It's really pretty simple. If you put data unencrypted in the cloud, it can be (usefully) stolen. If you run applications on your computers that you didn't write, they may have Trojan horses in them. If you run any standard OS or software on a network, you are subject to 0-day defects that could steal anything on that computer or plant software that watches future activities.
Plan accordingly. In practice, this means strategically placed air gaps and encryption, as well as turning off automatic software execution when USB drives or CD/DVDs are plugged in, running updated software and virus checkers (but don't trust either to find everything), and most importantly, employee training. If you aren't doing any of those, start with employee training. Employees with security training will help you find your weaknesses -- without training, they only create additional weaknesses.