How to Make Your Cloud Accounting Software Secure
According to Forbes, 83% of enterprise workload will be on the cloud by 2020. As such, if your accounting firm wants to meet your clients where they are, adopting cloud accounting software is the logical move.
Due to the sensitive nature of accounting data, the foremost concern related to adopting cloud accounting software is data security. To address this concern, cloud accounting software providers take various steps, including making sure their products and services are in compliance with industry standards. Meanwhile, there are measures subscribers of cloud accounting software should take to minimize their security risks during software operation.
What is cloud computing?
It used to be that if you needed software, say Microsoft Office, you’d buy a CD and install it on your computer. You could only access your software and data from your own computer, and you had to ensure your data was saved and backed up.
Today, mobile phones and laptops have become affordable to almost everyone and Internet speeds have improved so much that uninterrupted connectivity has become a virtual necessity. This helped usher in the age of cloud computing, which simply means your software, hardware and data storage are situated elsewhere, not on your company server or home PC. Access is granted through the internet after you’ve paid a service subscription fee.
The biggest advantage of cloud software is Triple A: Access Anywhere Anytime. Unlike desktop software, as long as you have internet access, no matter where you are, you can use your cloud software. You no longer have to worry about losing data because your data in the cloud is backed up automatically.
Why cloud accounting software?
Although cloud accounting software may present new challenges in data security, its popularity keeps rising due to:
- Access to service anywhere, anytime
The biggest draw of cloud accounting software is accessibility. Whenever or wherever you have an internet connection, you can access software and data. This allows easy collaboration, not only among accountants within your firm but also between your firm and your clients, which leads to increased productivity and efficiency.
- Secure infrastructure
Most SaaS vendors build their products on infrastructure hosted by Microsoft, Amazon or Google, all of which provide servers and data storage that are robustly backed up so subscriber data are secure even in the event of technical failure, electricity outage or natural disasters. In addition to physical security, the cloud service providers also provide data encryption to keep your data confidential.
- Cost reduction for IT departments
Using cloud software entails outsourcing a large chunk of the work of your IT department to your cloud service provider. Your IT department can be leaner as you no longer have to worry about updating software, maintaining your own servers or backing up your data.
- System scalability
Most cloud software is built on infrastructures hosted by technology giants with virtually unlimited hardware and data storage capacities, such as Amazon. Should you need to scale up your software system as your client base grows, it can be done swiftly without interrupting your normal workflow.
Most cloud software services are flexible enough to tailor their products to suit your business needs by customization or configuration.
Understanding information security standards
When choosing cloud accounting software vendors, it is imperative that you look into their competency in securing their services. Two of the most widely adopted industry standards that can provide reasonable assurance for you are ISO/IEC 27001:2013 and SOC2. Be sure to ask your vendor to provide their certifications and reports to verify that they are in compliance with these industry standards.
ISO/IEC 27001:2013 is an internationally recognized, widely adopted security standard for Information Security Management Systems (ISMS). This standard is suitable for any industry in any market. Cloud providers need to pass rigorous audits by independent auditors to obtain the ISO/IEC 27001:2013 certificate.
The ISO/IEC 27001:2013 standard covers every aspect of managing information security, including:
- Commitment from top management
- Assessing risks
- Establishing policies and procedures that mitigate risks
- Ensuring resources and personnel needed are in place
- Providing security training for employees
- Monitoring and logging risks on an ongoing basis
- Reporting and documenting security incidents
- Evaluating and improving ISMS continuously
SOC2 is a standard issued by the American Institute of Chartered Public Accountants (AICPA). It is mainly adopted in North America. Its aim is “to help service organizations … build trust and confidence in the service performed and controls related to the services through a report by an independent CPA”. A SOC2 Type I audit reports on whether an organization’s ISMS is suitably designed for its business. A SOC2 Type II audit examines the operational effectiveness of the ISMS.
The two standards have many overlapping areas. The emphasis of ISO/IEC 27001 is to help an organization establish and maintain an effective ISMS for both their own and their customers’ assets. SOC2’s audience is the clients of a service organization. It helps clients to ascertain that their service providers are up to standards in providing information security.
What you can do to ensure your information security
While cloud accounting software brings many benefits, it also brings a set of challenges for information security. Since your data can be accessed from anywhere, at any time, and on any device, it is a challenge to monitor whether all access is secure and legitimate. As a cloud accounting software subscriber, even if you’ve done your due diligence and chosen the most secure cloud product, there are still more precautions your organization needs to take to ensure that the way you interact with the software is secure.
To mitigate security risks, you need to assess the risk level of your information assets based on how sensitive and valuable the information is as well as who is using it and how it is accessed.
Be sure to only grant access to sensitive information on an as-needed basis.
Based on the results of risk assessments, you need to assign roles and responsibilities and implement procedures and controls to safeguard information security. The security controls need to be continuously examined and updated as your business and security threats change.
Use common sense
Common sense approaches such as updating your software, installing anti-virus software, enforcing rules for secure passwords, keeping vigilant for emails from unknown sources and training your employees can go a long way when it comes to protecting your data security.
At Caseware, we go the extra mile to ensure your information is secure
Information security has been an ongoing focus at Caseware since the inception of our cloud accounting and auditing platform. Caseware implements the Open Web Application Security Project (OWASP) framework throughout our entire cloud software development life cycle, from the initial design to development and testing, to the maintenance after the software is on the market and in operation. Building, examining and improving the security of our cloud-based software is Caseware’s continuous commitment.
Caseware has adopted both ISO/IEC 27001:2013 and SOC2 standards for ISMS, so that all forms of information including digital information are secure in our work environment and during our business transactions. In addition to annual external audits, Caseware also conducts internal audits regularly to ensure our ISMS is up-to-date, robust and effective.
Caseware also rigorously follows the same ISMS standards in collaboration with our service providers and regional distributors to secure the entire service supply chain.
As a Caseware cloud user, you maintain full ownership of your data. You decide when to add or remove data and you control who has access to your data. To ensure your data security and in keeping with the highest industry standard, we make sure your data is encrypted at rest and in transit.
To learn more about how Caseware ensures your information security, visit Caseware Security Control FAQ.