One of the most common questions about online software is security. If I can’t see the server that runs the program under my desk, how do I know if my business information is safe?
Measuring the risk
A security company once said the only safe computer is one that has been switched off. All software, whether it runs on your desktop or online, is vulnerable to security threats. This doesn’t stop businesses from using software. Software is indispensable to running an efficient, modern business and communicating with your employees, customers and suppliers.
Instead of asking, “is online software secure?” a better question is, “is online software more secure than desktop software?”
For the vast majority of small and medium businesses the answer is yes. To understand why, we need to look at the vulnerable points in the process of using software.
The points of vulnerability with desktop software are all located in one place, the desktop or laptop computer. It is the point of access for the user, the point of storage for the accounting software and the user’s data file, and the point of connection to the internet.
The level of security for desktop software comes down to the initiative and budget of the user.
Most businesses spend very little on security, whether electronic measures such as firewalls and anti-virus protection or physical measures such as locked doors and anti-theft cables. They also tend to spend little time or money on educating staff about best security practices.
The reality is that an office computer is usually vulnerable to a greater range of internet-based attacks than online software. And it is much more vulnerable to physical risks such as fire, flood or theft.
Not only is the software often poorly protected, the emergency processes to restore the software are usually lacking too. Backup is the great Achilles heel of many businesses who usually treat it as an afterthought. When something does go wrong it can take many hours or even days to return to full operation.
The points of vulnerability for online software are split between the vendor and the user. The point of access for viewing the software (whether laptop, desktop, smartphone or tablet) is still the user’s responsibility to secure.
Storage of the accounting software and the data file is not the user’s responsibility but the vendor’s. Software companies run their programs from enterprise-grade data centres with highly sophisticated, layered defences.
These enterprise data centres are patrolled by guards and access is controlled by keycards and fingerprint and iris scanners. Other physical defences include firefighting systems (gas and sprinklers), large diesel generators to supply power during blackouts, and flood-resistant locations.
Data centres usually have multiple, redundant, extremely fast internet connections. The networks are protected by the latest security technologies and 24-hour monitoring by a team of IT security experts.
There is also an element of security through obscurity: the data for one business sits on the same server as that of hundreds of other businesses.
If a server fails in an enterprise data centre, the online business application can be moved automatically from one group of servers to another.
Online software companies have detailed backup procedures for restoring their applications if a software bug causes a crash. The average amount of downtime for the best-known online business programs is several hours in a whole year.
How hard is it to secure?
Whether the threat is theft, natural disaster, a virus or a hacker, online software is generally far better protected than a desktop program. If a thief steals a smartphone they won’t be able to access the online software without entering a password.
A business owner could log in from another computer and change the password in their online accounting software and it would be impossible to access from that smartphone again.
If a thief steals a laptop they have a much greater chance of opening data files in any desktop software it contains.
In the past, hackers have tried two main approaches to break into online software from the user’s side. The first uses password-guessing programs that cycle through billions of combinations until they find the right one. This is called “brute forcing”.
Or they snoop on a network and capture the password as it passes between your computer and the data centre where the online software is located.
These two types of attack are almost impossible against online accounting software sold by mainstream vendors today. The security practices banks use to protect online banking services to millions of customers have become standard practice for protecting online business software.
The login screens for online accounting software limit the number of times you can attempt to enter a password. If you try too many times it will lock your account or suggest you reset your password.
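The lockout described above, written out as an added example (not code from any vendor named in this chapter): a per-account failed-attempt counter that warns before the limit, locks the account for a fixed period and refuses even the correct password while locked. The limits, the lockout period and the test account are assumptions chosen for illustration.

```python
import hashlib
import hmac
import time

MAX_ATTEMPTS = 5            # assumed: failed attempts allowed before the account locks
LOCKOUT_SECONDS = 15 * 60   # assumed: how long a locked account refuses all attempts


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so that guessing stays expensive even if the store leaks.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginThrottle:
    """Per-account failed-attempt counter with a temporary lockout."""

    def __init__(self, users: dict, clock=time.time):
        # users maps username -> (salt, password_hash); `clock` is injectable for tests.
        self._users = users
        self._clock = clock
        self._failures = {}       # username -> consecutive failed attempts
        self._locked_until = {}   # username -> unix time at which the lockout ends

    def attempt(self, username: str, password: str) -> str:
        now = self._clock()
        if now < self._locked_until.get(username, 0):
            return "locked"       # refuse outright; the password is not even checked
        if username in self._locked_until:
            # Lockout has expired: start a fresh counting window.
            del self._locked_until[username]
            self._failures[username] = 0
        salt, stored = self._users.get(username, (b"", b""))
        # Constant-time comparison so a near-miss does not leak through timing.
        ok = username in self._users and hmac.compare_digest(
            hash_password(password, salt), stored)
        if ok:
            self._failures[username] = 0
            return "ok"
        failures = self._failures.get(username, 0) + 1
        self._failures[username] = failures
        if failures >= MAX_ATTEMPTS:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            return "locked"
        if failures == MAX_ATTEMPTS - 1:
            return "wrong-reset-suggested"   # one attempt left: suggest a password reset
        return "wrong"
```

An unknown username goes through the same hashing and counting path as a real one, so the response does not reveal which accounts exist.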
The second attack, network snooping, is also easily defended against. Online accounting software forms an encrypted tunnel between a computer and the data centre. Any information such as a password or your account balance passing up or down the tunnel is unreadable to anyone else.
The most successful forms of attack have nothing to do with online software itself. The weakest link is usually the user, and hackers target them accordingly.
Far too many people use one password for all programs. This means that if a hacker steals a list of passwords from a small business which counts you as a customer, they will try that password and email address in your Gmail or Yahoo account, banking and other online services.
The second attack is called social engineering. It can take many forms, but its common goal is to persuade you to reveal your password. One method is to email a link to a fake website that imitates a bank’s online banking or a payments gateway such as PayPal.
Or a hacker could phone you and impersonate your bank and ask for your password as part of the verification process.
You can minimise the risk of attack in several ways.
- Use a unique, difficult-to-guess password and keep it in a very secure location.
- A password manager is a very handy tool for creating and storing long and difficult passwords for many websites. Of course, you need to have a very secure password to access the password manager but at least it’s the only one you need to remember.
- Never reveal your password to anyone, even if they are allegedly calling from the bank or software company. If someone does ask you for your password it is almost always with malicious intent.
- Only use your own laptop or computers rather than public computers.
- Public wifi networks in cafes and airports can be compromised. For maximum security, use your smartphone or tablet, or tether your laptop to one of them, to access your online accounting software. Telcos tightly control access to their networks, which makes them more secure.
One specific area of concern deserves its own chapter. What happens to your company file when you move from desktop accounting software to online? Read Chapter 8: Looking After Your Data to find out more.