Is My Accounting Safe in the Cloud?
So you’re thinking of making the leap into the online era, the new frontier of accounting storage: the cloud (don’t worry, we’re not talking about the cumulus variety). Maybe you’re looking to save computer space by taking your accounting records off your hard drive or are interested in finding a more innovative way to store your data. Or maybe you’ve already made the switch! Whatever the reason, the fact that you are reading this article means that you want to know more about this new, sometimes daunting technology.
If you’re anything like me then at one point in time you may have thought that information stored in the cloud hovers above us in an invisible, data-like fog, which does not sound like a very practical (or secure) way to store much of anything. Obviously, this is not how it really works, but it does beg the question, what is the cloud exactly, and is it truly a safe way to store sensitive data like accounting information?
What is the Cloud?
The cloud, a slang term for remote computing, is rapidly being integrated into our everyday lives. You probably already use a version of a cloud system and might not even know it. If you use an email account or even a Facebook account, you are already using a version of the cloud! We even use the cloud when we bank online or use an Amazon account to pay for a product. It’s important to note that there isn’t just one cloud system; quite a large number of companies offer different cloud storage services at varying prices and varying degrees of protection. The cloud’s primary function is remote storage of data that, in most cases, backs itself up automatically.
To be more specific to accounting, data that would normally be kept on, say, a company computer’s hard drive, is instead stored on remote servers that can be accessed with an application or software provided by an external, third-party source. Therefore, in order to store, access, and manage your financial information, all you need is an Internet connection and a password.
But is this convenience really safe? Can you really trust something as important as your accounting data to something as nebulous and complex as the cloud?
Along with a growing demand for online cloud services has come an increased demand for security. No one wants to purchase a service they don’t feel comfortable using. Greater demands for security have led companies to develop some pretty standard measures of safety. It is important to note that every company offering cloud accounting services is going to have different safety standards and procedures, and it is up to you to look into those before you purchase cloud space.
The following are safety features to look for when it comes to purchasing the right cloud service for you and the needs of your company.
Most cloud companies offer automatic back-up services. Depending on the company you choose, some begin to back-up your data the moment the software is installed. Other programs also allow you to set your own back-up schedule, making it possible for you to customize how often you would like back-ups to occur. The best part about this feature is that once it is set up, your information is saved and stored with little to no effort on your part.
Another major safety feature involved with cloud use is redundancy. This means that multiple copies of your information are backed-up and stored in several different computer systems, and in some cases, different geographic locations, minimizing the risk of complete destruction of your information due to equipment wear and tear, a power outage, or even a natural disaster. By having your information stored on multiple computers (often with different back-up power sources), cloud providers can assure that in most instances your data will be accessible. Even with this feature, it is also a good idea to download your data and do your own back-up every so often. It doesn’t have to be frequent, but this ensures that you will always have access to older versions of your information. This would be helpful in the event that some of your information was accidentally deleted or tampered with, because most cloud companies only provide access to the most recent version of your information (which could include potential “bad” data).
While your data is being transmitted from your company to the cloud, and while it is stored on the cloud, you want to make sure that it is encrypted. Encrypted data is transposed into a special code; in the event the data is accessed by unauthorized personnel, it is next to impossible for that person to make any sense of what they’re seeing. There are different types of encryption and different standards of safety. Secure Sockets Layer (SSL) is a good example of a widely used encryption method, which provides safe transmission of your data from websites and browsers. SSL encryption is usually described by a number. For example, a company might use a 128-bit SSL encryption, which is pretty standard for accounting software; this is also the level of encryption that most major banks use. The higher the number, the lower the chance that anyone will ever be able to hack your information by using a brute force attack. To put this into perspective, cryptographers consider a 128-bit secret key virtually impossible to crack. It is estimated that it would take the fastest computers in the world millions of years to try all the different combinations required to break the code.
Customer Service and Technical Support
Another benefit to moving your accounting to the cloud is that most cloud companies come with customer service that is usually available to help with any needs you might have. An additional bonus is that these companies have their own IT teams, dedicated 24/7 to ensuring the highest level of protection. These IT teams also handle software upgrades, patches, and back-ups, all of which are included in the cost of your subscription charge. Customer service is not limited to cloud software but also applies to most locally installed software programs.
The cloud is hosted by a third party so your accounting service and any accompanying security measures are updated automatically, leaving you with the most up-to-date experience.
Risks and Vulnerabilities of the Cloud
As they say, the only guarantees in life are death and taxes. While cloud companies do have security measures in place, there is always the potential for some security risks. Let us further examine some of the risks that come with switching to the cloud.
Relying on the Internet
If the Internet connection goes down on either side then you will not be able to access your data. Think of a cloud server as a brain. This brain allows for communication between companies and the server, permitting information to be sent and received. If access to this brain is cut off on your end (say from an Internet outage), then you will not have access to your information. Similarly, if the “brain” itself fails for any reason, then you are at the mercy of the cloud company and their ability to get their servers back online. For example, in April of 2011 Amazon (an online merchant company which also provides cloud storage services) went offline. This caused major problems for the businesses that depend on Amazon’s East Coast servers to operate and complete business. The outage lasted for roughly 3 days. When you rely on your accounting being handled by a cloud computing company, you open yourself up to the same risks.
Denial of Service Attacks (DoS)
When relying on the internet, denial of service attacks can be another way you might lose access to your information. There are two types of attacks: Denial of Service attack (DoS) and Distributed Denial of Service attack (DDoS). A DoS occurs when attackers try to prevent legitimate users from being able to access or use a service provider by flooding or crashing the service provider’s systems. A DDoS attack is more serious; attackers flood the system with lots of different IP addresses that have been forged so that they are hard to trace (this is known as IP address spoofing). On November 4, 2015 Zoho (a business productivity app provider) experienced a DDoS attack that lasted intermittently for 6 days! It was accompanied by attempts at blackmail and extortion to get the attacks to stop. It is important to note that even though these attacks were extremely inconvenient, never was anyone’s information in any danger; it was just inaccessible. Think of a DoS attack as equivalent to going to your bank to withdraw some money. When you get there, you see a huge crowd of people blocking the entrance. Your money is still safe in the bank, but you have to wait until the crowd disperses to be able to access it.
Because your data can be accessed from any device with Internet access, it’s highly recommended that you choose a strong password, unique to your accounting program. Flimsy passwords can be one of the weakest aspects of using a cloud service if you are not careful. Choosing short and simple passwords that have to do with your own life is not a good idea. Passwords that use your birthday, children’s names, username, or anything else that is related to you in any way leave your account vulnerable to attack. It is also a good idea to regularly change your password to throw off any potential hackers.
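The password advice above can be turned into an automatic check. The following is an added example, not part of the original article: it rejects passwords that are short or that contain the user's names or birthday, even when disguised with character swaps. The 12-character minimum, the profile fields, and the sample profile are assumptions made for illustration.

```python
import re
from datetime import date

MIN_LENGTH = 12  # assumed policy value; the article gives no number
# Common character swaps, undone before looking for personal details.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
# The ways people usually type a date of birth.
DATE_FORMATS = ("%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y", "%Y")

# Constructed sample profile (not a real person).
SAMPLE_PROFILE = {
    "username": "mrivera",
    "first_name": "Maria",
    "last_name": "Rivera",
    "children": ["Sophie", "Daniel"],
    "birthday": date(1984, 3, 7),
}


def canonical(text):
    """Lowercase, undo character swaps, fold l and i together, keep letters only."""
    folded = text.lower().translate(LEET).replace("l", "i")
    return re.sub(r"[^a-z]", "", folded)


def check_password(password, profile):
    """Return the reasons a password is weak; an empty list means it passed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    names = [profile.get(k, "") for k in ("username", "first_name", "last_name")]
    names += profile.get("children", [])
    letters = canonical(password)
    for name in names:
        needle = canonical(name)
        if len(needle) >= 3 and needle in letters:
            problems.append(f"contains personal name '{name}'")

    born = profile.get("birthday")
    if born:
        digits = re.sub(r"[-/. _]", "", password)  # "07/03/1984" -> "07031984"
        if any(born.strftime(fmt) in digits for fmt in DATE_FORMATS):
            problems.append("contains your birthday")
    return problems


if __name__ == "__main__":
    for candidate in ("S0ph1e2012!", "Rivera-07/03/1984", "copper-violin-harbor-62"):
        print(candidate, "->", check_password(candidate, SAMPLE_PROFILE) or "ok")
```

Folding "l" and "i" together catches swaps such as "1" for either letter, at the cost of an occasional false match on short names.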
Government Seizures and Subpoenas
It is safe to say that most people like their privacy and are reluctant to just hand their data over to anyone in law enforcement or the government without being provided with a warrant. This is a factor you should strongly consider when outsourcing your accounting data to a third party provider. For example, in the United States, once you upload your information to the cloud, it is subject to different laws. Government law enforcement officials can, in most cases, access your data with a subpoena or a simple court order, instead of being required to show probable cause as well as a warrant. Though the likelihood of this actually happening would be very low, it is still good to be aware that it’s a possibility.
Other Countries and Different Laws
Another thing to be aware of is that some companies are located—or have their servers located—in other countries. It is a good idea to look into the privacy and safety laws that might apply in those countries, because what is applicable in your own country might not necessarily apply in another country.
There has been a lot of controversy surrounding the subject of bank feeds in recent years. Most major accounting cloud providers offer the use of bank feeds, which integrate your business bank account into their program. This eliminates the need to enter data manually. Services like Yodlee (a major cloud-data service provider to global banks) integrate a live feed of your financial information by using your bank username and password to access your account information. Yodlee uses a technique called screen scraping, which allows them to log into your account in read-only mode. Although it is widely recognized as a very secure provider, it is important that you review the terms and conditions of Yodlee (and other similar services), as well as the terms and conditions of your own bank so you can make an informed decision. One of the major concerns with using a cloud provider which employs a third party such as Yodlee is that by giving them your bank login details, you may be actually violating the terms and conditions of your bank. Many banks have updated their policies to allow this, but again it is smart to understand what you are signing up for. That being said, Yodlee hasn’t had any successful security breaches in the last 15 years and is used and monitored by some of the largest banks in the world.
Cyber Attacks and Hackers
Along with the increased use of online cloud services comes the increased presence of cybercrime. Where there is sensitive information being stored, there is likely someone who is going to try to access that information. If you were storing items like mundane Word documents or your latest attempts at becoming a flower photographer, you would likely be mildly upset if those items somehow managed to be hacked or leaked. But when it comes to financial documents and accounting data, if this information were leaked to the public or hacked, there would be much more severe consequences. With the passing of time, technology is becoming more and more sophisticated, and so are hackers, malware invasions, and security breaches. Though most cloud service providers work extremely hard to keep up with the latest security measures, there is always going to be a risk that advancements in technology will come with advancements in hacking. That being said, the top names in accounting software, companies like Xero (see our review) and QuickBooks Online (see our review), have never been successfully hacked.
Malware and Firewalls
Though cloud centers might be bigger targets for hackers, any computer with an Internet connection can be hacked. That is why it is important to make sure you keep up-to-date virus protection on your computer and use an extensive firewall system. This can help limit the risk of hackers using malware to access or steal your information through the use of techniques like keystroke logging. An example of this occurred in late 2013, when hackers were able to steal $300 million from banks around the world, primarily in Russia (it’s estimated that they actually stole more). They were able to do this by sending emails with links that, when clicked, installed a malware program called Carbanak. This form of hacking is known as phishing and will be addressed in the next section. After the malware was installed, hackers were able to use keystroke logging, take screenshots of bank computers, and even remotely control them to infiltrate the banks’ systems. Even more alarming is the fact that the attackers were so sophisticated that this fraud had been going on for about two years before banks, regulators, or authorities caught on. With that in mind, your computer being infected with malware is a risk for cloud users, but it can be an even bigger risk for locally-installed programs if the user does not have a strong firewall and virus protection.
Hacking isn’t limited to computer attacks; you can also be hacked in person. Though pronounced “fishing,” phishing does not involve a peaceful day on the lake trying to reel in a prize winning catch. In this instance, you and your company’s data are the “big fish” hackers are trying to lure in. Knowing this, it is important to be cautious of anyone who claims to be from IT and asks for your password or any other sensitive information. Hackers can gather information through phone calls and emails that will often look and sound completely legitimate. Usually, these emails will have questionable links, but without proper training, an employee might unintentionally give away important data. Though Xero has never been successfully hacked, in October of 2015 they dealt with attempted phishing attacks. Attackers sent out official-looking emails that asked customers to use the links provided to change their password for security reasons. The links contained malware that gave attackers the ability to compromise the accounts of anyone who clicked on them. Xero worked to help affected users and responded by sending out emails warning customers to not trust any emails with external links. They encourage people to go directly to the Xero website in order to access their account and change their password. Here are some more tips from Xero to avoid being phished.
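The advice to distrust links in password-change emails can be checked mechanically. The following is an added example, not from the original article and not from Xero: it lists every link in an HTML email body that does not lead to the provider's own domain over https. The domain `accounting-provider.example` and the sample email are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "accounting-provider.example"  # placeholder: your provider's real domain

# Constructed sample e-mail body; every host and address in it is made up.
SAMPLE_EMAIL = """
<p>For security reasons, please change your password:</p>
<a href="https://login.accounting-provider.example/reset">Reset password</a>
<a href="https://accounting-provider.example.account-verify.example/reset">https://accounting-provider.example/reset</a>
<a href="https://accounting-provider.example@203.0.113.7/reset">Change password</a>
<a href="http://accounting-provider.example/reset">Reset</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_trusted_host(host):
    """True only for the trusted domain itself or one of its subdomains."""
    return host == TRUSTED or host.endswith("." + TRUSTED)


def suspicious_links(html_body):
    """Return (href, reason) for each link that should not be clicked."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        try:
            parts = urlsplit(href)
            host = (parts.hostname or "").lower()
        except ValueError:
            findings.append((href, "malformed link"))
            continue
        if parts.scheme != "https":
            findings.append((href, "not an https link"))
        elif not is_trusted_host(host):
            reason = "leads to a different site"
            if TRUSTED in text.lower() or TRUSTED in href.lower():
                reason = "shows the provider's name but leads to a different site"
            findings.append((href, reason))
    return findings
```

Comparing the parsed host, rather than searching the link for the provider's name, is what catches the second and third sample links.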
We live in an age where our phones are basically little computers; the problem is, we sometimes fail to think of them that way. Many cloud services allow you to access your account on your Android device or iPhone, which can be extremely convenient, but also creates an opportunity for your information to be a target. Many people do not have virus protection or anti-malware on their smartphones, leaving them especially susceptible. It is also a lot harder to keep track of employees’ smartphones and the Wi-Fi networks they might be logging onto. It is a good idea to look into how secure your phone is before using the accounting app on your mobile device and to establish company rules and guidelines for employees who will be using their phones for work.
Unencrypted Hacks and Encryption Keys
If your data is unencrypted, it is an easy target. It’s important to know who has access to your encryption keys. Your encrypted information is only safe if it stays encrypted. It is always a good idea to keep the encryption keys with you and not store them in the cloud. If you leave encryption up to the service provider, you are also trusting that they will keep your data encrypted and not share it with anyone.
Though it is not likely, there is a risk that an employee of the cloud company might steal and/or share your data. This happened in 2013, when Edward Snowden gathered hundreds of government documents and released them to the public. Many cloud companies require their employees to sign confidentiality agreements, but there is always a possibility that people will break the law.
Another risk to your data is you! “How can I be a risk to my own accounting security?” you might ask. Easily. It is very important that you don’t share your password with anyone, especially if you wouldn’t want them to have access to all of your information. Once you give that information to someone else, they have the potential to share it as well.
What to Look for when Choosing your Accounting Cloud Provider
- A cloud company that has a good reputation is a great place to start.
- Examine what kind of certifications the company has.
- It is also important to note that when shopping for your service provider, you need to be aware of two separate components: the company selling the cloud service and the data center used by this company to store your information.
- In addition, here is a list of several standard safety features you should look for when it comes to finding the right company to entrust your information to:
  - Encryption, 128-bit SSL or higher. Some companies even use 256-bit encryption.
  - Extensive firewall technology.
  - Third-party audits/monitoring, along with penetration testing.
  - Off-site methods of backing up all of your data.
  - Servers that are protected from electronic and physical access by unauthorized personnel.
Warning: Though there is some standardization for the safety claims that companies make, it is a good idea to research which company has the best options for you! Details about some safety measures are not easy to find on websites; you can find out more information by checking out our review section here, where we have done the leg work for you! If you still have questions, you can do more research or talk to a representative of the cloud provider yourself.
What Does This All Mean?
We have examined what the cloud is, explored some of the standard safety features, and reviewed potential risks that come with using the cloud. But the question remains, is the cloud really a safe way to store your accounting data?
I cannot stress enough that the most important thing you can do to make sure you are choosing the right cloud service is to do your homework. At the end of the day, it boils down to what is right for you and your company. No system is going to be perfect, but if you want the convenience that comes with transferring your accounting data to the cloud, make sure you do your research and find a cloud company with security standards you can trust.