When you choose a cloud provider to deliver a service - be it managing your payroll or storing your data - you're effectively outsourcing a business activity. It's your responsibility to ensure that service provider is acting in your business's interest.
Take note of the legal jurisdictions your cloud service operates in, including country and region or state. Laws relating to data and intellectual property vary globally, so you'll need to know which jurisdiction the terms and conditions of your cloud service fall under in order to understand where legal disputes may arise and be heard.
Also consider whether data may be shared with third parties and, if so, what data; when and how your business is notified of any service outages; and what processes are in place should a security breach occur.
If more than one person in the business needs to access the cloud service, you need to make sure you can manage access appropriately for each individual or role type.
For example, with a cloud accounting service it may be important to segregate the access of your accounts payable and receivable staff. It's also unlikely all of your users need administrative rights to create and delete user accounts - this should be limited to those who genuinely need it.
It's important to revoke access of staff when they leave your business, given cloud services are accessible by anyone with an active user account and an internet connection. Make this part of the exit process for departing staff.
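The three checks above (access left active after someone departs, administrative rights held by people who don't need them, and one person holding both accounts payable and accounts receivable access) can be run as a periodic review of the service's user list. The following is an added example, not taken from any provider's documentation; the export format, role names, email addresses and staff lists are all constructed for illustration.

```python
import csv
import io

# Constructed sample data: a user export from a hypothetical cloud accounting
# service, and the current staff list from the business's own records.
USER_EXPORT = """email,status,roles
alice@example.com,active,accounts_payable
bob@example.com,active,accounts_payable;accounts_receivable
carol@example.com,active,admin
dave@example.com,active,accounts_receivable
erin@example.com,disabled,admin
frank@example.com,active,accounts_receivable;admin
"""
CURRENT_STAFF = {"alice@example.com", "bob@example.com",
                 "carol@example.com", "frank@example.com"}
APPROVED_ADMINS = {"carol@example.com"}
# Role pairs one person should not hold together (segregation of duties).
CONFLICTING = [("accounts_payable", "accounts_receivable")]


def review_access(export_text, current_staff, approved_admins):
    """Return a sorted list of (email, finding) for active accounts only."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        email = row["email"].strip().lower()
        if row["status"].strip().lower() != "active":
            continue  # disabled accounts can no longer sign in
        roles = {r.strip() for r in row["roles"].split(";") if r.strip()}
        if email not in current_staff:
            findings.append((email, "active account for someone not on staff list"))
        if "admin" in roles and email not in approved_admins:
            findings.append((email, "admin rights not approved"))
        for a, b in CONFLICTING:
            if a in roles and b in roles:
                findings.append((email, f"holds both {a} and {b}"))
    return sorted(findings)


if __name__ == "__main__":
    for email, finding in review_access(USER_EXPORT, CURRENT_STAFF, APPROVED_ADMINS):
        print(f"{email}: {finding}")
```

Running the review after each staff departure, and on a regular schedule, catches accounts that the exit process missed.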
Your business data is one of your most important assets.
Ensure that your cloud provider encrypts all your data, both when it's at rest (i.e. held in storage) and in transit (i.e. being sent or received).
In-transit data is usually protected using HTTPS, a common communications protocol used across the internet. Cloud providers will list the use of HTTPS among the features on their website and in the Terms and Conditions.
Similarly, you should read the specific information about the type of encryption used when data is at rest (stored on the cloud provider's servers).
Using a cloud provider doesn't relieve you of your responsibility to protect business data.
Before committing to a cloud provider, make sure you can also create a local backup of your data. This helps protect your business data against the failings of your cloud service provider, whether caused by a security incident, a system failure or any other failure of their business.
When you trust a cloud service provider with your data, you are assuming that the provider follows solid processes for keeping its cloud systems well maintained.
Confirm that your cloud service provider keeps its underlying IT infrastructure up-to-date with the latest security and reliability patches.
As your business grows, you will likely need to re-evaluate the risks associated with using a cloud service. You might, for example, negotiate access to system logs maintained by the cloud service provider so that you can monitor user access to your data, or investigate security incidents and service outages.