Cloud security — from all angles
Cloud accounting systems are cheaper, scalable and more advanced than most local and desktop alternatives. They help small businesses connect with their accountants in real time to collaborate on live documents. Accountants can process end-of-year adjustments in real time simply by accessing their client’s online file. So given all these positives, why are accountants still slow to adopt cloud-based technology?
The answer may lie in increasing concerns around security. Recent data leaks and hacks have hit huge organizations like Yahoo, JP Morgan Chase and the European Central Bank. These high-profile incidents could be making accountants, possessors of incredibly sensitive client information, wary.
Irene Marullo, a CPA and partner at Babaian CPA Associates PLLC in New York City, says her firm has experienced quick wins in efficiency using cloud solutions, but it isn’t ready to migrate all of its data to the cloud just yet. The firm is using mostly desktop-based software, though some of their clients have already transitioned to the cloud using programs offering cloud-hosted options such as QuickBooks.
So far, Babaian’s accountants have used the cloud to back up their files, replacing outdated backup tapes. The firm agrees that this is a more secure, reliable and space-efficient method. Babaian also moved its staff’s email into the cloud using Office 365. They no longer experience email outages around tax deadlines due to server overloading. Now, users at the firm have 24/7 email access from any device, anywhere.
If the cloud has worked this well so far, why doesn’t Babaian migrate all its data?
Marullo said that the firm is constantly vigilant about security risks and that clients are reluctant to move their information into the cloud. The firm lets clients decide when to move their data to the cloud, which is one reason why a full-scale cloud adoption is not possible yet.
The IT perspective
Chris Cevallos is CEO of Point to Point Solutions, an IT consultancy in New York City that has many accounting and professional services firms as clients. He works closely with these firms to identify potential cyberthreats and implement solutions.
Cevallos said accounting firms are vulnerable to the following kinds of attacks:
- Social engineering attacks where a hacker impersonates someone by spoofing their email address and sending an email to contacts they know;
- Viruses sent via email;
- Hardware attacks where USB drives are left lying around and launch an attack when plugged into your system; and
- Quid pro quo attacks where someone impersonates your IT consultant to get access to your system.
“Always consider that you’re under attack,” he said.
The legal perspective
While legitimate, these concerns aren’t reason enough to forgo cloud-based solutions. Justin Hectus, CIO and CISO of Keesal, Young & Logan, a law firm with accounting clients and a cybersecurity practice, thinks it surprising that people are still questioning the cloud in its entirety.
“There is a misconception about cloud storage and a lack of certainty of where the data is and how it’s controlled,” he said. “Data is still on computers when it’s in the cloud — the computers are just somewhere else rather than in your office. The basic concepts of security still apply.”
Hectus added that the right cloud-based solutions present the possibility of an improved approach to data security compared with a company that stores its data in an on-site server room. “Cloud solutions can provide better and up-to-date encryption, patching, and upgrades so accounting firms have the latest tools to protect them from hackers and security breaches.”
For those businesses using on-site servers and legacy systems, Hectus said that this kind of patchwork approach can be riskier and more complex than centralizing on the cloud. “There are more passwords to manage and more out-of-step or outdated products. Done right, having a cloud-based system can provide a simple, even approach across the board.”
Hectus recalled a time when small firms could not afford the same technology that larger companies had access to. Now, “with cloud-based versions of a document management system or secure file transfer technology, smaller firms can use the same tools as the largest organizations in the world.”
To mitigate security risks, accounting firms should choose a reputable and diligent cloud provider. Hectus advised that before deploying any cloud solutions, firms need to put vendors through their risk management and due diligence process to ensure the provider is doing its part to secure their data. He also recommended looking for vendor certifications and International Organization for Standardization (ISO) standards to help vet vendors.
Cevallos said firms under FINRA compliance requirements need to make sure their cloud provider is compliant as well.
Customizing a solution
Reputable cloud providers should have appropriate measures in place for data loss prevention, including antivirus and anti-ransomware protection. You only need to look to the recent global cyberattack dubbed WannaCry to understand their importance. Cloud solutions should have two-factor authentication and encryption that protects data not just on your computer at the office, but also in transit. Mobile devices are vulnerable, too.
Hectus reminds firms that, “Any cloud vendor can provide a laundry list of qualifications, but determine what’s more important to your firm when creating your own list.”
Real industry workflows show that cloud solutions mean greater efficiency and capabilities and, often, even greater security than on-site solutions. Accounting firms are understandably cautious in moving data to the cloud. However, by choosing the right vendors and establishing strong policies and procedures to protect both internal and client information, accountants can make the transition successfully. Efficiency benefits both accountants and their clients, so if your firm has been reluctant to consider the cloud, maybe it’s time to reconsider.