It’s safe to say the cloud is here to stay. Subscriptions to online accounting software continue to increase with no signs of slowing down. Accounting firms are accepting cloud solutions as the new normal and relying on Software-as-a-Service now more than ever.
With this increased reliance on cloud-based tools to manage your practice, is your clients’ financial data safe?
Transitioning to the cloud has been a relatively seamless process for accountants. However, trying to make sense of the apps in the space has led to a sense of fatigue for many firms. Beyond evaluating features and functionality, owners need to evaluate the risk involved and ask themselves: How is this app handling my clients’ data? Is it stored and backed up?
Like protecting your clients’ hard copy data, you are responsible for keeping their cloud data safe as well. Lost or corrupted client data would result in a major setback to your client, your firm, and your reputation.
What does this look like in practice?
It is important for anybody who is involved in managing client data to know that major providers only back up data at a platform level. In the event the accounting software provider’s servers experience a severe crash, for instance, they can recover the platform (along with client data) but they are otherwise not liable for any errors you, or your clients, make inside the software.
This is a practice, known as the Shared Responsibility Model, that many SaaS companies use. Software companies are only responsible for backing up the software that runs their platform, along with all user data in a single, huge backup file. Identifying transactions or receipts in this massive collection of data is like finding a needle in a large field of haystacks. There’s no way to use this all-or-nothing backup repository to restore individual accounts. This is why users are the ones responsible for maintaining and backing up data at the account level. Every firm must have a backup strategy, and building one begins with identifying the potential threats to your clients’ files.
Here are some common threats to be aware of when managing client data in the cloud:
- Human error: This is the biggest culprit resulting in data loss, and unfortunately, there is very little control over it. Whether it’s by you, your client, or your staff, there is no option to undo a minor setback or a major security breach. You are responsible for recovering the data. If the compromised data contains personally identifiable information, you might also have to report the breach to the affected clients and possibly regulatory bodies.
- Third-party application: These issues are commonplace when using integration tools. An app can wreak havoc in many unpredictable ways — anything from duplicating purchase orders to corrupting transactional data. Integrations don’t always work as intended, and since many third-party apps require full access to the underlying data, they come with the risk of permanent data loss.
- Failed CSV imports: These happen often, especially when working with large files. But CSV files can do much more than fail. If your delimiters are wrong or your columns are off, you’ve dumped a dataset into your client’s file that will take you hours or weeks to undo.
- Malicious attacks like ransomware: These continue to be one of the most common cybersecurity threats facing practices and the public. Attackers can compromise IT systems and gain access to account controls, lock owners out, and hold files ransom. Even if your firm has security protocols in place, all it takes is one hack to hijack your clients’ data.
Although risks and threats are increasing along with the use of cloud accounting technologies, the good news is that the best practices around data protection are simple to put in place.
So, how can you increase data security in your firm and position yourself as the most reliable choice for your clients?
Establish a solid backup strategy
On a fundamental level, backup strategies tend to fall into one of three storage categories: local, on-premise, and cloud.
- Local storage: An example of local storage is exporting your data as a CSV file to a USB drive. The benefit of this approach is that external hard drives or thumb drives are inexpensive. The downside is it’s not particularly secure and requires someone to remember to manually back up the data on a regular basis. You are not free of risk with this strategy. You can still lose data if something happens to your local storage. Your backup lives on a computer or hard drive, and restoring data with this method can be a laborious and error-prone process.
- On-premise backups: These rely on physical servers located at the firm’s or client’s offices. This method often includes redundancies and is more secure than a local copy. It comes with a much steeper price tag, as the hardware can be costly and time-consuming to maintain. Additionally, using on-premise servers still requires someone to manually back up the data on a regular basis.
- Cloud-based backups: These are ideal for practices that lack an in-house IT team. These tools are subscription-based, so the cost is predictable and requires no capital expenditure. Cloud backup systems are secure, automated, and are something your firm can set up to run in the background — no technical expertise required. Keep in mind that not all cloud-based backups are created equal. Your backup is only useful if you’re able to quickly recover any lost data.
Many cloud-based applications do not have a failsafe in place to protect clients’ data and accounting professionals have an obligation to protect it. If you are serious about data security, now is the time to hold your clients’ data to a higher standard.
One of the easiest and most cost-effective ways to put a backup strategy in place is to use an automated backup and recovery service.
Put your strategy to work
Deciding which backup is right for your practice is only the first step. It’s not enough to make a policy; you have to put it into practice and operationalize it.
1. Document your policies and procedures. Along with your risk management plans and security protocols, start by creating a single source of truth for your backup strategy. Data security is evolving. Take the time to document how and why your practice backs up client data, and what to do when a client’s data needs to be restored. Good documentation is an important part of keeping your client’s data secure; it helps your staff keep calm and execute agreed-upon measures in a high-pressure environment.
A good backup strategy should include documentation that covers:
- Clear labels and classified risk levels;
- A list of contacts in the event of a data emergency;
- Information on what data is backed up, how often it’s backed up, and where it's stored; and
- Communication requirements and policies for handling personally identifiable information.
2. Remember to update. Make regular documentation audits a part of your quarterly administrative cleanups. Keep your documentation current with vendor updates and changes to your security framework at all times to reduce the risk of confusion or misalignment with your backup strategy.
3. Spend the time training your team. Be proactive and make sure everyone understands the firm’s data security policies. Staff should have a good understanding of how and why data is backed up, and know where to access the information they need to implement security measures. Regularly run detailed training sessions with the team on your firm’s responsibilities and compliance requirements when backing up your client’s data.
4. Educate your clients. Education is a major contributing factor to the success of your backup strategy. Your clients are the missing link in the security chain. Cover your clients’ files with backup protection from the moment your work begins. Don’t wait until a crisis arises to educate your clients on the importance of backups. And while you're at it, it’s the perfect time to tell them to use a strong password. As many recent breaches have shown, passwords like “123456” or “password” are unfortunately very common.
Changing the way you and your team approach data security won’t happen overnight. But using a good backup solution will improve your time to recovery, reduce your operational costs from time spent managing data disasters, and help you avoid falling victim to online security disasters, including the ones that are often overlooked.