Hossein Dadkhah from DataDrivenCIOs and I had a fascinating discussion yesterday about how accounting companies should be thinking about their clients data. It really is an eye opener thinking about the considerations that accounting companies need to have when dealing with their client documentation.
Here is an edited version of the discussion Hossein and myself had over Zoom.
Vic20 or Commodore 64
Eric: So you’re not an Accountant or Bookkeeper yourself but you have a lot of views on the Accounting space?
Hossein: I would love to share what I know.
E: Tell me about your background and your current business?
H: I’ve been doing security and IT for 20 years now. I had an early start. I developed my first computer in Grade 5, an XT8006.
E: Was that before the Vic20 and Commodore64.
H: That was just after the Commodore 64. Do you remember the tapes, where you had to fast forward to an indicator number, just like play, and they would load the software.
E: My best memory is they had these computer magazines, and in order to create games, they gave you code in the magazine, just 0’s and 1’s, like 5 pages, and in order to play the game, you had to type in all this code for hours. Some of those games were the best games I’ve ever played – like “Hunchback of Notre Dame”.
H: I remember with Microsoft DOS, I think it was 5.0. It had this game called Gorilla, you probably remember that. You put the angle and the speed, and you shoot a boomerang to the other side. I looked at the code, it was tens of thousands of lines of code. Good old days. Anyway, officially, I have a bachelor in software engineering, a masters in computer science, and a masters in information systems and security.
My company is called DataDrivenCIOs and we’re IT security focused advisors, we focus heavily on cyber security. We work extensively with CPAs, Accountants, and Bookkeeping firms, and we ensure that they can get their job done efficiently while protecting the clients data. Anytime there is customer data, there is a high liability that comes with it.
Starting a company advising Accountants on Data Issues
E: Did you start the company? When did it start, and how big is it?
H: Sure, the company started about 8 years ago, but we’ve been full time in it now for 2.5 years. We now have 5 employees.
E: How are you getting your client base?
H: As I mentioned, a big group of our clients are CPA and Accounting firms. I teach courses for CPAs. There are also a lot of networking groups for CPAs, so we get to meet them often. But really, most of it is word of mouth. Once you start working with one accounting group and they like you, they start recommending you to the other ones.
Once you start working with one accounting group and they like you, they start recommending you to the other ones.
The threat for Accounting Companies
E: When you talk about security, where is the threat? You’re advising accountants on their documentation or their clients documentation? If the cloud enterprise hosting companies today are quite established, where is the specific threat?
H: We help the accountants and CPAs to help protect their clients data, and mitigate their liability. Remember, each of these CPA’s and accounting companies have sometimes thousands of clients. So if anything happens with the data that is provided by their clients, which is often sensitive data, they are liable. They have to be responsible for it. We help them make sure there liability is mitigated. We help the accounting companies put controls in place, to reduce the chances of data breach for them. This way they can get as secure as they can get, because security is a relative word.
No-one can claim that anything relating to security is 100% secure. In terms of cloud, there is a lot of cloud providers out there, a lot of accountants are using cloud based systems, that’s where the industry is going. And these accountants have employees all over the world, in many geographic regions, as they can just connect to the application wherever they are. But there is a lot of security considerations that comes into this that also needs to be put into the calculation. When it comes to a cyber attack, we always hear these terms, about Russia, about these hackers sitting outside trying to break in. That’s part of it. That’s a reality of the situation.
But believe it or not, the weakest line of defense, in any type of system is the humans, the employees that are accessing the data. Your employees could be your first line of defense or they could be your weakest link – however you want to look at it. If you start training them, if you get them sharp, to stay alert, they can become your first line of defense, to help your business and reduce liability. So there are a lot of different angles that come into this.
Our job is to do “defense in layers” or “security adapt” – to put layers in place, to mitigate the risk, and prevent the data getting out there. Here is an example. All the tax professionals in the US need to comply with IRS law. One of the IRS laws is that all tax professionals need to have a written data security plan in place. This is actually a federal law. You are not suppose to email sensitive client data via an unsecure medium.
Lets say you are doing taxes for a company, or you are doing payroll for a company, you have all this sensitive information such as social security numbers. Personal information. So you start training the employees, telling them they are not suppose to send this via email, as email by default is not secure. But then you need to put controls in place, if something fell out of order, if somebody forgot, somebody made a mistake, intentionally or unintentionally. You put filters in place on your email security, so it looks at the patterns, this looks like a social security number, this looks like client sensitive data, this looks like medical information, and you stop it right there. You put layers in place in order to mitigate the risk. And that’s basically what we do.
Which cloud accounting software should Accountants use!
E: So if the accounting companies or tax professionals aren’t using a service like yours, what are they doing? Are they going to a cloud provider and hoping for the best? Are there specific cloud hosting companies that provide extra protection that accountants are aware of? Is this a well known fact in the industry, that accountants need to be thinking about the data and the security of the documentation of their clients. Basically, are they aware of this, or do you need to be educating the accounting companies and tax professionals on what they should be doing?
H: Both. It is a known fact. All the accountants and tax professionals go to training every year. They are suppose to take a certain number of hours each year, and cyber security is always a big part of this training. Because they are dealing with all this sensitive client data. But it’s one of those things that unless it happens to people, it doesn’t ring a bell. I hate to say this, but it’s almost like having car insurance.
Lets take an example of a doctor. You’re suppose to go to a doctor once a year to do your annual physical exam. And if you don’t go to your doctor every year, that’s okay. You got busy, and you didn’t do your annual medical exam. But once you go to the doctor, he’s going to run through some tests, and tell you what are your problems. You have blood pressure, you’re at risk of heart attack, you have high cholesterol, he’s going to give you all these diagnostics. All he’s telling you is that it’s there, and you need to do something about it. These are not the risks. These are real. Because he did a blood sample. Unless you go to a doctor you don’t have that wake up call.
That’s where we come in. All these risks are out there. The biggest problem about all these data breaches and data security is that people don’t see it. I always use this funny example. Lets say you are sitting on the computer in your office, and you go use the restroom and come back. Meanwhile, I could come in and plug in a flash drive, and get a copy of the files that are on your desktop. Chances are 99.99% that you’ll come back to your desk, and you won’t be able to tell me that we got a copy of your data. This is the problem. If people don’t see it, they don’t feel it, and by that point it’s too late. So education is a huge part of what we are doing. Security is a big factor. There are all these cloud providers out there, providing services to the accounting professionals, and those are great, as they make their life easier, but one of the things we say, is that when you are dealing with a third party, you need to look at their terms and conditions, and see if something happens, what is the situation. We call it a “shared liability model”.
If you are using accounting software online, for example, quickbooks online, in their terms of agreement, it says if there is a data breach, you are ultimately responsible for it. In other words, if Intuit get a data breach, for example, you as the company executive decided to put your company data on that cloud. They do have some liability for you, but most often the dollar amount is not going to be more than what you paid them over the course of that year, which is pretty minimal compared to the damages. In 2019, the average data breach, would cost you $4 Million. And you also need to think about reputation if there is a data breach. There is a lot of cloud accounting software out there, and they are awesome, they make your life easier, but you need to make sure you have all these controls and layers in place, if something happened. You can detect it quick, a) to mitigate the losses as soon as you can and b) to have a plan to prevent it happening again.
Accounting Software Platform Data Breaches
E: Have you hear any stories about data breaches on the accounting software platforms themselves.
H: Yes, if you do a simple google search you’ll find all the companies that have data breaches. There are way bigger examples of companies other than accounting software. Linkedin got breached a few years ago. And remember a lot of people use their corporate emails when they login to Linkedin, and the stats say that 46% of people use the same password everywhere. So now I have your linkedin user name and password, and people will try it for your company email. Once they get in, they now have access to your company data.
46% of people use the same password everywhere.
E: That’s really concerning, but what’s really interesting for Accountants and Bookkeepers, is to understand specifically in this vertical, have there been any breaches in the industry that are well known? I’m aware of many breaches on companies such as Facebook and Linkedin, but I’m really interested to understand if there are security hacks or breaches on the accounting software that gets used such as SAP, or QBO, or Xero or AccountingSuite etc? Or are those companies doing something different to prevent this sensitive data being breached. I haven’t personally heard about breaches in the accounting software space.
H: Good question. I’ll tell you this. Often in a lot of cases, there are no laws to force the companies to release the news that they got breached. A lot of breaches go simply unnoticed. There is a blog, “The Week in Breach”, this lists each week all the companies that got data breached. But these are the ones that we hear from. A lot of companies might or might not release the fact that they got breached.
The problem with a breach is not just data, it’s reputation as well. It’s a trust factor. If you give me your house key, and I manage to lose the key, you won’t trust me as much, as now, someone has the key to your house. Next time you’ll give it to someone else to watch your house for you. A problem that we’re having is that a lot of companies don’t release the news of a breach. There are no laws forcing them. And it gets funnier with the new data protection laws in place. Lets take GDPR as an example. GDPR is a very complex law, but one of the points is, if you have a data breach, and you don’t release it within 72 hours, and later it turns out that you had a data breach, the penalty is 3% of your global revenue. GDPR is recent. But we’re hearing similar things in California.
3% of your global revenue
E: Lets look at this from a different angle. Your job is to help Accountants & CPA’s protect the data. Are there any examples you’re aware of, either from your clients, or from Accounting companies that you’re aware of, that have had breaches on their side?
H: Yes, we got a couple of the clients because they got a data breach. I hate that. I prefer to work with clients before they get the data breaches. But yes, a couple of the cases came to us after they had a breach. We’re not fans of these situations, but if we can help, we help. We put controls in place to prevent it happening again. It’s all about layers.
Protection. Detection. Response.
E: You’ve been speaking about big accounting companies. A lot of the 1 or 2 person accounting companies we speak to, or often the pure bookkeeping companies, don’t seem to be concerned about the documentation. They often do the bookkeeping via the cash basis rather than the accrual basis, whereby they’re drawing up the books from bank statements and credit card statements rather than the source documentation, and often if the transaction is under $75, they’ll take a picture of the document with their phone and throw the original expense slip away.
I’m trying to reconcile my thinking. On the one hand, we’re talking about how critical data is, and how important it is for accounting companies to ensure that the data is secure and not getting breached, but on the other hand, a lot of smaller accounting and bookkeeping companies, and their clients, don’t seem to be concerned about the source documentation data. Is it that big companies are overly concerned, and that smaller companies don’t have that concern.
H: Unfortunately that is a true statement. We see a lot of smaller accounting firms that do not have as much concern about the data security. Part of it comes down to their liability, how big they are, and whether they can handle it or not. Remember, on the client side, not the accounting firms, but on the client side, clients are getting more and more educated. They know when they give you the data, they have rights over the data, so if something happens, you are liable to them. When it comes to data security, whether you are a giant enterprise, or a small company, the principle is simple, we call it “protection, detection, response”.
Think about your house. How would you secure your house? In your house, you have a fence, you have locks, you have double windows, you have an alarm system, you have a dog, maybe you have a gun, you’ve got insurance. All of that. Think about that list. You’re either trying to protect your house with tall fences. That’s one idea. Or you’re trying to detect if your house gets broken into. That’s the alarm, dog, and motion detector – all of that. Or you’re trying to respond, so you have insurance, a gun. The same thing is with an accounting firm. Protect, detect, respond.
If you’re a company with a thousand employees, or a small accounting firm with 3 employees. It’s the same thing. Unfortunately, it’s one of those things, that unless it happened to you, if you’re too small, you wouldn’t put that consideration into the fact that security is important. Most people think they have an anti-virus, a firewall, and feel they are secure. Another prime example is right now, with CoronaVirus, the employees of companies are working from home. It’s as simple as either doing one of those “work from home “software or doing a VPN and remote desktop. Whatever they’re using. One thing they might not realize is they’re putting themselves at great risk right now. I’ll give you an example. If you’re using remote working software, the standard ones, off the shelf, like TeamView or RemotePC, or whatever they’re using, you are enabling your employee to download whatever they want from their work computer into their home computer. No questions asked. Full trust. Other people are using VPN. What you’re doing with a VPN, you’re exposing your home computer to your business computer network. You have malware, spyware, ransomware, something. By establishing a trusted tunnel, you’re allowing it to move into your company network into your accounting firm network.
Another prime example is right now, with CoronaVirus, the employees of companies are working from home.
Scary = CoronaVirus + Accounting Companies + Remote Work
E: That’s scary information. What advice can you give to Accounting Companies who are now dealing with CoronaVirus and scrambling to let their teams work remote. Do you have tips for Accounting Companies to deal with remote work?
H: Consider security and risk. This is the time, right now, when all the hackers, and bad guys are getting more active than any other time. We all hear about the phishing emails and all of that, coming in about CoronaVirus, and people open them without considering. Anytime you are adding a pathway to where customer data is being channeled, you need to consider. The biggest thing I want to say is that the clients trusted you with their data, and you are liable for it. It doesn’t matter who did it on your team or how it happened, or whether it was intentional or unintentional, it doesn’t matter. You as a company executive, as a firm owner, as a company owner, you are responsible for the client data. To be more specific, whatever remote access you are providing to your employees, make sure it limits the amount of data that can get transferred.
The best solution is a solution where you can get no data off the computer you are working from.
Definitely put data monitoring solutions in place. There is a lot of user behavior analytics and data monitoring solutions in place that would record the session, that would scan for data, that would scan for social security numbers, and all that to see where its going and would track those, and if it was going somewhere it wasn’t suppose to be going, it would raise a flag. In times like this, these controls are even more important.
When you work in an office environment there is a lot more trust, it’s a lot more secluded, where it’s easier to control stuff. But when you’re working from home, a lot of those are not there. One other point is that a lot of the laptops or computers at home are not encrypted. If someone breaks into someones home and steals their tower, they are probably leaving with a giant pile of data from the client. Anything you do in these crazy times, put security considerations into place.
Data security issues for internal finance teams
E: You’ve spoken about accounting companies dealing with security issues for their clients data. A lot of larger companies have internal finance teams. Is it the same considerations they need to go through, or are there differences?
H: When it comes to security, the same security goes. Put controls and layers in place. It doesn’t matter if you’re an accounting firm, or an internal finance team, you need to think about the data.
When it comes to security, the same security goes.
Blockchain and the future of Accounting Companies
E: Where do you think the future of data or security around accounting companies is going to go. People are speaking about the blockchain, but there are problems with that. What will the industry look like 5 or 10 years from now. What will the accounting company of the future going to look like?
H: Obviously, there is a giant push to moving to the cloud. It’s less about local software or on-prem software and more to the software in the cloud. The biggest assets companies are going to have are not their property, not the money in their bank accounts, not their buildings, it’s not any of those things. The biggest asset companies have is their data. That is the new currency. I think that’s where it’s going. How much data you have determines your price, and how valuable you are. I think there’s a huge push to moving stuff to the cloud, and I’m a huge fan of the cloud, but the responsibility comes back to the accounting firm owners who utilize any type of cloud systems, to make sure their assets are protected. Just like when you buy a car, and you get insurance for your car, or you buy a house, and you buy insurance for your house, you want to get a similar level of protection for your data.
That is the new currency!
Choosing between Quickbooks Online and Quickbooks Desktop
E: I had an interesting fact from an accountant I was speaking to yesterday in the US, who said that actually even though people are moving from on-prem to cloud solutions aggressively, Quickbooks desktop rose 1% last year in the US. I believed on-prem solutions were falling dramatically and they said the actual usage of QBD went up. Based on what you’ve been telling me, it’s a very scary world when using cloud software, so when would you be advising companies not to be using cloud software and to stick to on-prem software.
Quickbooks desktop rose 1% last year in the US
H: I would never be pro or against for that statement. I would never say move to the cloud or move to on-prem. Whatever solution you consider, consider the risks. But in terms of Quickbooks, I’ll tell you something from a couple accountants I’m very close with. Quickbooks came up with Quickbooks online but the problem is that it does not have all the features that Quickbooks Desktop has. And you’re also dealing with a lot of smaller companies that paid for Quickbooks one time and they want to keep using it. A lot of small businesses are not a huge fan of subscriptions. There is a mentality that subscriptions are not good. If I can buy it once and use it forever, why should I keep paying for it. So some of those factors comes into consideration why Quickbooks Desktop grows.
One of the solutions we have is called “360 Secure Desktop”. It provides desktop in the cloud for Accountants. Instead of working off their own computer, they work off this secure cloud desktop which has a whole lot of security controls in place. And that is perfect to run Quickbooks online or Quickbooks desktop. It’s a computer basically that you can run stuff off of. But honestly, the usage of Quickbooks Desktop comes back to the features and to the subscriptions.
You can go to Costco and pick a copy of Quickbooks for a couple hundred bucks. If I can do it once and use it for a long time, the accounting principles don’t change a whole lot. Accounting is Accounting. It’s been like that for years. Why should I pay this company each month, unless you’re a new business, or you’re migrating because you want something bigger out of it. But also in the higher editions, like the Accountant Premier Edition or their enterprise edition, there is no way there online edition comes close to features. I think that’s why people are sticking with the desktop version.
You can go to Costco and pick a copy of Quickbooks for a couple hundred bucks.
Do you have strong views on the Accounting & Bookkeeping industry?
DOKKA explores the thoughts of Bookkeepers, Accountants, CFO’s & others involved in the Bookkeeping & Accounting space.
Mary McBlain from McBlain and Davis Accountants – Understanding the Bookkeeping & Accounting industry in the UK
Lisa Cervantez from PureSpeed Lightwave – Why an internal Finance Team chose SAGE 300 as their Accounting Software
Jeffrey Levine from Persofi – Bookkeeping differences between Israel versus the UK
Akiva Brett from KB Tax – A South African Tax Practitioner
Julie DeLong from Backyard Bookkeeper – Part 1 – Choose between Quickbooks Online and Quickbooks Desktop
Julie DeLong from Backyard Bookkeeper – Part 2 – Advice from a Virtual Bookkeeping Company
Holly Dunn from Accountable Bean – SAGE versus Intuit
If you have views on the Bookkeeping & Accounting industry, lets speak.
