Lately I have been asked quite a bit about cloud accounting security from those interested in setting up an online firm. These are from people that are interested in setting up an online model, but worried about the security implications. Let’s dig into cloud accounting security a bit more to see if we can create a bit more comfort around this topic.

A bit of history

cloud-accounting-security-2

Not that far back, but before the cloud became a thing, accounting firms would primarily store their data on an on-premise server. To date, this is still a very popular way for most firms to store data. It requires some technical expertise to select, maintain and update the hardware nor is it cheap, but it’s the way that most have done it for many years now. Many have comfort with this approach since firm owners feel more “in control” of their data due to the fact that it resides on their premises and that you do not have to rely on external third parties to store your data.

So the good news is that you have all your data in your own control.

The bad news is that to keep this data secure from hacking, equipment failure, power outages and natural disasters, you need to really know what you are doing and spend quite a bit of money to buy/maintain the equipment and ensure the security of it.

Hacking is probably the single biggest risk to data security, especially these days due to the increased sophistication of hackers. Accounting & bookkeeping firms are at high risk for cyberattacks since the information these firms possess are typically what hackers are looking to obtain.

If you aren’t an IT person yourself, then you do have to rely on someone to keep your server secure and up to date. So while you might have your data stored on-premise, you have to have a high amount of trust in the individual and/or company that is maintaining your hardware and software related to the server to keep your data protected and secure from some of the risks I mentioned above.

The bottom line is that with your own server you are in complete control, but you might not actually want that control given the level of sophistication required to ensure proper control.

The cloud

cloud-accounting-security-3

With the cloud, your data is being stored on a physical server, somewhere, just not your server. When you access a file or program in the cloud, this file is not stored on your hard drive, it is stored on someone else’s hard drive and you are accessing this file or program through the internet. All of what you consume today on the internet is essentially the cloud. You are accessing files, videos, pieces of software, etc, which are stored elsewhere in the world, and not on your own computer.

Cloud software for your firm

cloud-accounting-security-5

Today, running your firm completely online is certainly the trend. But in order to do so effectively, you need the right technology stack comprised of different pieces of cloud software. So cloud accounting security is something that is top of mind for some of you in order to assure that your clients’ data is well protected and safe.

In order to run an online firm, at a minimum, you would need cloud software for the following areas:

We won’t go into this here, but an all cloud firm is much more efficient, more nimble, more flexible (here’s a story of a CPA that works remotely from paradise in Indonesia) and cheaper to run than a non-cloud firm. There’s not even a debate on this. The debate is on security and whether cloud accounting security can be as robust as those firms in a non-cloud environment.

Cloud accounting security

cloud-accounting-security-4

So just how secure is the cloud for your accounting firm?

Much of this depends on who’s actually storing your data and how sensitive your data is. But let’s assume that we are dealing with the big players that a firm may use when leveraging the cloud for their software needs. Players like Xero, Quickbooks Online, Google, etc.

Above I mentioned that hacking, equipment failure, power outages and natural disasters were major risks to having an on-premise server. Let’s take a look at all of these and see how it compares to having your own dedicated server in your office.

Hacking

If you have a super sophisticated IT team, with state of the art hardware that’s constantly being maintained, some may argue that an on-premise server can be more resilient to hacking than data being hosted by a cloud provider. The issue here is that 99% of firms out there will not have a super sophisticated IT team, nor will they have state of the art hardware, nor will it be constantly maintained properly.

 

 

The fact of the matter is that if you are accessing a file or program on the cloud, it is likely being hosted by one of these giants: Microsoft, Amazon, IBM, Oracle or Google. Are these companies susceptible for hacking? Certainly. But who’s security practices would you expect to be tighter? Google’s? Or your local IT person? I put my money on Google.

I know specifically of one firm that was actually hit with a ransomware attack and had a good chunk of data lost as a result of this. These top tier companies, while not immune to attacks, are exceptionally sophisticated in monitoring threats, attacks and have dedicated security teams geared towards fending off attackers. Again, that’s not to say that their systems can never be hacked, but I would wager as less likely than a firm that does not have a well refined IT infrastructure in-house.

I’m also aware that the bigger the company, the bigger the target, but neither cloud nor on-premise is 100% secure.

Equipment failure, power outages & natural disasters

What happens if you have equipment issues with your server? Yes, there are backups that are made, but typically there’s a business disruption that occurs. Depending on your backup procedures, this could have a catastrophic impact on your firm. One of the worst things that could happen to your firm would be data loss and equipment failure is certainly one thing that could lead to that.

Here is where being on the cloud is the clear winner. Yes, I have personally experienced disruptions in service at times from some several cloud providers, and some of this is likely due to equipment issues on their end, but the beauty is that these disruptions usually are solved relatively quickly. The reason for that is because these cloud providers don’t need to rely on a single piece of equipment. They have a global infrastructure that they can rely on should one region go down.

The same logic applies with power outages and natural disasters. If an earthquake hits a region, your cloud provider can just switch things over to another location elsewhere in the world.

Let’s also add another point that’s important for most of you:

Data privacy

With an on-premise server, you may think that data privacy is more secure since the data is housed at your location, but that simply may not be the case.

For instance, if someone breaks into your office and steals your equipment, your data is at risk.

In a cloud environment, theft is much more difficult as equipment is typically monitored quite heavily with physical security. Simply take a look at Xero or Quickbooks Online‘s security assurances. You’ll notice that they both make mention that their servers are guarded 24/7/365 (amongst other things).

On top of that, when dealing with a cloud provider, data is encrypted on-site in order to ensure data privacy, typically using bank-grade encryption levels. What that means is that your data cannot be accessed without the proper keys, those keys being your passwords and, if enabled, 2 factor authentification (ie. a second PIN or code that must be entered to gain access, which I would highly recommend enabling). The levels of encryption, if at all, that you may use with regards to an on-premise server may not be to the same level as with the various cloud providers that you’ll be working with.

This level of encryption is important for unauthorized users trying to see your data. In the case of being on the cloud, for instance, if you store documents on Google Drive that are sensitive, perhaps you are concerned about Google employees being able to view this information. For a Google employee to get access to your data, they would need to get the encryption keys and this is restricted to only very high levels of authority or if a valid court order was present, for instance, so it would be quite unlikely for this information to leak.

Something else that I would recommend would be to read the privacy policies & terms of service of any cloud software company that you intend to work with, usually found on their websites, to see how they will treat your personal information.

Which is most secure?

Many firms are moving over to the cloud today, big and small. Today, cloud accounting security concerns are certainly an important consideration, but after research and proper planning, it’s not holding these firms back from setting up an online firm. I’m a 100% cloud advocate, but it’s up to you to do your own research and choose the option that you’re most comfortable with.