How To Keep Accounting Data Safe In The Cloud

We store away our physical treasures behind locks, but what about the treasures we can’t see? What about the information we store on that invisible mystery called the Cloud?

The internet is arguably the place we need security the most, and the place we most often forget about it. If you use cloud-based accounting software, security is even more critical; after all, this is where you record sensitive financial information for your company, employees, and customers.

Most cloud-based accounting software companies offer some range of security measures, but are those measures enough?

Unfortunately, the answer to that is often “no.” While choosing a software company with strong security is a must, it is important to realize the role that you personally play in keeping your data safe in the cloud. In this post, we’ll provide eight helpful tips and tricks to maximizing your security so that you can keep your accounting information safe and secure. And you don’t need to be a tech genius to implement them.

Questions To Ask About Your Service Provider

First things first, be sure to choose a software with strong security.

Good accounting software companies are upfront and honest about their security policies, and these policies can generally be found on the bottom of their websites. If you aren’t very familiar with cloud accounting or internet security, it can be hard to know what to look for in terms of security measures, so we’ve created a list of questions for you to ask your current or potential service provider.

Note: If you are using or choosing a locally-installed accounting software, your software provider does not provide security. You are on your own in terms of security since all safety measures will be directly attached to your own computer. Skip down to the next section for helpful security tips (most of which apply to locally installed software as well) or stay tuned for our How To Keep Your Locally Installed Accounting Software Secure post.

1. Do They Have Multiple Data Centers?

You want to find a company that has multiple data centers, preferably in different, undisclosed locations. This way, if anything happens to one data center, you will still have a copy of your company file saved safely.

One of most common issues with cloud accounting is servers crashing. If a company has multiple data centers with multiple servers, then this is no longer a problem and you can continue using your software in peace.

2. What Are The Physical Security Measures At These Data Centers?

Since data centers store your sensitive financial information (including bank accounts, credit cards, SSN, etc.), you want to ensure that strong physical security measures are taken to protect your information. Physical security measures can (and should) include:

• 24/7/365 surveillance
• Video monitoring
• Bulletproof walls
• Fire protection
• Flood protection

3. Is Data Backed Up Regularly?

Not having frequent data backups should be a deal-breaker. If anything should ever happen, you want to be able to retrieve up-to-date copies of your data files.

4. Is my data encrypted?

One of the most important security measures to look for in accounting software is data encryption. 256-bit SSL encryption is ideal. Read our post What is SSL? A first Look at Online Security if you’d like to learn more.

5. Who Has Access To My Data?

Carefully read your company’s privacy statement to see who has access to your data and how that data is used. Often, live bank feed integrations or accountants will have read-only access to sensitive information, which is important for you to know. My general rule of thumb is if reading the privacy statement makes you feel queasy, it’s not right for you.

Also, be sure to ask who else has access to the data centers. Ideally, companies have controlled entrances and admit authorized personnel only.

6. Does The Company Have Virus/Intrusion Detection?

This is a key preventative measure that can catch any potential intrusions or breaches before they become a problem, giving you peace of mind and added security.

7. Are There Firewalls In Place?

A firewall blocks unauthorized access to a network, offering another layer of preventative security.

8. Has The Company Ever Been Hacked Before?

This is probably the most important question. Being hacked (or experiencing a security breach) in the past can obviously be a huge indicator of poor security (although, if the hack was the catalyst for significantly improved security, then the company may be worth keeping in the running).

You’ll also want to check the company’s downtime ratings or history—that is, how often the company’s servers crash. You want a company with positive uptime and as few crashes as possible. You might have to do some Googling to discover this information.

9. Bonus: Does The Company Offer Two-Factor Authentication?

While two-factor authentication isn’t necessary, it adds another layer of security that prevents hackers, or even employees and coworkers, from getting into your account with a stolen password. We’ll cover this in more detail below.

Security Precautions You Should Take

The game doesn’t end after you choose an accounting software company with strong security. You’d be surprised by how much your own security habits—or lack thereof—affect your data’s safety (and your own safety for that matter). That’s why we’ve put together these eight steps that will help you and your employees keep your accounting data protected.

1. Don’t Share Your Passwords With Anyone

When we say don’t share your password with anybody, we mean it. Passwords are supposed to be a secret for a reason.

We may not be talking about the one ring to rule them all, but we might as well be. Security is a serious issue, so make sure you keep your password secret—keep it safe—because that is the surest way to protecting your company.

2. Create Strong Passwords

Everyone has heard again and again that it’s essential to create strong passwords for our internet accounts, but how do you actually do that? We’ve gathered several tips from experts in the technology and security field; let’s begin with what not to do.

Don’t:

• Share your password
• Use common password combinations (123456)
• Follow the three most common password formats (according to Business Insider)
  1. “one uppercase [letters], five lowercase [letters] and three digits”
  2. “one uppercase [letters], six lowercase [letters] and two digits”
  3. “one uppercase [letters], three lowercase [letters] and five digits”
• Use the same password for multiple spots
• Start with a capital letter followed by lowercase letters
• End in an exclamation point
• Use password checkers

Do:

• Use long passwords (at least 8 letters)
• Use a combination of letters, numbers, and symbols
• Use multiple special characters
• Create a completely new password for every site
• Make it seem random

Tip: Business Insider interviewed a professional hacker from RedTeam Security, a cybersecurity firm that identifies any weaknesses in a company’s security before a hacker can, about his top tip for coming up with passwords. The hacker, Kurt Muhl, says to come up with a sentence you can remember, like: “I bought my house for $1.” Then, take the first letter of each word only, so you’re left with Ibmhf$1. And a few extra symbols or numbers where you’ll easily remember, and you’ve got yourself a strong password. After all, it’s much easier to remember a sentence over a random collection of letters, numbers, and symbols.

3. Store Passwords Securely

Okay, so now that you know how to set strong passwords, how should you store them? It may be wise to make a unique password for every login you have, but there’s no way to remember all of those passwords in your head. We’ve looked at several possible solutions, as well as unsafe organization methods to stay away from.

Some of these guidelines seem obvious, but you’d be surprised how many people don’t realize that the following storage choices are dangerous:

Don’t:

• Store them in an Excel document on your computer
• Store them in a Word document on your computer
• Store them in any sort of document on your computer (hackers can still access these)
• Save them in emails (sent or received)
• Leave them out on your desk
• Put them in a file that clearly says PASSWORDS

The bottom line is, don’t leave them where someone else could access them. Hide your list of passwords out of the sight of family, coworkers, and cleaning crews.

So where should you keep your passwords?

Many people in the tech industry recommend that you use a password manager like LastPass, Dashlane, or KeyPass. It’s worth noting that LastPass has been hacked on multiple occasions. If it were me, I would not take any chances on password managers where my data could be at risk from security breaches.

Instead, I recommend writing a list of passwords and storing then in an inconspicuously named file in a locked file cabinet or safe that only you have access to. If you really want your data to be safe, write your passwords in some sort of consistent code that only you know and that isn’t written down.

Yes, it sounds like a lot of work, but it’s a price worth paying for keeping your data—and more importantly, the data of your clients—safe.

4. Use Two-Factor Authentication

If your software offers it, use it. Two-factor authentication is a security precaution that makes users log in with a password and a second form of identification (email security code, ATM card number, fingerprint, etc.). This security isn’t foolproof, by any means, but it means people can’t access your account with just a password.

Accounting software companies that use two-factor authentication include:

• Xero
• QuickBooks Online
• Zoho Books
• NetSuite

5. Install Virus/Malware Detection Software

If your software provider doesn’t use intrusion or virus detection, we recommend researching an anti-virus and/or malware detection solution. (Anti-virus and malware detection software are a good idea for personal computers as well, even if the software provider you use does offer this form of security.)

Some common and reputable options include:

• Bitdefender Antivirus Plus
• Bitdefender Total Security
• Kaspersky Anti-Virus
• Kaspersky Internet Security
• McAfee LiveSafe
• ESET Internet Security
• Avira Internet Security Suite

Note: Please do your research before purchasing. Forbes and PCMag both offer many articles giving advice on choosing good virus/malware protection.

6. Educate Your Users

Most business owners probably have at least some knowledge about internet security, but that new fresh-out-of-school intern you hired might not. You want to make sure that all employees and contractors using your software have a firm understanding of internet security.

In 2015, Xero (one of the leading accounting companies in security) experienced an attempted phishing attacks. A phishing (pronounced “fishing”) is where hackers “fish” for user’s passwords and information so they can hack accounts. In this attack, Xero users were sent a fake email that looked like it was from Xero but it contained “malicious content.” While the company resolved this issue promptly, the best solution is always to have educated users who know to avoid suspicious links and verify addresses.

There are a few ways you can educate your employees:

• Send Out Pertinent Articles In Weekly Company Emails: Have your employees read articles like Xero’s “3 Ways to Avoid Being Phished” or McAfee’s “10 Tips to Stay Safe Online.”
• Encourage Free Education Courses: Free online courses cover an array of topics, including security. Khan Academy offers courses on Cybersecurity, and MOOC offers a Web Security Fundamentals course, a Network Security course, a Cloud Computing Security course, and more. Both of these resources are free and there are several others like them.
• Enroll Your Team In Certification Classes: Not only can you sign up for free online courses, you can also earn verified certificates for the classes you take. Many of the certificate classes cost extra, but it could be worth spending the company budget on a weekend of classes if each employee comes out with a verified, professional certificate in security.
• Follow Your Software Company On Twitter: One of the first places companies post security breaches is on Twitter because they can get the word out fast and quickly update users on any developments. Be sure to ‘follow’ your software company so you can tell your employees about a breach or server downtime right away. Or, better yet, have your employees follow the company on their work Twitter accounts.

7. Take Advantage Of User Permissions

Almost all good accounting software offers business owners the ability to manage users and set user permissions for their employees. One of the best examples of this is Xero, which lets you set five different roles (no access, read-only, invoice only, standard, and advisor) and control the level of access by specific feature.

Be sure to take advantage of these user permissions. They are one of the most effective tools to control what your users see and don’t see. This way, you know that only the most trusted employees have access to more sensitive information, which eliminates worry.

8. Keep Your Software Updated

Believe it or not, software updates aren’t just made to clutter your screen or annoy you while you’re in the middle of working. These updates often contain fixes to potential bugs or breaches. Make sure you take the time to update your software and ensure that you are operating with the best, most modern security measures.

Ready To Rumble

We hope that these tips help you become more aware of the importance of internet security, both for your company’s sake and for your own personal wellbeing. Everyone can, and should, be able to use their software worry-free. While it might seem like a lot of work to implement these security measures, this is one case where it really is better to be safe than sorry.

If you’re interested in cybersecurity for locally-installed programs, read our How to Keep Your Locally Installed Accounting Software Secure post.