Security is an enormous issue for SMEs, including accounting firms, from ransomware to data breaches and employee theft. Where there is a risk of financial and reputational loss, “silver bullets” and hype merchants quickly follow.
The only way to work out the best plan of action for your firm is to talk to as many experts as possible and draw your own conclusions.
Quite a few security experts flew in for a conference held in Sydney by identity management company Ping Identity. Ping has been advising banks on how to protect the privacy of individuals and companies during the transition to “open banking”. Open banking is a new framework which will give you the ability to change banks at the click of a button, bringing all your transaction history, account numbers and other data with you.
I asked Sarah Squire, Ping’s senior technical architect, how SMEs and firms could best protect their data in an age of incessant online attacks.
The short answer: keep data in cloud apps and share access to the app. It’s safer than sending files by email (especially PDF reports).
Digital First: Sarah, what advice would you give to SMEs and firms who want to protect their data? Accounting firms in particular have access to a lot of data that isn’t theirs, so they carry greater risk.
Sarah Squire: The two best practices are to encrypt data when it is stored and when it is transferred. When you’re transferring it to a client, the client needs a private encryption key on their computer to decrypt the file. Most laptops and phones can securely store a key unique to a consumer that they can use.
Digital First: That sounds like an enormous hassle, sending out encryption keys to every client if you’re a firm with hundreds or thousands of clients. Is it better then to use cloud software to share data, rather than download it as a file and send that?
Squire: If you encrypt the file and send it through email then it’s the same as using a (cloud) app but the app is vastly more usable. That’s certainly a secure way.
Digital First: So you would advise accountants to preference using apps to share data rather than individual files? That SaaS (cloud apps) would give them a better security posture?
Squire: Yes, absolutely.
Digital First: So should we be moving away from Windows Office on the desktop to Microsoft Office 365 or G Suite in general? Just because the cloud productivity suites can store all the files online, so you’re not having to encrypt and decrypt them with email?
Squire: Yes. (Companies rarely protect files properly, particularly PDFs.) One of the biggest problems with PDFs is that you don’t know what is in it until you open it. If you don’t know what is in it you can’t be compliant with the General Data Protection Regulations (a privacy law for EU companies). You need to have a document management program to help them store the PDF in an encrypted way and to store everything about the file in a structured manner (with metadata).
Digital First: What is identity management?
Squire: Identity management sets up identities for each person in the firm and gives them one set of permissions and one way of logging in to all your software (desktop and cloud). Whether you’re logging into QuickBooks Online or Xero, you should be entering the same password and using two-factor authentication to log into (your identity platform). Everyone needs to do this regardless of your role, whether you’re an intern or partner.
Digital First: How does a role translate to an identity?
Squire: I like the metaphor of hats with keys on them. The keys will let you into an office with certain apps or files. One hat can get you into the janitor’s office, another into the accountant’s office, but neither of those will let you into the CEO’s office. The CEO’s hat has all the keys on it.
Digital First: Why is an identity platform better than a password manager?
Squire: Because a password manager is controlled by the employees. You could have an employee who is a bad actor and you need to log them out of all their apps one by one.
Digital First: But you can use password managers to generate passwords for apps without showing the password to the employee.
Squire: You still have to go to each of their apps and change the passwords because they could have reset or copied out their passwords.
Digital First: Does Ping store personal passwords?
Squire: No. For personal passwords I recommend people use a password manager. It’s not the best technology but it’s the best we’ve got.
Digital First: Is the password manager in an in-built browser as good as LastPass (an enterprise password manager) for personal use? For example in Chrome, Microsoft Edge, Safari, and so on.
Squire: Yes, just make sure you lock your computer. You don’t want your computer holding all your passwords if it gets stolen. You would need to log out of your browser on another computer (which would then cut off access to the passwords on the stolen computer when it synced online with your browser identity).
Digital First: What’s your position on using a Google account to log into lots of apps rather than using passwords or an identity platform?
Squire: Ping uses the same technology as a Google account but we are much more robust and can do a lot more. Google is cloud based only, it can’t control access to on-premise or desktop apps like you can with an identity platform.
A Google account only gives you single sign-on (one password to access many apps). An identity platform also has access control and permissions and a directory of users.
Also it’s harder to log out with Google. Say I log into Fitbit’s website with my Google account. If I log out of Fitbit but I’m still logged into Google, you can just refresh the page and it will log back automatically into Fitbit. If you are sharing your device (say with family members) then you need to make sure you log out of Google.
Digital First: Why do you think Ping is better than Okta, your major competitor?
Squire: Ping is much more active in open banking. We are working with the largest banks in the world, we have more expertise in the financial industry and in open APIs.
Digital First: And are they that different feature-wise?
Squire: No, not off the top of my head. We have a graphical user interface for people who aren’t technical. It’s drag and drop to set up new permissions.
Digital First: Is two-factor authentication (2FA) sufficient on its own to provide good security? Or do you need an identity platform as well?
Squire: 2FA is better than nothing. If you have really high risk use cases – for example, clients who are celebrities or who have a lot of money – 2FA with SMS is not super secure. SMS messages can be “sniffed” (and used to open the app). Or someone can walk into a phone shop and say, “Hi, I’ve lost my phone. Can you port my mobile phone number to a new one?” Then they will receive the SMS.
It is better to use an authentication app for 2FA. You can’t walk into a phone shop and convince the staff to give you access to an app. But if there’s no-one actively trying to get into your accounts then SMS is fine.
Image credit: SentinelDaily