
Data security: Cloudy with a chance of cyber attack

by
22nd May 2015

Cloud accounting took centre stage at the recent Accountex event and attendees seemed more eager than ever to move their operations onto the web – but the technology’s meteoric rise has been accompanied by increased security risks.

According to Matthew Johns of cloud hosting company Rackspace, users underestimate the widespread danger of cyberattacks. “I think it’s one of those things that people hear about in the press and think ‘yeah, it’s a problem – but it doesn’t affect me’,” he said.

PwC’s Global State of Information Security 2015 report lends added weight to his argument with the finding that security incidents rose to 42.8m, 48% up from 2013 and representing a compound annual growth rate of 66% since 2009.

Gavin Millard, the technical director of the American network security firm Tenable, diagnosed the situation rather succinctly: “Virtualisation, BYOD [bring your own device] and cloud have all expanded the modern network, increasing the threat landscape and letting malicious individuals in.”

The diffuse, decentralised nature of the web shifts more responsibility onto the user to manage their data securely.

If accountancy firms are considering switching to web-based services, Johns advised: “Shop around. Make sure that you speak to lots of people and compare them appropriately to make sure you get the right service for you and for your data.”

Users should check that the cloud service provider is serious about security. “Maybe they are a member of the Cloud Security Alliance,” suggested Johns. “You should ask if there are any compliance standards which they adhere to such as the ISO 27000 series. Can and will they tell where they are hosting your data? And then there’s the size of the business. How long have they been around?

“As opposed to red flags it’s about looking for the things you should expect to see from someone.”

Accountancy professionals are under extra pressure to get it right because, as Johns pointed out, they are “storing personally identifiable information that’s subject to certain compliance rules and regulations”.

“It’s all about using the right tools for the right jobs,” said Johns. “When accountants – or in fact anyone – is looking to put data into the cloud, you need to consider the reasons for doing so and that the potential implications for doing so are seriously thought about.”

Replies (27)

By AndrewV12
22nd May 2015 11:55

Cyber attack

I personally don't bank online, so I am not going to save information online; it's just too risky. You only have to be successfully attacked once.

Thanks (0)
By Charlie Carne
22nd May 2015 12:08

Online risks

AndrewV12 makes an interesting point. And I would go further: as the recent Hatton Garden raid has highlighted, banks only need to be attacked once. Perhaps it's time I withdrew all my money from the bank and kept it under the mattress where I can ensure that it's safe.

Thanks (1)
Replying to alialdabawi:
By AndrewV12
22nd May 2015 12:24

The difference

Anyone in the world can try to break into your cyber account, therefore there is more risk; not everyone around the world can break into your local bank, unless they are tunnel rats with plenty of energy.

Thanks (0)
By mcloughlin56
22nd May 2015 12:10

Twinfield Security

Security has always been at the heart of Twinfield online accounting. The security is audited every quarter and certified every year. Check out the link below:

https://www.twinfield.co.uk/twinfield-the-most-secure-solution-for-your-...

Thanks (0)
By carnmores
22nd May 2015 12:32

Really

Your desktop is under far more threat than your cloud applications, and most bank frauds are not caused by online threats but by getting your debit card cloned or bank details from elsewhere. This is another vested interest trying to big up their ~products~ and I totally disagree with Andrew but enjoyed Charlie's sarcasm.

Thanks (4)
By R1C8ARD
22nd May 2015 12:49

Cloud is more secure than dedicated solutions

The experienced cloud hosting companies have developed far more security awareness than companies who persist with dedicated servers, either run in house or in a managed service environment. Organisations like Rackspace and in particular Firehost have developed secure cloud solutions; they specialise in security and have dedicated teams who are on watch 24/7 to prevent attacks. Due to the diverse range of clients they experience an attack every week, and whilst preventing these attacks they learn from the experience. Do you honestly believe that because you are not in the cloud your data is safe?

Thanks (2)
By carnmores
22nd May 2015 13:19

RIC8ARD

Nice to see some sense.

Thanks (0)
By TaxTeddy
22nd May 2015 13:21

Risk and reward

My Mac / PC is more at risk than the cloud? I think not.

Not to serious hackers - the potential rewards of hacking a cloud server are MUCH greater than hacking Joe Bloggs' PC. If I were a hacker, I know where I would focus my efforts.

Thanks (1)
By Charlie Carne
22nd May 2015 14:25

Risk & reward - I disagree

TaxTeddy - whilst you are correct that the rewards of hacking a cloud server are greater than hacking your PC, the difficulty of doing so is orders of magnitude greater. A bank vault presents a much juicier target than the cash in my wallet, but how many people are mugged or have their homes or offices robbed every single day? I think that there are many hundreds (possibly thousands) of such small thefts each day, but a bank robbery occurs maybe once or twice per decade.

Your laptop is at risk every time you take it out, as the teenage kid sitting across the room from you in Starbucks can hack you in seconds. Your desktop computer is at risk all day and night if it is connected to the internet. Hackers operating from anywhere in the world can hack hundreds of users in a single night. And then there are the physical risks of your laptop being stolen in the street, or your home or office being burgled. It is natural to think that we can look after our data better, or that the target is not worth pursuing, but this is a myth. For the same reason that a Hatton Garden vault is safer than my mattress, your data is MUCH safer when held by specialists.

I would add one exception to the above. If you are a computer expert and really understand how to secure your data (not by buying an off-the-shelf piece of software, but actually understand what is involved in hacking and how to prevent it), then you may well be better off guarding it yourself. But this thread is not aimed at such experts. It's aimed at the 99.99% of readers who don't understand how hackers operate and wish to ensure that they have taken all reasonable steps to secure their data. I trust third party experts more than I trust myself. We all should.

Thanks (2)
By rowey
22nd May 2015 14:48

Twinfield Security

We have partnered with Twinfield for our cloud accounting service for more than 2 years - we have never had any issues with security and could not be happier with it.

Thanks (0)
Replying to raj1234:
By R1C8ARD
22nd May 2015 15:33

Twinfield

Sounds like you are happy with the service.

All I would say is that no security issues as yet doesn't guarantee it's a secure environment. To be sure, ask them if they've been pen tested and whether it was carried out by an independent party.

Thanks (0)
By Francois Badenhorst
22nd May 2015 15:44

I think the message really is that the intense optimism around the future of cloud (which isn't a bad thing) should just be tempered by a dose of reality. These things happen and accountants' data is often ID sensitive. 

Thanks (0)
By R1C8ARD
22nd May 2015 15:55

intense optimism?

I think the message is that there is a real lack of understanding (understandably) from the market in general, not just in the accountancy market, of what the cloud actually is and its capabilities in comparison with the traditional methods.

There is a real lack of knowledge of the options out there and the measures and levels each individual provider may take to ensure their environment is secure. Everyone thinks their data is secure until it isn't, by which time, if no monetary losses are suffered directly, they will be through reputational loss and fines.

What is clear is that if you want to make sure your data is secure, you need to take the time to learn more about the topic. Thinking that because you are on a desktop or on-premise server you are secure now (more secure than cloud) because it always worked in the past is not the answer. I would suggest that this type of thinking is the real "intense optimism."

Thanks (0)
By kevinread
22nd May 2015 16:38

I totally agree with Charlie
The biggest risk is having your username & password stolen through your browser. For that reason I would prevent any browser from remembering my password.

Be vigilant with your password & keep it safe:
Do not use your name, your pet’s names or your children's name.

Mix up letters, numbers, capital letters, and special characters and change passwords regularly to be on the safe side.

I think the main thing that any hacker would be interested in getting to in a cloud accounts system is customer & supplier record data in order to exact a scam sometime in the future.

Other than that only the numbers could ever be hacked so what good is it to financial fraudsters anyway?

Thanks (1)
By mabzden
22nd May 2015 16:37

Things can't get much worse...

.. than how some (or most?) accountants treat their data now.

I used to work for a fairly large firm of accountants who kept their data on a server in the basement (as is probably normal). All the data was kept in an unencrypted form (including the database for the tax software - do any desktop software providers use an encrypted database?), and although you needed a password to log on to the server this was known by all staff members (and a few disgruntled ex-members of staff) and was never changed.

People would load data from the network onto their laptops or memory sticks so they could work away from the office. These laptops and computers usually had no virus protection whatsoever and (in the case of laptops) were very easy to lose.

One of the office juniors was supposed to take manual backups to a tape drive, and she'd then put the tape drive in her handbag or car and drive home. The whereabouts of the tape drives wasn't tracked or monitored, so anything could have happened to them and no-one would have noticed.

Just for good measure, none of the paperwork was shredded, and I once had to complain to the office manager because I'd found papers containing the personal details of clients blowing down the street. Unbelievable!

So I'm sure there are some cloud services that wouldn't be able to withstand a sustained attack by Lulzsec or the Chinese government. But I'd still go for a cloud solution every time.

Thanks (0)
By jon_griffey
22nd May 2015 17:19

Be careful

Too many people are getting caught up with the hype of 'the cloud'. Essentially it means that your data sits on someone else's drive, not yours, and control is therefore surrendered to a company that you know little about, based somewhere you have never been, and you 'assume' that their data security is as robust as they lead you to believe. And without exception when you sign up with them, they disclaim responsibility for loss of your data.

I don't doubt that cloud is the way forwards, but with the speed at which this is developing I foresee there will be a scandal at some point where thousands of users lose their data.

Thanks (1)
Replying to Southwestbeancounter:
By AndrewV12
23rd May 2015 09:46

The hackers only have to get lucky once.

The hackers only have to find a way through cloud security once, then as far as cyber crime goes they will enter the promised land, the land of milk and money, I mean milk and honey.

Some people forget your own PC security is more or less in your own hands, not perfect, but security is your choice. As for security for this cloud.......well who knows..... We're told it's watertight, then again we're told lots of things; time proves some of them are wrong. My big worry is the over-confidence in the security of the product; it sounds like a recipe for disaster.

Thanks (1)
By User deleted
23rd May 2015 08:23

Comments & web-service risk …

We seem to be covering the same old ground over & over again and have been for xx years.

PwC report

Far too woolly & broadly an up-to-date re-hash of the same information & caveats – also don’t really see any breakdown by type of incident.

On the topic of web services

None of the experts have raised any security issues on this front. Vulnerabilities at the 3rd-party web-service provider end have not been addressed anywhere - once 3rd parties have access to the host's data via APIs, then what controls are in place to prevent data harvesting?

https://www.accountingweb.co.uk/group-thread/xeros-ecosystem#comment-654833

https://www.accountingweb.co.uk/group-thread/xeros-ecosystem#comment-656606

@mcloughlin56 – interesting link to the Twinfield security process

Question on backups – are these ongoing backups incremental or full? No mention is made of any restores. Does the restore process occur on a periodic basis (how often) to verify, and how is this process handled?

Thanks (2)
By mr. mischief
24th May 2015 13:59

in control of my own destiny

I save my work to an encrypted hard drive; the PC will not load Windows without the password, which is 15 characters including punctuation and capitals, and not containing any words in any alphabet. I back up to data sticks with the same encryption, but different passwords. They are kept at 2 separate locations so that I can load all client files in the event of a fire or similar disaster.

I have an annual security review carried out of my physical and data security by a suitably qualified IT security expert.

All sensitive client files are sent under password protection. The standard one is their DoB, but full encryption is available to them; one has so far requested this for a few documents.

All of this is summarised in a one-page security document which all clients get a copy of when it is updated, and which new clients get as part of my "Day 1" programme for new clients which, surprisingly enough, takes place on their first day as a client.

Several have commented on this security positively.  So whilst it does not win new business, being up front with how you are using client data in my view helps retain business.

There have been too many public muck-ups involving banks and cloud server systems for my liking. I always assume in these cases that - unlike physical bank robberies - what the public gets to find out about is less than 10% of the total.

Thanks (1)
By Charlie Carne
24th May 2015 14:27

How is DoB a secure password?

mr. mischief wrote:

All sensitive client files are sent under password protection.  The standard one is their DoB...... All of this is summarised in a one-page security document which all clients get a copy of....

The DoB for most people is very easy to find, so the password for your files is easily hacked (unless the client chooses your "full encryption" option). You clearly take more care than most people, but using a publicly known encryption key rather defeats the point of the password.

A number of posts on here highlight the key problem with security. As accountants, we are not experts at data security. I trust third party specialists with my data, as they will understand all of the risks and offer much better protection than I can. Of course they are not foolproof, but I am certain that many readers on here have lost data that they erroneously felt was safer being looked after themselves.

I don't know all of the ways in which my data can be accessed, so how can I possibly protect myself from threats that I don't understand? I do so by handing responsibility to a reputable company who does understand these risks.

Thanks (1)
By mr. mischief
24th May 2015 14:47

As I said

The choice is the client's.

I find that banks and other lenders, and other accountants, routinely send information such as business plans, accounts and tax return data out with no password protection. At least when I send such information to banks it has some protection on it.

I could not disagree more with the notion that you can simply farm this out to a "third party specialist" and then say "not me guv" if anything goes wrong. There have been too many public scandals, mainly involving disgruntled senior staff who had recently left such organisations and decided to do the wrong thing in a scorched earth policy. I cannot see how any customer of such a company can possibly do due diligence on senior staff, when in the scandals it is clear that colleagues working with them on a daily basis were totally unaware of what was about to happen.

Thanks (1)
By Scriptic
26th May 2015 06:47

Trust

Some comments here (surprisingly forcefully) appear to imply that anyone expressing doubts on the security of cloud computing is completely wrong and that they ought to learn to "trust" others more than they would trust themselves. Given that even the CSA (Cloud Security Alliance) have themselves identified risks, some of which could result in the total loss of data, such comments might perhaps benefit from a little more balance.

Thanks (2)
By User deleted
26th May 2015 08:35

About the balance of risk …

@Scriptic – so far as balance of risk applies, which is the safer approach, Cloud v. Local PC/network?

For the majority of people the Cloud route is the best because the risk is less – yes there are exceptions as with everything, but for the most part users simply don’t want to get involved with having to encrypt everything themselves to the nth degree (public/private keys etc.) - especially using a client DOB as a key and then broadcasting the fact on a public bulletin board!

(As an aside – interestingly enough there is a ‘rash’ of ‘WhatsApp’ style mobile apps which allow this approach of public/private key, and these are creating a huge security problem in a whole range of areas – ISIS, paedophiles and so on. If I were GCHQ etc. I would be seriously looking into encryption-breaking software or ways of circumventing the encryption at this stage of the game.)

There is nothing wrong with identifying Cloud risk areas, because that is the only way any holes are closed up, and furthermore it allows users to make a balanced judgement knowing all the possible downsides – but it doesn’t detract from the fact that in most cases Cloud is generally the safest.

Neither is it about ‘trust’, because risk is all about probabilities rather than trust, and on balance you are at greater risk on a local PC than on a Cloud system.

Nevertheless, as with everything, providers come in all shapes & sizes - some good and some bad; so choosing the right provider is probably paramount - which all comes back to 'do you know what you are buying?'

Thanks (2)
By carnmores
26th May 2015 14:17

I agree

The cloud on balance is much safer than desktop, which can easily be infected by viruses, emails etc.; it is preposterous to contend otherwise. The CSA group has rightly commented on some offerings, but usually the bigger the company the greater the software security. Would all the gainsayers give us an example of a reputable software house that has been hacked and all data lost?

PS EDIT: is that forceful enough?

Thanks (1)