The cloud has become the epitome of innovation, drastically improving the efficiency and simplicity of accounting and bookkeeping tasks. Cloud accounting has started to become the standard with tools like QuickBooks Online, Xero, and Zenpayroll. However, more often than not, CFO’s and controllers don’t understand the full extent of security protocols these systems have in place to protect some of their company’s most valuable and sensitive data. Data breaches aren’t just for the big guys, they can happen to anyone or any company – you or your cloud accounting software provider; so it’s important to protect yourself. Even if you aren’t the most technical person, it’s your responsibility to know the risks and find ways to mitigate them.
The most common risks for the data stored inside your cloud accounting software stack are data theft and loss. If your company data is stolen, it could cost your company money and the lessen your credibility to lenders. If you data is lost through either malicious or accidental deletion, you run the risk of slowing or halting operations, failing audits, or other liabilities.
Thankfully, there are things you can do and look for when searching for cloud accounting software to protect your data.
This one seems obvious, but there are specific things you want to look for. One of the most important aspects is to understand where and how your data is stored, and who at your service provider can access your data. All data should be encrypted and the encryption keys properly stored by the vendor, and data transmission should only occur over HTTPS. Also, depending on your industry regulations, you may need to make sure that your data is stored in a specific country or is stored by a HIPAA compliant vendor. Be aware of industry regulations and that the software provider meets them.
Third Party Applications
Any application that you grant access to your existing cloud accounting software will affect the security level of your data with its own security regulations. Be sure to only connect trusted applications that meet the same levels of data protection. You can look for reviews in trusted marketplaces, recommendations from other users, and industry certifications. Be sure to monitor the permissions that you grant third party applications and that they only have access to the data they need access to. For example, if you are using a report building tool, make sure that it doesn’t ask for access to your connected bank account. That data is being pulled into your accounting software for the tool to build reports so it would be an unnecessary permission. It is also a best practice to regularly review the applications that are connected to your software and remove any that are no longer being used.
You are entrusting another company to hold on to your company data for you and possession is 9/10ths of the law. Carefully review your terms of service and be sure to ask about the ability to retrieve your data from the company. Is there an easy way to export the data? What happens to the data if you decide to terminate service – do they hold on to a copy of it? For how long? What is the procedure if you don’t pay your bill or the company shuts down, is there a protocol for getting your data? It’s not uncommon for companies to hold a copy of your data for a certain period of time after services have been terminated, they often do this to ensure that you don’t lose anything in the transition. However, especially if it’s sensitive data, be sure there is a time limit on how long they keep it. Another important requirement to look for is whether the company is looking to sell or share any data you may have stored with them. Be sure to fully understand your software vendor’s responsibilities to your company’s privacy.
One of the best things about the cloud is that there is usually a built in backup feature. However, this feature is sometimes only meant to protect the service provider – meaning they don’t want to be the cause of lost data. However, sometimes they don’t cover you if YOU lose your data (meaning you accidentally delete or change it). Understand what the policy is. Can they help you get back lost data? Are their restrictions or limitations on what they backup? If they are limited, have a plan in place to make copies of your own data – either by using a backup service or by exporting the data and keeping copies of it.
If QuickBooks goes down, so do you. Make sure that your service level agreement with your vendor includes an uptime promise and policy. What is their plan and procedure if they experience an outage? This should include both planned and unplanned downtime.
The number one security risk for companies is poor password management. Be sure to use strong passwords – using a tool like LastPass or 1Password will help you use secure and unique passwords with the convenience of not having to remember or type them. It is also a good policy to grant users access only to what they need. Make sure that your software allows you to set roles and permissions to help you regulate access. Don’t encourage account sharing – make sure that everyone has their own login and password to the software. This will help create audit logs in case there is a breach or loss and help manage users that either leave the company or change roles.