How secure is your cloud environment? If you\u2019ve outsourced to a managed service provider (MSP) and you\u2019re referring us to its SLA for an answer, we suggest you think again. Cloud-based data and applications might be hosted remotely, but responsibility for security doesn\u2019t stop at the data centre\u2019s front gate.\nIn reducing complexity, costs and the burden of local support, cloud is rightly becoming today\u2019s predominant business platform, but CIOs who believe that outsourcing the infrastructure means they\u2019re also outsourcing responsibility for corporate cybersecurity are doing their employers \u2013 and themselves \u2013 a real disservice.\nSecurity starts at home\nThe weak point in any security chain is more often than not human. Recycled passwords, social engineering attacks and a failure to implement 2FA\/MFA are more likely threats than remotely installed malware or any kind of physical attack. CIOs looking to secure their cloud data should turn their attention first towards their users, rather than their supplier.\nResearch by Microsoft, which counters more than 300 million fraudulent sign-in attempts on its cloud services every day, reveals that 99.9% of attacks can be countered through the single act of deploying multi-factor authentication, requiring a physical check or confirmation code in addition to a password on every account.\nIt\u2019s reasonable to believe the results would be similar for non-Microsoft cloud services, and MFA \u2013which is reasonably easy to use, even for the less digitally savvy \u2013 can simultaneously mitigate the risk of data loss when a device is stolen, compromised or left in the back of a taxi.\nSecure by Design\nSecurity needs to be baked in at every level and reassessed any time the business needs require an infrastructure change. Likewise, it is vital that organisations looking to partner with an unknown MSP verify that it has taken adequate measures to provide real-time analysis of their systems and potential threats through deployed security information and event management (SIEM).\nWith SIEM detecting threats from both inside and outside the organisation, monitoring behaviour and ensuring MSPs and their client remain in compliance with common security standards, administrators can detect issues before they become problems. Moreover, by establishing rules-based responses, systems can actively participate in their own protection, shutting down endpoint services or blocking access to hostile IPs at the point of detection while simultaneously ensuring business as usual for authorised users.\nUsing cloud services developed by a provider like Microsoft, rather than on-site or locally managed but remotely hosted infrastructure owned by the customer, ensures not only that organisations benefit from the latest intelligence sooner \u2013 and more timely updates to their core infrastructure \u2013 but that CIOs have the capacity they require to manage owned assets and track where their data rests. Securing CRM data at the server level but leaving staff laptops unprotected could, after all, give would-be attackers easy access to business-critical assets.\nSecurity portability\nLoyalty is no longer a given, either from staff to their employer, when their increasingly portable skill sets make them ripe to be poached, or from your own organisation to its suppliers.\nCloud offers easy terms, short contracts and platform-agnostic data formats, all of which makes it easy to switch suppliers. CIOs are duty bound to ensure that an organisation\u2019s security measures are at least as portable as its data if the business is to remain agile.\nSecurity, in itself, should never be a reason to stick with a current supplier if it\u2019s no longer the best fit. Likewise, moving from one provider to another shouldn\u2019t pose a security risk unless the provisions thus-far implemented are bespoke \u2013 which, by definition, makes them more complex to administer and prone to fail.\nThere\u2019s a sweet spot in every set-up that lets businesses develop services across diverse platforms without exposing their data to risk. It\u2019s the CIO\u2019s job to find it, ideally in partnership with their cloud provider. Security is no longer a service to be bolted on at the periphery; it\u2019s an infrastructure keystone, just like the storage and connectivity that facilitates cloud computing.\nRethink your security posture\nFind out how Avanade can help you rethink your security strategy\u00a0in a post-pandemic world, using Microsoft security technologies.