At Shape, we spend most of our time designing, building and maintaining cloud systems that businesses rely on every day. Security failures and resilience gaps aren’t theoretical for us — they show up as outages, incident calls, and difficult conversations when something goes wrong.
That’s why attending techUK’s Cloud Security Conference resonated so strongly with what we see in practice. With cloud infrastructure now classed as Critical National Infrastructure (CNI), there has never been a more pressing need to ensure security and resilience are genuinely up to the challenge.
Shape recently had the privilege of attending the conference, listening to panels on “Architectures, Threats and Trust” and “Building Resilience”. What stood out wasn’t flashy new tooling, but how consistently the fundamentals came up — and how often organisations still get them wrong.
The biggest risks in cloud security are often the “unknown unknowns”: threats you didn’t realise were threats at all. In practice, these usually take the form of leaked API keys, misconfigured VPNs, shadow IT (unapproved tools used inside organisations), and excessive privileges.
A common example is making everyone in an organisation a global admin. It feels convenient, but a single mistake can threaten the entire system. That’s why the NCSC’s Security Principles emphasise least privilege — granting only the minimum permissions required to do a job.
As Sean Tickle from Littlefish put it:
“If everyone’s a global admin, something’s wrong.”
This aligns closely with what we see when reviewing client environments. Most serious incidents aren’t the result of sophisticated attacks — they stem from mismanagement or human error. Industry data suggests around 80% of discovered breaches fall into this category: private keys pushed to GitHub, unsecured S3 buckets, exposed EC2 instances, or credentials that were never rotated.
Building a strong security culture matters just as much as tooling. If security is treated as a tick-box exercise, it will never be as effective as it needs to be.
Preventing attacks is always the goal, but resilience is just as important. As Laura Wilson from Splunk explained:
“You are going to be hit.”
Accepting that reality — and planning accordingly — is what allows organisations to recover quickly. Preparing for worst-case scenarios means defining the impact of downtime, creating incident response plans, and testing recovery procedures regularly. These are the practices that minimise disruption when an attack inevitably happens.
Bad actors have always existed, but AI is now lowering the barrier to entry. Attackers who previously lacked the technical capability can now use AI tools to identify targets, automate exploits and probe vulnerabilities at scale.
While this has increased the volume of attacks more than their sophistication, unsecured systems remain easy targets. This makes strong fundamentals — identity management, patching, monitoring — more important than ever.
Many organisations are tempted to keep cyber security fully in-house for a sense of control. In reality, the UK faces a national shortage of cyber security skills, and maintaining dedicated red teams and blue teams internally is often impractical or prohibitively expensive.
Even strong internal teams rarely have the capacity to handle their worst cyber day alone. Outsourcing parts of security operations is no longer just viable — it’s increasingly essential.
Understanding attacker Tactics, Techniques and Procedures (TTPs) helps organisations anticipate how threats unfold. Frameworks like MITRE ATT&CK provide a structured way to map real-world attacker behaviour, identify gaps, and improve defences.
AWS provided an interesting example of this in practice. Despite being one of the world’s largest cloud providers, they operate a network of around 30,000 intentionally exposed machines. As David Perkins from AWS explained, this system — known as MadPot — acts as a large-scale honeypot. Attackers believe they are breaching real systems, but are instead providing AWS with valuable intelligence on emerging techniques.
Looking ahead to 2026, the message was clear: don’t neglect the basics. Many organisations rush forward to gain market advantage, unintentionally opening security holes. Trading a little speed for security is often the safer choice.
Organisations that prioritise least privilege, strong identity management, diligent logging and realistic resilience planning are far better positioned for what comes next. Security is not a one-off project — it’s an ongoing process that must be built in from the ground up.
Cloud services are no longer just a convenient place to store data. They are Critical National Infrastructure. Cloud outages can, and do, have real-world consequences.
Historically, resilience meant having a backup. Today, that’s not enough. Resilience now means survivability and rapid recovery after an event.
Cyber attacks are no longer abstract risks. The 2025 attacks on M&S, Co-op and other major UK retailers brought the question “what if it happens to us?” firmly into the mainstream.
Many organisations still treat resilience as a minimum requirement to win contracts. But effective resilience must be designed in from the start, not added later. Key considerations include:
Resilience is like an MOT. Passing doesn’t make your system invincible — it just confirms a baseline. Continuous testing and rehearsal are what ensure recovery when it matters.
Regulations such as NIS2, DORA, and the Cyber Security and Resilience Bill (CSRB) are increasingly shaping expectations. While they can feel restrictive, they often act as accelerators for overdue change, driving accountability across organisations and their suppliers.
Resilience isn’t only about cyber attacks. The most significant threat to cloud services is often power grid failure, whether caused by extreme weather or deliberate attack.
Data centres can rely on diesel generators temporarily, but prolonged disruption can still air-gap even the largest providers. True resilience requires planning for these common-mode failures, not just isolated incidents.
Cloud infrastructure underpins healthcare, finance, transport and public services. The ability to survive and recover from disruption is no longer optional — it’s a societal responsibility.
At Shape, what this conference reinforced is simple:
Resilience and security are architectural decisions, not bolt-ons. They require foresight, investment, testing and cultural change. That investment may feel high, but the cost of ignoring it is far higher.