Twenty years ago, a business owner asking about “the cloud” got a nervous look from their IT person. Is it safe? Where does the data actually live? What happens if the line goes down? Putting your accounts, your emails and your customer list on somebody else’s computer, in a building you’d never visited, felt — frankly — like a leap of faith.
That argument is over, and the cloud won. The kit that used to sit humming in the cupboard down the hall has largely moved out: businesses keeping their servers in-house now account for under a third of the world’s data-centre capacity, down from well over half in 2018, and the overwhelming majority of businesses — somewhere around nine in ten — run a meaningful chunk of their operation in the cloud. Microsoft 365, Google Workspace, Xero, the lot. Most of you reading this made that move somewhere between 2015 and 2020, and on the whole it’s been good: fewer servers to babysit, fewer 6am phone calls, an email system that doesn’t fall over the moment the office floods.
But lately there’s a mood. You can feel it in the room. A creeping sense that maybe we handed over a bit too much — that between the cloud holding all our secrets and AI now reading them, it might be time to pull the drawbridge up and keep the data in our own building again. Own it. See it. Switch it off if we don’t like the look of it.
So: is there a storm brewing? And if there is, should you head for the bunker?
Short answer — there’s weather, yes. But the storm you keep watching the sky for probably isn’t the one that’ll catch you.
The breach you’re picturing
The fear is a clean one. One morning Microsoft, or Google, or one of the big AI firms has The Big One — a breach so enormous that everyone’s data spills out at once, and the only people left standing are the ones who kept their servers in the stockroom.
It isn’t a silly fear, because breaches are real and they’re expensive. The average data breach last year cost a business around $4.4 million — though, interestingly, that figure actually fell for the first time in five years, and we’ll come back to why. And it’s not theoretical or far away, either. Last spring, Marks & Spencer, the Co-op and Harrods were all hit in the space of a few weeks — M&S worst of all, knocked sideways for the better part of a month, with customer details walking out the door. The way in wasn’t some Hollywood super-hack; it was a phone call that fooled a staff member into resetting a password. And yes, the AI companies leak too: one well-known AI firm was found to have left an entire database wide open with no password on it at all — chat histories and credentials sitting there for anyone who wandered past.
So far, so “bring it all home,” you’d think. Here’s the inconvenient bit. When you look at where breached data actually lived, keeping it in your own building doesn’t make it safe. Data stored on-premises got breached too — in fact the share of breaches involving purely in-house data went up last year, not down. A server in your stockroom isn’t a vault. It’s a server, in your stockroom, that now has nobody watching it at three in the morning.
The honest version is the boring one: data can be got at wherever it sits. The real question was never cloud or my building — it’s who’s actually minding it, and how fast would they notice if something went wrong.
The robot you’re worried about
Then there’s the AI of it, which is really half the unease — and it isn’t about data at all. It’s the Skynet feeling. The sense that we’ve plugged something clever and faintly sinister into the heart of the business, and one day it’s going to become self-aware, decide it can’t open the pod bay doors, and start making decisions we never signed off on. Add the worry that it’s quietly coming for everyone’s job, and “let’s keep things in-house and switch the AI off” starts to sound a lot like sanity.
Two honest things here.
First — and this genuinely surprised me — the AI everyone’s nervous about is, right now, the very thing bringing those breach costs down. Not because it’s grown a conscience, but because it spots a break-in far faster than a tired human staring at a dashboard at midnight. The villain has quietly taken a second job as the night watchman.
Second, and more useful: Skynet is not your problem this quarter. Judgment Day is not on the calendar. What’s actually happening, in real businesses, right now, is far more ordinary and much harder to spot. It’s Dave in accounts — lovely Dave, up against a deadline — quietly pasting the customer spreadsheet into a free AI tool he found online to “just tidy it up a bit.” No malice, no robot uprising. Just your data, gone off to who-knows-where, and nobody any the wiser. That sort of thing turned up in roughly one in five breaches last year. That is the AI risk. It isn’t HAL. It’s a well-meaning colleague and a deadline.
And notice — hauling your servers back into the building does absolutely nothing about Dave. He’s still got a browser.
So — own your data, or don’t?
Here’s where I’ll be straight with you, because that’s the whole point of these notes.
For some businesses, owning your data outright is exactly right — and not out of fear. If you run bespoke software that lives on your own server, if you’re in a line of work where the data genuinely cannot leave the premises, or if you simply prefer paying once and owning the thing rather than renting it forever, then on-premises isn’t running for the hills. It’s a deliberate, grown-up choice — and a good one. Plenty of very profitable businesses never left, and they were right not to.
But “the cloud is dangerous, bring it all home” is the wrong lesson to draw from a real worry. Dragging everything back into the stockroom doesn’t make a breach less likely, it doesn’t stop your team feeding data into AI tools, and it certainly doesn’t stop AI changing how work gets done. It solves the one anxiety you can see, and none of the three you actually have.
The better instinct — the sound one, buried under the panic — is simpler than “retreat.” It’s stop handing things over without thinking. So don’t repatriate everything. Do the grown-up version instead. Work out which bits of your data genuinely matter, and decide — on purpose — where each of them ought to live. Know what you’d lose, and how quickly you’d know you’d lost it. Have an actual rule about which AI tools your team is allowed to use, so that decision isn’t being made by Dave at 4:50 on a Friday. Own the things worth owning, rent the things worth renting, and don’t outsource the thinking to either the cloud or the bloke who sold you the cloud.
The storm’s real enough. It’s just smaller, closer and a good deal more human than the trailer made it look. Skynet isn’t coming for your business this year. But Dave, a free chatbot and a deadline very much are — and no number of servers in the cupboard will save you from that. A clear head will.
If you’d like a genuinely honest, jargon-free opinion on where your data ought to live — your building, the cloud, or the sensible bit of both — that’s exactly the kind of conversation we like having. No sales pitch, no scaremongering. Just a straight answer.
