us or schedule time with one of our Cloud Advisors to discuss your options. We are here to assist you and to ensure you are getting the best value from your Google Workspace services.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Founded in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions, Allen has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America.  Having started his first business at age 12, Allen is a serial entrepreneur having started strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.