
Online security – dark spectre or damp squib?

3rd Nov 2014

The papers are never short of a story when it comes to online security. Many big name businesses have suffered a security breach, including banks – and it’s a sure thing that more will continue to be reported on a regular basis.

Yet this does not render the idea of online accounting a non-starter, just like it did not stop the world converting to online and mobile banking. After all, whilst it’s easy to talk up the risks, a newspaper story does not have the space to always offer an in-depth and balanced view, or cover adequate context. A balanced story does not offer the writer a compelling headline and a fear-factor to keep readers gripped!

Nothing is 100 per cent secure. Not your house, your fire alarm or your office’s front door locks. Given time and resources any determined attacker can penetrate any system, building or process. But will they? What is the actual level of risk to you?

Sage recently partnered with CIMA for a panel discussion at the Barbican in London, ‘The real face of online security’, which aimed to answer that question.

The panel discussed how those organisations targeted by hackers tend to be big names precisely because they are well known organisations with lots of data to steal – and as a consequence of their size, more entry points for an attacker to try.

For the smaller business with less of a national profile, the risks are fewer. There’s less cachet in such a business being targeted, and the smaller amount of customer data and financial records means the prize is less tempting for hackers.

What does this mean in the world of accounting? Well, half of CIMA members are still relying on spreadsheets for managing their accounts, but many are starting to realise the benefits of using online software. Concerns around security continue to be the biggest barrier for accountants considering a move to using these cloud computing services, as 51 per cent of the audience agreed. A total 56 per cent of the audience present had yet to move to online finance systems at all.

One comment from ethical hacker Cal Leeming was that data is never absolutely 100 per cent secure online, but that that does not mean that you will automatically be targeted by villains. He suggested that the classification of risk is the first process to go through when considering what data and systems should go online. An accountant should consider what data they feel comfortable putting online and choose to only share that which isn’t mission critical, if that’s the right step for that practice.

Each business has to decide what level of security they feel comfortable with for all the types of their data. For the most critical data, without which the business could not function and whose loss would be a catastrophe, the most stringent security should be applied. The business might decide either to keep that data on one secure machine – or simply investigate the most secure of online service providers, satisfying themselves as to their credentials. And it’s important to bear in mind that a cloud service provider should be able to provide enough detail to give you adequate understanding of the strength of their offering.

Putting the online risk into context, the panel suggested that you’re more likely to have your laptop stolen whilst travelling, or your office burgled, than your online software breached. And there are ways to protect yourself and make yourself less of a target, just like in ‘real life’.

Whilst you wouldn’t leave a spare key under the front door mat, it’s amazing how many people use the same passwords across many of their online services – or write them down on a sticky note next to their screen for a colleague or office visitor to see! Those are more of a threat to online data security than a phantom, faceless army of hackers.

A lot of hacking examples are glamorised in the media, the celebrity photo hack being one recent example – ‘Celebgate’. But it’s unlikely that an accounting firm’s VAT returns will be such a tempting target. Attacking start-ups and small to medium sized businesses simply won’t win hackers either street cred or the big cash hauls that they want.

As a corollary to the security question, online venturers must consider usability. Nothing might be safer than written records carved into a clay tablet and buried under a desk each night – but what if the team member responsible doesn’t come in the next day? Who knows where that data is, who can keep the business running? What if those records are damaged or lost?

Online solutions can offer rollback functions to restore earlier versions of data, provide workflow resourcing to allow others to work on the project, and back up data to several secure sites. Often the backup and restore functions far surpass what a small business can afford, since the supplier can access huge economies of scale and stay up to date with the latest tools.

If online processes and security are a new area for you, then a good first step is simply to ask a peer who’s further along the journey for advice. It might be a smart move to consult a security expert to advise on the strength of the online solutions and discuss the needs of your business, data types and classification to confirm they are a fit.

Society is at a tipping point with cloud computing. The public has taken online solutions to heart, from Facebook and Gmail to online banking and dating. It’s all data in the cloud. Whilst it’s firmly a big part of our lives, it behoves everyone to take a close look at what they are signing up to and to learn to understand the real risks as well as the benefits, and to keep it all in perspective!

Our panel’s top tips:

Assess the category of all your company data by confidentiality. Should each type be accessible by all, held private to an individual or team, to the company, or to an agent and their client? One way of classifying data is as:

  • Protect - personal data
  • Commercially sensitive
  • Commercial in confidence

When choosing a provider, find out where your online data would be kept – within the UK, EU, or elsewhere in the world?

Are you comfortable with your current disaster recovery policy? Would an online backup facility help reduce business risk?


Replies (1)

By User deleted
03rd Nov 2014 10:47

SageLive – Advertorial Credibility ….

As for credibility - well let’s start with SageLive and type the following into Google search ‘.. SageLive Kashflow ..’ - http://www.kashflow.com/blog/sage-live-security/

Just to recap for the benefit of Sage – it is never a good idea to display the password on a web page in the toolbar line because surprisingly enough it has security ramifications!

The only reason that this episode was not their death knell was because of their size in the first place

Never forget that this was a company that refused to engage with SaaS/Cloud at an early stage and only joined the party about 10 years late after most of the ‘hard-work’ had been done by others - and they were a major factor in the length of time Cloud systems took to gain traction because of their failure to engage.

So in this respect they have done the entire profession (and others) a great disservice in holding back progress so that Sage themselves could benefit/profit by continuing to sell outdated software, despite knowing full well what they were doing

Furthermore their engagement even today is only half hearted, trying to walk a tight-rope between legacy systems whilst at the same time getting their publicity machine to send out the message about Cloud.

After all it’s all down to revenue and the transition between selling boxes to selling services is a tricky one which they don’t wish to jeopardise – so stuff the user and we will continue to flog legacy systems on the endless roundabout of pseudo-updates every year – for revenue stream you understand! In preference to Cloud offerings which offer on-going updates ‘free’ as a by-product of the service

As for security – well providing the provider does not disclose the users’ passwords in clear on the browser screen then the risks associated with Cloud are not that great. Anyway it’s all very well advocating keeping critical data ‘..on one secure machine ..’ but does that really negate all the risks – what about backup locations, secure backups, having the machine stolen etc. …….

In any event, on the security side, are we talking about breaching a system via their logins or behind the scenes directly into a database (Provider breach) because these are entirely different scenarios – yet no distinction seems to be made between the two

All in all this article is simply a re-hash of many similar articles that have gone before on Aweb and contains nothing new, except it is now badged under Sage - mmmm... must do better!

Thanks (0)