Cloud or Local: The Pros and Cyber Security Considerations
June 12, 2025 • By Charles
Introduction
At Yopla, cyber security isn’t just a technical issue — it’s a strategic one. It sits at the centre of how we align people and technology, and in many ways, it determines who gets to do their best work, and how safely they can do it.
But when we talk with clients about security, the conversation often turns into a binary:
Should we go cloud or stay local?
That framing makes sense on the surface. But dig deeper and you realise it’s really about values, culture, and control — not just infrastructure. The cloud vs. local conversation is also a conversation about power: who holds it, how it’s distributed, and what kind of flexibility or protection an organisation chooses to prioritise.
"The next security frontier is to empower everyone, organisations and individuals, to benefit from technology and the digital economy without having to become security experts." Satya Nadella, CEO of Microsoft
What are we really talking about?
To understand the real stakes, we need to move beyond buzzwords. So let’s get clear:
Cloud computing typically refers to tools like Google Workspace, Microsoft 365, or AWS-based systems, where infrastructure is hosted remotely and accessed via the internet.
Local computing means your data and applications are stored on servers or devices you own or manage directly.
These aren’t just technical distinctions. They influence how people work, collaborate, and access opportunity.
For instance, in a fully cloud-based environment, everyone accesses the same version of a document or dataset — there’s one shared source of truth. That reduces friction, improves real-time collaboration, and cuts down on version chaos. You can work across locations and devices with minimal setup — a massive enabler for flexible and inclusive teams.
Conversely, local infrastructure often reflects a culture of control — keeping sensitive data in-house, tailoring applications closely to operational needs, and retaining the ability to function in low-connectivity environments.
Reframing the Cloud: It’s About Access
Cloud infrastructure democratises access. It gives people the tools to contribute, wherever they are. At Yopla, we believe access to great tools — and secure, seamless workspaces — should be a right, not a privilege.
And yet, cloud systems do introduce new risks. They assume connectivity. They rely on third-party patching cycles. And they often mean you’re entrusting vast amounts of organisational data to platforms whose commercial models may not always align with your values.
But here’s the twist: cloud-first does not mean security-last. In fact, by removing local points of failure — unpatched devices, outdated apps, poorly secured file shares — cloud systems often reduce risk rather than amplify it.
Security is no longer just a perimeter. It’s a practice.
What does Local really offer?
Local computing often gets framed as old-fashioned, but that’s an oversimplification. For many organisations, especially those working in sensitive sectors or under specific regulations, local means control.
It offers:
Full visibility over where data sits and who can access it
Tailored security protocols that don’t rely on external vendors
High performance for data-heavy tasks, without reliance on internet speeds
A guarantee of continuity in environments where cloud is patchy or unavailable
There’s also a strategic comfort in knowing your critical infrastructure isn’t dependent on a SaaS platform’s roadmap — or pricing strategy.
But that control comes with overhead. Maintenance, updates, security patching — all sit on your shoulders. And collaboration? It’s rarely as smooth.
It’s Not Either/Or — It’s About Fit
The most effective organisations don’t treat this as a binary. They adopt a layered, hybrid model that flexes around need:
Cloud for collaboration, agility, and external engagement
Local for sovereignty, resilience, or specific performance demands
And they layer this with a strong security posture — not just locked-down networks, but confident teams who know how to work safely.
Cyber security isn’t just about stopping threats. It’s about enabling momentum — without compromising trust.
Yopla’s Perspective: Aligning People and Technology, Securely
At Yopla, our job isn’t to sell you a specific tool or route. It’s to help you think clearly about what your organisation needs, and what your future demands.
That means helping clients ask:
Where do you need speed, and where do you need control?
Where do your people need better access?
What would secure-by-default look like for your specific team?
How do you minimise waste — not just in tech spend, but in time, confusion, and duplicated effort?
Whether you lean into cloud, stay grounded in local, or blend both — the point is to build something that supports your mission, makes your people’s lives easier, and sustains over time.
Closing Thought
Infrastructure is never neutral. It shapes how people behave. It shapes who gets to participate. It shapes how safe we feel at work.
So if you’re rethinking where and how your organisation operates, make it a values conversation — not just a procurement one.
Secure systems should enable freedom, not restrict it.
It’s remarkable that today, at the height of the tech industry’s dominance, organisations across the globe continually fail to achieve their digital ambitions. But why? Despite massive investments in time and money, the same themes repeat. What our research shows is that digital transformation doesn’t fail because technology is lacking; it fails because organisations overlook the people who are expected to use that technology.
In this article, we’ll explore what we’ve learned, share our key insights, and explain how understanding what your team already does is essential to making a success of digital transformation.
McKinsey, Capgemini, and Deloitte studies show failure rates of 67-75%, at an average of 2.5 years in. One Deloitte study found that only 13% of transformation projects were a success!
The introduction of new software or systems often promises transformation: faster workflows, better collaboration, improved performance. But let’s be honest — most of these implementations underdeliver. Not because the tools are bad, but because we don’t truly understand the workflows they’re supposed to improve.
"Understanding people’s habits is absolutely critical. If you can see the habits, you see the real workflows. And it’s those habitual workflows that will make the biggest difference to your organisation. Because they’re a mirror to reality."
In other words, if you want change to stick - you need to understand how your people actually work, not just how you wish they worked.
As we delve deeper into the digital age, the intersection of artificial intelligence (AI) and cybersecurity presents both groundbreaking opportunities and unprecedented challenges. Among these challenges, social engineering stands out as a particularly insidious threat. Social engineering attacks exploit human psychology, rather than technological vulnerabilities, to gain unauthorised access to personal information, corporate data, or secure systems. With the advent of sophisticated AI technologies, these attacks have evolved, becoming increasingly sophisticated and difficult to detect.
"Only amateurs attack machines; professionals target people." Bruce Schneier, Security Expert and Author
Understanding social engineering
Social engineering is predicated on the manipulation of trust. Attackers impersonate individuals or entities that their victims trust, creating scenarios that compel the victims to voluntarily surrender sensitive information, access, or finances. Techniques such as phishing, pretexting, baiting, and quid pro quo are common, leveraging the human propensity to trust and to help. In the context of AI's rise, these tactics have been significantly enhanced. AI can now create convincingly fake videos (deepfakes), voice imitations, and personalised text communications, elevating the risk and potential impact of social engineering attacks.
The integration of AI into social engineering introduces a dual-edged sword. On the offensive side, attackers utilise AI to automate and refine their attacks. For example, AI algorithms can sift through social media and other online platforms to gather personal information, which is then used to craft highly personalised and convincing phishing emails. On the defensive front, AI and machine learning technologies offer promising tools for detecting and mitigating these threats. They can analyse communication patterns, identify anomalies, and flag potential social engineering attempts, often in real-time.
Examples of social engineering
Phishing emails
Emails that mimic legitimate organisations, such as banks or service providers, request urgent action, typically involving clicking a link or opening an attachment. Look out for misspellings, generic greetings (e.g., "Dear Customer" instead of your name), and email addresses that closely resemble but don't exactly match the official ones.
Pretexting
Attackers create a fabricated scenario (pretext) to obtain your personal information. They might pose as survey conductors, bank officials, or IT support, asking detailed questions under the guise of verification or support. Be wary of unsolicited calls asking for sensitive information or actions you didn't initiate.
Baiting
Baiting involves offering something enticing to trick someone into a security mistake, like malware hidden in downloadable content or USB drives left in public places labelled with intriguing titles. Always question the origin of unexpected or too-good-to-be-true offers, especially when they involve downloading or accessing something.
Quid pro quo
Quid pro quo is similar to baiting but involves a direct offer of exchange. For example, attackers might offer assistance or free software in exchange for access to your computer or credentials. Be sceptical of unsolicited offers of help or services, particularly when they request access to personal or company systems.
"Companies spend millions of dollars on firewalls, encryption, and secure access devices, and it’s money wasted; none of these measures address the weakest link in the security chain: the people who use, administer, operate, and account for computer systems that contain protected information." Kevin Mitnick, Cybersecurity Consultant, Author, and Former Hacker
Tailgating
An attacker seeks to gain unauthorised access to restricted areas by following someone who has legitimate access. This is common in office buildings or secure facilities. Be alert for individuals who attempt to enter secure areas without the proper credentials, often by asking for the door to be held open.
Spear phishing
A more targeted version of phishing, where the attacker uses personal information to craft a convincing message, making it appear relevant and trustworthy. These emails might reference recent transactions, work projects, or personal interests. Always verify the authenticity of messages that request sensitive information, even if they seem to know about you or your activities.
Vishing (voice phishing)
Conducted over the phone, vishing often involves the caller pretending to be from a trusted company or institution, seeking personal or financial information. Common red flags include callers asking for passwords, PINs, or other sensitive information, often with a sense of urgency or threat.
Smishing (SMS phishing)
Smishing is similar to phishing but conducted via SMS. These messages might prompt you to click a suspicious link, claiming to be from a bank, courier, or tax office, often related to urgent issues requiring immediate action. Look out for messages that come from unknown numbers or that create unnecessary urgency to act.
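The red flags listed under "Phishing emails" above (generic greetings, sender addresses that closely resemble but don't exactly match the official ones, urgent calls to action) can be checked mechanically. The following is an added example, not part of the original article; the trusted-domain list, the wording patterns and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains this organisation really deals with (constructed names).
TRUSTED_DOMAINS = ("examplebank.com", "courier.example")
GENERIC_GREETING = re.compile(r"^\s*dear\s+(customer|user|client|member)\b", re.I | re.M)
URGENCY = re.compile(r"\b(urgent|immediately|account will be (suspended|closed))\b", re.I)
# Character swaps often seen in lookalike domains, undone before comparison.
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a, b):  # Levenshtein distance, computed one row at a time
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` nearly matches (same after
    undoing swaps, or at most two edits away), or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    normalised = domain.replace("rn", "m").translate(SWAPS)
    for trusted in TRUSTED_DOMAINS:
        if normalised == trusted or edit_distance(domain, trusted) <= 2:
            return trusted
    return None

def red_flags(raw_message):
    """List the red flags found in one RFC 5322 message given as text."""
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Only undecoded text/plain parts are inspected; enough for this sketch.
    body = "".join(p.get_payload() for p in msg.walk()
                   if p.get_content_type() == "text/plain")
    flags = []
    if (target := lookalike_of(domain)):
        flags.append(f"sender domain {domain} resembles {target}")
    if GENERIC_GREETING.search(body):
        flags.append("generic greeting")
    if URGENCY.search(body):
        flags.append("urgency cue")
    return flags

# Constructed sample messages, not real mail.
PHISH = ("From: Example Bank <alerts@examp1ebank.com>\nSubject: Notice\n\n"
         "Dear Customer,\nYour account will be suspended unless you verify immediately.\n")
LEGIT = ("From: Example Bank <alerts@examplebank.com>\nSubject: Statement\n\n"
         "Hello Priya, your monthly statement is ready in online banking.\n")
```

Calling red_flags(PHISH) reports all three indicators, while red_flags(LEGIT) reports none. The two-edit threshold can misfire on very short domain names, so treat a hit as a prompt to verify rather than as a verdict.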
Staying safe: advanced tips and best practices
Comprehensive education and training
Beyond basic awareness, individuals and organisations must engage in comprehensive education on the nuances of AI-enhanced social engineering attacks. This includes understanding the technology behind AI and the psychology of manipulation tactics.
Critical thinking and verification
Encourage a culture of critical thinking and verification. This means not just verifying suspicious emails, but also being sceptical of unusual requests via phone, social media, or even in person.
Privacy management
In an era where personal information is gold, managing one's digital footprint is crucial. This involves regularly auditing social media privacy settings and being cautious about the information shared on public platforms.
Advanced security protocols
Utilise AI-driven security solutions for enhanced detection capabilities. Additionally, organisations should implement robust security protocols, including secure VPNs, end-to-end encryption for sensitive communications, and advanced endpoint protection.
While multi-factor authentication (MFA) is essential, consider employing even more stringent authentication methods for accessing sensitive systems and information, such as biometric verification.
Incident response and reporting
Develop a sophisticated incident response plan that includes protocols for dealing with social engineering attacks. This should encompass immediate measures to contain and mitigate the attack, as well as long-term strategies for recovery and reinforcement of defences.
Regular updates and adaptation
The landscape of AI and social engineering is continually evolving. Regular updates to security protocols, software, and employee training are vital to keep pace with new threats.
Promote psychological safety
Encourage an environment where employees feel safe reporting potential social engineering attempts, without fear of blame or retribution. This can significantly enhance an organisation's ability to respond to and mitigate these threats promptly.
"Cybercrime is the greatest threat to every company in the world." Ginni Rometty, Former CEO of IBM
Conclusion
As AI continues to evolve, so do the tactics of social engineers. By staying informed and using the latest security technologies, we can protect ourselves and our organisations from these sophisticated attacks. Remember, it's not just about protecting data; it's about building a culture of cybersecurity awareness and resilience that can adapt to the ever-evolving digital landscape.
If you want to chat about how to encourage cyber awareness within your organisation, or talk about digital transformation generally, don't hesitate to get in touch!