The concentration of your eggs into one basket is the biggest issue I see here. If your business email, SCM, DNS, CDN, storage, backups, compute, CI/CD, data warehouse/BI, desktop compute... all come from one company (e.g. AWS, MS, or GCP), then you can lose *everything* in a flick of the pen.
When you do risk assessments (e.g. SOC 2), you rank all your venders by risk, and answer "what could I do if I lost vendor X?" These are things a business is supposed to do, which is why many intentionally have more than one vendor for the same service, run hybrid cloud, etc when the answer to that question is "close my business."
When you do risk assessments (e.g. SOC 2), you rank all your venders by risk, and answer "what could I do if I lost vendor X?" These are things a business is supposed to do, which is why many intentionally have more than one vendor for the same service, run hybrid cloud, etc when the answer to that question is "close my business."