A typical SMB IT infrastructure consists of a consumer class firewall, dumb network switches, an entry level server that sits in a poorly secured closet, inadequate environmental controls, no fire suppression systems, and no redundant power.
The facility itself is likely a shared office space without 24×7 security monitoring or other theft deterents.
In short, SMBs typically have all of their proverbial eggs in one basket and lack the expertise and financial resources to properly safeguard their data.
By migrating their data to a cloud services provider who does have high availability IT infrastructure, proper environmental controls, redundant power systems, 24×7 security, security card access, locked server cages, etc… they can mitigate against many of the shortcomings of DIY IT solutions.
Assuming that the cloud provider takes no additional measures to secure customer data, the above measures still represent a vast improvement over the status quo.
Taking into account the likelyhood that the cloud provider has superior firewall and IPS/IDS systems, encrypted backups, two factor authentication options, more frequent security patch rollouts, and NOC techs with superior skills (to name just a few), I would argue that an SMB that chooses to run apps and desktops from the cloud is in a much better position than if they choose to run their own IT systems in-house.
What do you think?