Cloud-based accounting software providers go to great lengths to protect customer data. Warren Faleiro, chief technology officer at FreshBooks says its servers are regularly scanned externally and internally for vulnerabilities. All traffic entering and leaving the network is monitored by an intrusion detection system and sensitive information is encrypted in the company’s database.
FreshBook’s servers are in state-of-the-art data centres, he adds, which feature biometric access controls, constant surveillance, redundant power feeds and generators, robust fire suppression and climate control.
It uses redundant storage and servers to keep the application and customer data available in case of hardware failure and another set of servers and storage in a separate data centre in case its primary option is disrupted. Account data is replicated across multiple database servers in two geographic locations, backed up nightly to tape and stored in a secure offsite location.
Some data protection measures are comparable to those for internet banking – such as not responding to suspicious requests for information, adds KPMG’s head of small business accounting, Bivek Sharma.
“One of the key questions clients should ask is whether they are passing on their full banking details,” he says. “The client should be setting up the bank integration – these details should not really be seen by the provider.”
Richard Anning, head of ICAEW’s IT Faculty, says data should be housed in secure data centres with redundancy and back-up power supplies. These centres should also have good physical security (to prevent unauthorised entry) and appropriate staff vetting procedures.
“Companies should make sure they know where their most valuable data is stored and may choose to place it in a private rather than public cloud if it is particularly sensitive,” he adds. “They should back up their data, but also ensure their back-up system works. Many fail to test their back-up system to ensure they are able to retrieve the data in a form they can use.”
Sharma refers to databases being hacked and details published online to show the potential implications of a security breach at a provider of cloud-based payroll solutions.
“When assessing service providers, businesses should consider the size of the vendor, how widely its solution is used, how long it has been operating and whether there have been any issues with its service in the past,” he says. “It is also worth asking who the service provider is using to host the data and applying the same criteria to the hosting company.”
Xero UK managing director Gary Turner accepts his company has a role to play in educating customers on security – for example, showing them how to identify phishing attacks – although he also notes that for reasons of security, cloud-based service providers will not reveal details of all their security protocols.
“We have implemented two-step authentication so that even if a customer’s log-in details are compromised, their data cannot be accessed without an authentication key,” he explains. “Additionally, we alert customers if we see what looks like a suspicious log-in, for example from an overseas location.”
Data protection legislation in the UK is robust, but customers don’t need to insist their data is stored in the UK says Ed Molyneux, CEO of FreeAgent. Systems based outside the EU can be used if they comply with appropriate regulations.
In July, the European Commission adopted the EU-US Privacy Shield to replace the “Safe Harbour” process of transferring personal data, which the European Court of Justice invalidated in October 2015. The Privacy Shield will govern the basis upon which personal data can be transferred between the EU and US.
This protects the fundamental rights of anyone in the EU whose personal data is transferred to the US, as well as introducing legal clarity for businesses relying on transatlantic data transfers.
Darren Daly, partner and head of technology at law firm ByrneWallace observes that the Privacy Shield is based on strong obligations placed upon companies handling data; government oversight (the US has given the EU assurances that access by public authorities for law enforcement and national security purposes is subject to clear limitations, safeguards and oversight mechanisms); annual joint review; and effective protection of individual rights. “While there are certain improvements, the path ahead may not be straightforward as further legal challenges are expected,” says Daly.
Service level agreements are not usually part of the contract for small business customers, but potential users can check information such as availability levels, adds Molyneux. “However, they should note that availability can be impacted by factors outside a service provider’s control, for example if a customer’s internet connection goes down.”
He suggests customers should also look at how often they back up data and software on their computers. “Passwords are often the weakest link in the security chain, so we make recommendations around the strength of passwords and avoiding sharing/reusing of passwords.”
Wave CEO Kirk Simpson describes backup as one of the strongest elements of cloud-based accounting. “We hold multiple copies of data in multiple data centres – how many small business owners back up their computers to a separate hard drive and store that hard drive away from the main computer location?”
When asked what steps users of cloud-based accountancy services should take to protect their data, he agrees the value of a strong, unique password remains overlooked. “If you use the same password for all your accounts, you have created a single point of failure. Your most sensitive data is only as secure as the weakest site where you have used that password and if that site is breached, the hackers will take the usernames and passwords they find and try these on other websites.”
One of the key criteria a business should consider when selecting a cloud-based accountancy services provider is that security and backup are automatically taken care of, says Hugh Scantlebury, director at Aqilla. “We also recommend reducing reliance on in-house IT – 80% of data losses are down to disgruntled IT or internal personnel activity,” he explains.
He observes that most credible providers make use of encryption and infrastructure that is regularly tested. “Beyond that, sound backup and disaster recovery provisions provide a much more robust security solution than any single organisation’s IT resource could.”
On course towards greater compatibility
HMRC has stated that it wants customers who choose third-party software to benefit from more integrated and optimised products that work seamlessly with HMRC systems, and has committed to building a suite of application programming interfaces (APIs) that will enable third-party products to carry out more tax functions in greater detail.
Cloud-based accounting solutions are a key component of the government’s Making Tax Digital plans, but Richard Anning observes that HMRC has not yet released the APIs and there will be a lot of work for existing providers to ensure compliance.
“Some systems may be discontinued because it is too expensive to update them,” he suggests.
In July 2016 the National Audit Office (NAO) warned that HMRC would need to build public trust in its new digital services, stating that while its plan to have the most digitally advanced tax system in the world appeared credible and proportionate to the scale of the risks involved, it must ensure these services are secure as well as easy to use. The NAO also noted that as HMRC’s data becomes increasingly digitised and integrated, the importance of protecting its systems against data loss and cyber attack would increase.
Richard Wild, head of the tax technical team at the Chartered Institute of Taxation, says HMRC plans to build checks into online accounts, including embedding risk triggers within third party software.