Replies (32)
Embracing Technology
Hi John
This was a very useful debate. Prior to the Any Questions I had read about the security issues, so it was very interesting to hear other accountants' points of view.
Just prior to that I emailed all my clients whom we share Dropbox folders with to make them aware of this issue, and to ask them if they wanted to continue using Dropbox or change provider. We made it quite clear that if they continued to use it we would have to put something in writing moving forward.
Not one client said they wanted to stop using it and they were prepared to take the risk. On the suggestion of providing another provider, most of my clients who are also heavily involved in IT said they felt it was the easiest to work with and were prepared to take the risks.
It is amazing how things have changed. We as a practice have changed a lot in the last couple of years. Between using Dropbox and having a video Skype call with clients we have found our clients have been a lot happier, as they feel they are more in contact with us and have less paper to go through. If they do not want items kept on Dropbox they download it and we agree to clear it from Dropbox once we are finished.
Some of our clients have notice clinches so I also include dropbox in my backup anyway to cover us as a practice.
Technology will always change and we should embrace it. I now check my Skype for instant messages from clients. It is a great way for them to just type instant questions, and it is very easy to copy the history to OneNote or similar for your client records. It also keeps a very easy-to-use record of when you phoned them and for how long. I find it useful for billing.
My clients use texts quite a bit, almost as instant thoughts. They are not expecting an instant answer; they're busy running the business and it is almost as if they do not want to forget that question. Of course you charge for the service. Copying texts to your client records is difficult, but it means it is all there and you can give them a quick call.
Also it's a good idea to check that your phone is being backed up as well, just in case.
Kind Regards Sarah Douglas Douglas Accountancy and Bookkeeping Services Glasgow
Copying Texts
One useful trick with iPhones is that you can take a "picture" of the text and then email that to yourself. You simply load the text onto the screen and then simultaneously press the top on/off switch with the navigation switch. The iPhone effectively does a "print screen" command. The image is stored under "Photos" and you are able to email this to yourself or anyone else.
I have found this useful on many occasions.
iPhone / Smart Phone
> iPhones is that you can take a "picture" of the text and then email that to yourself.
I would have thought any smart phone could do this. Certainly any Android phone with a camera.
always bear in mind
BACKUP BACKUP BACKUP (and not on same service)
see @3ammagazine https://twitter.com/3ammagazine/status/219901886931804160
12 years of online magazine missing in action as host vanished.....
Copying Texts
On iPhone, one can also copy the text (press and hold the text box, select copy) and then paste into email to self. Particularly useful as a reminder / message unread.
Remember Third-Party risk as well
A point that may have been missed is that CLIENT records often have sensitive information of others -- especially the personal information of EMPLOYEES in order to process payroll, etc.
So when a client says "they are prepared to take the risk," I've found that most NEVER CONSIDERED the potential ramification of accidental disclosure of payroll info and the remediations they would have to do to compensate for this. The clients were only considering the effect of the disclosure of the business' FINANCIAL data.
What's the liability for practitioners? No idea (and it probably would depend upon which jurisdiction you conduct your practice).
Good to hear that many practitioners are having frank discussions with their clients. While I do worry about the access/security/potential "unintentional disclosure" issues, if all are willing to accept the risk/consequences, then Dropbox is a fantastic tool. I know I can't live without it - and I only use it for non-sensitive info.
Other quick observations:
- TrueCrypt works with DropBox (and other such services) but only if the container is small (1Mb-2Mb tops). Otherwise, the file synchronization time can be considerable (I've noticed the problem just when leaving the home computer and trying to open the files once I arrived at work). Note also that if you open up a TrueCrypt volume within Dropbox, then the volume is exposed (there are notes about this on the TrueCrypt site).
- Password protecting Word/Excel/etc.: no security there - there are hundreds of free tools that can bypass the indigenous password protections on these files. 10 seconds with a Google Search. So that approach isn't providing ANY diligent protection that would exonerate a practitioner's responsibility in the eyes of IS auditors or the court system.
Dropbox security option
For a (fairly) easy route to securing data on Dropbox, have a look at SecretSync (http://getsecretsync.com/ss/) - no, I'm not paid by them, or in any way affiliated other than as a user. This software sets up a folder, synchronised via Dropbox: any files put into this folder are automatically encrypted (can explain the voodoo if you want) before they're copied to Dropbox, so that you control the encryption. The folder can contain sub-folders as well, so you can set up a standard file system under it.
What's stored via SecretSync on Dropbox is encrypted and can't be accessed on an iPad (etc) or from any computer that doesn't have SecretSync on it. As a result, you need to have SecretSync on each computer that you sync through Dropbox, if you want access to the files in each place. The SecretSync software unencrypts the files as they're sync'd from Dropbox.
The advantage over TrueCrypt and other similar encryption models is that all this happens on the fly, without user interaction. Yes, I'm just lazy. I want the technology to do it all for me. Your mileage may vary!
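To make the "encrypt before it reaches the Dropbox folder" model concrete, here is an added example of a minimal client-side encryption layer in front of a sync folder. It is not SecretSync's code and does not claim to reproduce how SecretSync works; it uses the `cryptography` package's Fernet (AES-CBC with an HMAC tag), and the folder names, file names and file contents are constructed for the demo.

```python
"""Client-side encryption in front of a sync folder (added example, not SecretSync's code).

Files placed in a local plaintext folder are encrypted with a key that never
leaves the machine; only ciphertext is written to the folder that a sync
client such as Dropbox would upload. The other machine decrypts with the same
key. Requires: pip install cryptography.
"""
from pathlib import Path
import tempfile

from cryptography.fernet import Fernet, InvalidToken

SUFFIX = ".enc"


def encrypt_tree(key: bytes, plain_dir: Path, sync_dir: Path) -> list:
    """Encrypt every file under plain_dir into sync_dir, keeping the sub-folder layout."""
    f = Fernet(key)
    written = []
    for src in sorted(plain_dir.rglob("*")):
        if src.is_file():
            rel = src.relative_to(plain_dir)
            dst = sync_dir / rel.with_name(rel.name + SUFFIX)
            dst.parent.mkdir(parents=True, exist_ok=True)
            # Fernet output is an authenticated token: tampering or a wrong key
            # is detected on decrypt rather than producing garbage.
            dst.write_bytes(f.encrypt(src.read_bytes()))
            written.append(dst)
    return written


def decrypt_tree(key: bytes, sync_dir: Path, out_dir: Path) -> list:
    """Decrypt every *.enc file under sync_dir into out_dir; raises InvalidToken on a wrong key."""
    f = Fernet(key)
    restored = []
    for src in sorted(sync_dir.rglob("*" + SUFFIX)):
        rel = src.relative_to(sync_dir)
        dst = out_dir / rel.with_name(rel.name[: -len(SUFFIX)])
        dst.parent.mkdir(parents=True, exist_ok=True)
        dst.write_bytes(f.decrypt(src.read_bytes()))
        restored.append(dst)
    return restored


def demo() -> dict:
    """Round-trip two constructed client files and check what the sync folder exposes."""
    key = Fernet.generate_key()          # stays on the machines you control
    with tempfile.TemporaryDirectory() as tmp:
        plain, sync, other = (Path(tmp) / n for n in ("plain", "dropbox", "other_pc"))
        plain.joinpath("clients", "acme").mkdir(parents=True)
        (plain / "clients" / "acme" / "payroll.csv").write_bytes(b"name,salary\nA. Smith,31000\n")
        (plain / "notes.txt").write_bytes(b"constructed demo note")

        encrypt_tree(key, plain, sync)
        # Caveat worth knowing: the provider still sees file names and sizes,
        # since only contents are encrypted here.
        leaked = any(b"31000" in p.read_bytes() for p in sync.rglob("*") if p.is_file())
        decrypt_tree(key, sync, other)
        roundtrip = (other / "clients" / "acme" / "payroll.csv").read_bytes() == \
            (plain / "clients" / "acme" / "payroll.csv").read_bytes()
        try:
            decrypt_tree(Fernet.generate_key(), sync, Path(tmp) / "thief")
            wrong_key_rejected = False
        except InvalidToken:
            wrong_key_rejected = True
    return {"plaintext_in_sync_folder": leaked,
            "roundtrip": roundtrip,
            "wrong_key_rejected": wrong_key_rejected}


if __name__ == "__main__":
    print(demo())
```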
@afairpo
... so you wouldn't be able to get to your encrypted files via an iPad - could be an issue if you need files 'on the move'?
iPads were never designed for corporate use
Jaybeee661,
You're completely right -- i-devices were never designed to handle things like generic encryption layers, etc. It's one of the big problems with that whole ecosystem (from a corporate perspective). Right now, the "best" option is to wait for the Windows 8 Pro Surface tablet (not the RT version), which can/should be able to incorporate TrueCrypt (and I bet SecretSync will work too, once they have code written for the Win8 environment).
Steve Jobs was designing the world's best music/video environment when he dictated the iPad specs. Corporate use was furthest from his mind at the time.
(btw, I totally love my iPad, but this is one of the glaring areas where it lets me down).
@jaybee661 - yes, that's a problem
Yes; if you need to access client files from Dropbox on the move then SecretSync won't be helpful, but neither will any other encryption that you control as far as I know. The iPad has its own encryption but I haven't come across any apps that will unencrypt a file from Dropbox (or other similar storage).
For what it's worth, and the following is probably tl;dr, if I have to take client material on an iPad, I temporarily copy it to Goodreader and password protect it (various times, because I'm paranoid - the iPad is passphrase protected, the Goodreader app requires a password to access it, the files are password protected individually, and they are within password protected folders. Goodreader uses the iPad's encryption system so that password protection encrypts the files, it doesn't just lock them).
Much the same as printing it out, really. It's mildly irritating not to be able to get material from Dropbox on the fly, but I'd really rather not have to worry about the potential for uncomfortable conversations with the Bar Council and the Information Commissioner's Office.
Terrific summary John
OK I'm going for a crawler of the year award!
I'm not a Dropbox user yet, but have to exchange large files which email can't cope with from time to time.
I've found this really helpful and is a good example of the AW community really coming into its own
Dropbox, Google Drive & SugarSync
I've tried three syncing software solutions before deciding which one to go for.
Dropbox is the market leader but is quite expensive. Sugarsync is slightly different to both Dropbox and Google Drive in that you choose which folders to sync, rather than having a specific folder that needs to be populated with the folder/files you want to sync.
In the end I went for Google Drive quite simply because of price. The software isn't as nice as Dropbox's, but it's $2.49 per month for 30GB (5+25) against $9.99 for 50GB (100GB is $4.99/m in Google Drive). I've been using it for about 2 months now without any issues.
The other benefits are that you can always access files on any machine with Internet access, and if you use more than one laptop these files are invisibly made available on all machines with or without Internet.
One reminder though - these are syncing solutions so if you delete or change a file that's synced old versions will be replaced or removed, unlike a backup service where deleted files may still be available.
Might depend on situation
Google Drive / Microsoft SkyDrive -- both of these are definitely cheaper than DropBox. However, I've never been able to get either to work as smoothly as Dropbox (meaning, the dropbox folder is just like any other folder on my computers - local copies of all data that then replicate to the other machines). Google/Microsoft do not have a local folder - instead, you "map" the network data share so that it appears as a local drive (and file copies will be slower, as it always takes longer to grab a file from across a network compared to a local copy). At all times, you have to have network access to reach your data - not good if you want to work on files while on a plane, etc.
But if you aren't in "travel mode" and have good high-speed network connections, both of these cloud platforms would be excellent choices as well.
SecretSync - possible issue
I just took a look at the SecretSync home page. Product definitely looks impressive, and I'll definitely check it out in greater depth as a replacement for my current set of TrueCrypt folders/USB keys, which I use for my sensitive information. Then, Dropbox could do all the heavy lifting.
One possible "death star" snag: from the SecretSync FAQ page, it sounds like the system automatically does the decryption for you (from the Dropbox "tunnel" folder) and places the non-encrypted file into a folder located on the machine(s) at each end of your Dropbox service.
In my case, my home machine is a laptop - if I were to lose the laptop while on the road, if a thief could get past my Windows 7 password, then they would have access to the sensitive data in the SecretSync folder without any further password protection (though I do have to check out how SecretSync "passphrases" might play into this). Anyway, this might be a bit of a long-shot as far as security concerns go. But right now, I have encrypted TrueCrypt containers protecting the data as a second layer of defense.
But if you have excellent net connections and are not using it in a mobile context, they would be excellent solutions.
true ...
> if I were to lose the laptop while on the road, if a thief could get past my Windows 7 password, then they would have access to the sensitive data in the SecretSync folder without any further password protection (though I do have to check out how SecretSync "passphrases" might play into this).
The passphrase is a secondary layer of protection for your SecretSync files but it doesn't require you to type it in to access the folder. If a thief can get past your laptop login then they can probably get past passwords to get at data, if they're specifically looking for the data. For what it's worth, the ICO would rap your knuckles if the laptop wasn't encrypted and password protected, but they don't require folders to be separately encrypted or password protected.
Agreed
> For what it's worth, the ICO would rap your knuckles if the laptop wasn't encrypted and password protected, but they don't require folders to be separately encrypted or password protected.
Exactly my thoughts. Laptop is password-protected and right now (via TrueCrypt) the data is encrypted.
Saw your other post re US Patriot Act as well - this is another aspect, too. While I don't have any info that would be of interest to them, it's not my place to make that decision on behalf of my clients.
and finally (should have combined these in one post)
With Google Drive, don't forget that Google has handed over data in a European data centre to the US Government under the Patriot Act before now (as has Microsoft) - http://www.zdnet.com/blog/igeneration/google-admits-patriot-act-requests....
Also note that the EU Article 29 Working Party has just said that safe harbour self-certification alone isn't enough when using US data centres (http://ec.europa.eu/justice/data-protection/article-29/documentation/opi...).
Own cloud server
Why not buy yourself a cheap PC, slap on a copy of Linux and some file sharing software (if you are not happy with the stuff built in)?
You may need to have a fixed IP allocated to the PC (ask your ISP) or use a service such as noip.com - and hey presto, you have your own cloud server which is completely under your own control and without the monthly subscription.
http://www.webupd8.org/2011/10/owncloud-2-your-personal-cloud-server.html
Sure, if you have the technical expertise . . . .
This is the most preferred approach; however, only if you have sufficient technical knowledge to properly control/monitor access to the server, protect the data on it, etc. For example - the review on the page link you provided openly points out that this system lacks indigenous file encryption (which DropBox has, even though it has the weakness of being applied server-side, rather than client-side).
Own cloud server
Linux has built-in encryption software, e.g. EncFS, which can be utilised for this, or use something like TrueCrypt.
As far as support goes, there is extensive documentation provided with all Linux distros and also most software.
The 'Linux community' is generally very helpful and of course there is paid for support should you wish to take it up.
Follow the links in whatever distribution you choose to try.
Since all the software can be freely downloaded (as in unrestricted and without cost) or found bundled in the distro's software repositories, you don't really have anything to lose.
You may be interested in this:
Dropbox
Started to use it as a means of being able to transfer Sage files from a client to the office, since these can become too large to send via email. However, Dropbox didn't seem to like Sage files. However, it was great for uploading PDF and Excel files and emailing a link to these specific documents in the public folder. Now using it to put "to be read later" documents in and accessing them during spare moments using the iPad.
Dropbox security
If you invite someone to a Dropbox folder they can then invite others without you necessarily being aware of it. Has anybody come up with a way round this?
Doesn't appear to be a way around it, no
All I can suggest on the shared folder point is regularly checking the information as to who is sharing it - it's available on the Dropbox website when logged in, if you check the folder's 'shared options' information.
Shared folders
Thanks for the comment. That is how we deal with it at present but it does throw a spanner in the works as far as confidentiality of records is concerned.
Private FTP site
Borrowing a bit from the concept of your own private cloud server (per the posting re Linux, etc), when I worked at BDO Canada LLP, we had a private FTP (File Transfer Protocol) server to handle client file transmission. FTP is the process used in web pages whenever you download a file. An FTP server - besides allowing for file downloads - also allows users to upload files. In BDO's case, staff could have their clients set up with secure access, and files could then be uploaded/downloaded as the staff person/client needed.
Ultimately, this is a better option than Dropbox (as it exists right now) but does require more onus on the accountant to ensure security, access, privacy, etc.
New options for shared folders
Dropbox have just added a box that you can uncheck to stop users other than the owner from inviting others. The default is sharing so you will have to go into all shared files if you want to turn this off.
DropBox for temporary sharing, specialists for secure docs?
At Receipt Bank we have had a DropBox integration since last year. We built it because we were asked for it by so many firms. Their experience of DropBox was that it was an excellent mechanism to share files with clients and they wanted us to connect to it so that documents and data could flow straight from DropBox to FreeAgent, KashFlow, Xero, etc.
From our experience we know that many firms trust DropBox as a mechanism for file sharing. For file storage, my impression (from the firms I speak to) is that opinion is a bit more split, with many firms preferring industry specialists such as DocSafe for the sharing and storing of key client docs.
How about for Cloud Accounting purposes...
It is just a matter of time before businesses are all going to be managing their entire business cycle, and consequently all their business transactions, in the Cloud.
The biggest concern by far for most people is safety and security of the data. Would Dropbox be the answer to this safety concern? Or is the concern really not a valid one, in that cloud data storage is secure enough on its own?
I would appreciate a response from users who have something to add, or simply to respond.
Rgds,
Raj Dhawan, CPA
http://www.RajDhawanCPA.blogpost.com
I think we've covered this already
Raj, I think between John's article and the dialogue to date here in the user comments, you've likely got a good expression of the issues already. For some (and their clients), dropbox is secure enough - meaning, it's not 100% ideal but it is "sufficiently low risk" in their eyes compared to the advantages of the service (and same with similar other product offerings, like SugarSync, Box, etc.).
For others, it isn't secure enough (for example, I love dropbox and use it extensively but, I would not trust it with tax information, payroll information (including such information within accounting software databases), medical information, etc. of others). In my capacity as an information systems auditor and performing the likes of a SAS70/SSAE 16 etc service audit report, I'd probably have to draw attention to the server-side encryption as being inadequate to satisfy COSO/Cobit internal control objectives for proper access to data (in English, the data owner cannot exercise sufficient control that information could not be disclosed to others outside of the owner's influence - namely staff at DropBox in particular).
Bottom line: it depends entirely upon the practitioner and their client's sensitivity for risk (compared to the nature of the data being stored). For example, I do have the spreadsheet/books of a service club within my dropbox files -- while it would be undesirable to have the information "accidentally disclosed", there's very little harm to anyone if it actually happened (there's no personal info, such as income, birthdates, social insurance numbers, etc. stored in it). The convenience in this case is well-worth the risk.
Another important distinction: Dropbox is an excellent file transfer synchronization system between multiple systems. However, it is *NOT* designed for iterative collaborative work, such as is available in Office 365's SharePoint system or Google's Drive (Docs). Those environments were built to have multiple people accessing the same files simultaneously (such as word processor, spreadsheet, and presentation files) and combining their efforts into a unified whole. I would strongly suggest that no one locate accounting data sets (such as Sage 50) within *ANY* of these environments (and especially Dropbox and its ilk) without first doing a careful assessment as to the underlying record lock provisions. I'm not aware that any of these shared environments are built to properly handle multiuser database access without preparation first (Office 365's SharePoint can likely handle systems built upon MS-SQL/Access but again, only with proper configuration). I'd doubt that Dropbox can do so without a high probability of data corruption.
SugarSync
What about SugarSync - a fantastic service, where you can select any files or folders anywhere on your PC for auto backup/sync between computers. $50pa for 30Gb can't be bad and works well for me.
SugarSync
SugarSync -- from a security/privacy/access perspective -- has a major advantage over DropBox: it does encrypt the data at the client end BEFORE uploading to the sugarsync servers.
But when I was trying it out (months ago), I found that the file transfer process was nowhere near as seamless as that of DropBox. I had numerous occasions where I saved a file in a SugarSync-designated folder on one computer and constantly found delay in having it synchronize on others (and I don't mean a few seconds' delay, I'm talking hours - in fact, I'm not sure that some of the files ever did synchronize without manual intervention). Maybe I had something set incorrectly somewhere, but I couldn't find it. Dropbox was far more seamless and automatic in its operation.
If it's working for you, that's great. While my experience wasn't positive, I've certainly heard from others that it works well. Same thing with Box.