Security is an even bigger risk, now that the GDPR and NDB is
Note that this article advocates for either encrypting everything or sticking to the cloud, whereas at Nimbus we believe that you should both stick to the cloud AND encrypt everything.
Top security tips for firms? Stick to the cloud or encrypt everything
Security is an enormous issue for SMEs including accounting firms, from ransomware to data breaches
and employee theft. Where there is a risk of financial and reputational loss, “silver bullets” and hype merchants quickly
The only way to work out the best plan of action for your firm is to talk to as many experts as
possible and draw your own conclusions.
Quite a few security experts flew in for a conference held in Sydney by identity management company
Ping Identity. Ping has been advising banks on how to protect the privacy of individuals and companies during the transition to “open
banking”. Open banking is a new framework which will give you the ability to change banks at the click of a button, bringing all your
transaction history, account numbers and other data with you.
I asked Sarah Squire, Ping’s senior technical architect, how SMEs and firms could best protect
their data in an age of incessant online attacks.
The short answer: keep data in cloud apps and share access to the app. It’s safer than sending
files by email (especially PDF reports).
Digital First: Sarah, what advice would you give to
SMEs and firms who want to protect their data? Accounting firms in particular have access to a lot of data that isn’t theirs, so they
carry greater risk.
Sarah Squire: The two best practices are to encrypt
data when it is stored and when it is transferred. When you’re transferring it to a client, the client needs a private encryption key
on their computer to decrypt the file. Most laptops and phones can securely store a key unique to a consumer that they can use.
Digital First: That sounds like an enormous hassle,
sending out encryption keys to every client if you’re a firm with hundreds or thousands of clients. Is it better then to use cloud
software to share data, rather than download it as a file and send that?
Squire: If you encrypt the file and send it through
email then it’s the same as using a (cloud) app but the app is vastly more usable. That’s certainly a secure way.
Digital First: So you would advise accountants to
preference using apps to share data rather than individual files? That SaaS (cloud apps) would give them a better security posture?
Squire: Yes, absolutely.
Digital First: So should we be moving away from
Windows Office on the desktop to Microsoft Office 365 or G Suite in general? Just because the cloud productivity suites can store all the
files online, so you’re not having to encrypt and decrypt them with email?
Squire: Yes. (Companies rarely protect files
properly, particularly PDFs.) One of the biggest problems with PDFs is that you don’t know what is in it until you open it. If you
don’t know what is in it you can’t be compliant with the
General Data Protection Regulations
(a privacy law for EU companies). You need to have a document management program to help them store the PDF in an encrypted way and to store
everything about the file in a structured manner (with metadata).
Digital First: What is identity management?
Squire: Identity management sets up identities for
each person in the firm and gives them one set of permissions and one way of logging in to all your software (desktop and cloud). Whether
you’re logging into QuickBooks Online or Xero, you should be entering the same password and using two-factor authentication to log
into (your identity platform). Everyone needs to do this regardless of your role, whether you’re an intern or partner.
Digital First: How does a role translate to an
Squire: I like the metaphor of hats with keys on
them. The keys will let you into an office with certain apps or files. One hat can get you into the janitor’s office, another into the
accountant’s office, but neither of those will let you into the CEO’s office. The CEO’s hat has all the keys on it.
Digital First: Why is an identity platform better
than a password manager?
Squire: Because a password manager is controlled by
the employees. You could have an employee who is a bad actor and you need to log them out of all their apps one by one.
Digital First: But you can use password managers to
generate passwords for apps without showing the password to the employee.
Squire: You still have to go to each of their apps
and change the passwords because they could have reset or copied out their passwords.
Digital First: Does Ping store personal passwords?
Squire: No. For personal passwords I recommend people
use a password manager. It’s not the best technology but it’s the best we’ve got.
Digital First: Is the password manager built into a
browser as good as LastPass (an enterprise password manager) for personal use? For example in Chrome, Microsoft Edge, Safari, and so on.
Squire: Yes, just make sure you lock your computer.
You don’t want your computer holding all your passwords if it gets stolen. You would need to log out of your browser on another
computer, (which would then cut off access to the passwords on the stolen computer when it synced online with your browser identity.)
Digital First: What’s your position on using a
Google account to log into lots of apps rather than using passwords or an identity platform?
Squire: Ping uses the same technology as a Google
account but we are much more robust and can do a lot more. Google is cloud based only, it can’t control access to on-premise or
desktop apps like you can with an identity platform.
A Google account only gives you single sign-on (one password to access many apps). An identity platform
also has access control and permissions and a directory of users.
Also it’s harder to log out with Google. Say I log into Fitbit’s website with my Google
account. If I log out of Fitbit but I’m still logged into Google, you can just refresh the page and it will log back automatically
into Fitbit. If you are sharing your device (say with family members) then you need to make sure you log out of Google.
Digital First: Why do you think Ping is better than
Okta, your major competitor?
Squire: Ping is much more active in open banking. We
are working with the largest banks in the world, we have more expertise in the financial industry and in open APIs.
Digital First: And are they that different
Squire: No, not off the top of my head. We have a
graphical user interface for people who aren’t technical. It’s drag and drop to set up new permissions.
Digital First: Is two-factor authentication (2FA)
sufficient on its own to provide good security? Or do you need an identity platform as well?
Squire: 2FA is better than nothing. If you have
really high risk use cases – for example, clients who are celebrities or who have a lot of money – 2FA with SMS is not super secure. SMS
messages can be “sniffed” (and used to open the app). Or someone can walk into a phone shop and say, “Hi, I’ve lost
my phone. Can you port my mobile phone number to a new one?” Then they will receive the SMS.
It is better to use an authentication app for 2FA. You can’t walk into a phone shop and convince
the staff to give you access to an app. But if there’s no-one actively trying to get into your accounts then SMS is fine.
Image credit: SentinelDaily