CPAs and accounting firms need to bolster their technology knowledge and shore up their data defenses to lessen the risk of becoming easy prey for cybercriminals on the hunt for personally identifiable client information.
That warning was sounded by the three experts gathered for the fourth annual JofA accounting technology round table. The experts—David Cieslak, J. Carlton Collins, and Rick Richardson—agreed that many, if not most, CPAs and firms need to learn more about how the technology they use actually processes and protects the data they are entrusted to safeguard. Failure to do so could lead to consequences ranging from missed business opportunities to devastating security breaches.
How should CPAs respond? The experts didn't always agree—especially when it came to the benefits and risks of the cloud—but their discussion shed light on several possibilities.
This is the second of two articles covering the accounting technology round table. The first part ("Beyond Spreadsheets: Technology Round Table, Part 1," JofA, April/May, page 36) focused on, among other topics, the future of the spreadsheet and the long-term viability of desktop computers, laptops, and tablets.
The JofA interviewed the experts in a January conference call. The second part of the edited transcript follows, and the panelists' profiles are below.
What kinds of security concerns or priorities do you think CPAs should have, or are there any mistakes they're making that you would point out?
Cieslak: Candidly, I think the storm is coming. I'm very concerned about what's going on in the security area. I see too much in the way of weak internal security policy, end users being given local admin rights, people clicking on things they shouldn't be clicking on, very soft or lax password policy, low restrictions as to what can be used, where, when, and by whom. There's not real strong segregation of sensitive information from nonconfidential information.
With as good as malware is becoming, my biggest concern is that people are being compromised, or at high risk of being compromised, and don't even know it. And not just for an hour or two or a day or two—this can go on for months. When end-user machines are compromised, they turn into machines that can then be leveraged to attack other machines in the office. The potential for high-value information being stolen is scaring the living daylights out of me.
I know I said it before, one of the things I like about cloud is you've got at least that security. When I say cloud, by the way, I'm not necessarily talking about Dropbox or sharing files back and forth with clients: I'm more talking about core applications, so I think about my email out on the cloud or core applications running on multitenant SaaS (software as a service)-based solutions out on the cloud. I've probably got a publisher that's got full-time, 24/7 security staff that's keeping an eye on those servers. They're forcing security updates. They're backing up. There are redundancies, failover.
I'm a big fan of some cloud-based alternatives because they are going to help us address areas around cybersecurity that I think are bad. Candidly, I feel like the situation is getting much worse because we're too lax, and the nastiness of the threat is escalating.
Richardson: I couldn't agree more with David when it comes to finding secure solutions in the cloud, particularly for major core application issues.
I think there's a mentality in most local facilities—whether they be CPAs or our clients themselves—that "as long as we're doing something in the office, it's fine; we just have to be careful about the internet. Why does there need to be a password on a spreadsheet that includes 260 client Social Security numbers? It's just being used here in the office; it's not going anywhere." Yet, those are the targeted kinds of security breaches that criminals are looking for. They're trying to engage in identity theft, and they look for places where they can get the most bang for their buck. And that's either going to be a large retailer that has a tremendous number of credit cards or professionals who handle that most private of personal data. Those are CPAs, doctors, you name it—all of whom I think tend to underestimate the level of security they need within their own facilities.
Cieslak: The way black hats gain access to the trusted side of the network is through stolen credentials.
Collins: I agree that credential theft is a growing concern. To help address the problem, Microsoft's Windows 10, which comes out in late 2015, will include double authentication and the ability to separate your business and personal credentials so that the security of your personal and business files, passwords, and emails is managed independently. That's a step in the right direction.
Based on data-breach statistics, the top two types of data theft can be attributed to stolen laptops and dishonest employees. To mitigate these risks, companies should encrypt all their laptops using Microsoft BitLocker or some similar tool. You may need to perform a background check on employees that you currently have in place as well as potential employees. Perform background checks on current and potential employees, and password-protect sensitive data from those employees who don't need access.
David and Rick are very pro-cloud, more so than me. I fully see the benefits the cloud has to offer—the benefits are enormous—but the risks seem frightening, too. I once saved my portfolio with all of my investment account numbers to my cloud, and it felt like I was betting my paycheck on a Las Vegas roulette wheel. I just don't feel comfortable putting my personal information in the cloud, so why would I recommend this to my client?
From a CPA's perspective, what's the best thing to do?
Collins: Keep the sensitive data out of the cloud, and lock down your current systems with secure firewalls and the latest security technology. There are plenty of files out there that you can share that don't constitute a huge risk.
Cieslak: I don't share the same reluctance to put sensitive information in the cloud. Stolen credentials are a concern because, when someone has your credentials, they can gain access to that secure information, but if the larger cloud vendors and publishers are following their security protocols, I would suggest that those are going to be more secure than most organizations are internally.
Neither choice feels ideal. I look at where the exposure is greater and where the exposure is less. I'm advocating being on cloud as opposed to being local because my observation is that too many organizations not only are lax, they too often hide their heads in the sand and say, "I hope I'm not so interesting that I would ever come under attack." Their security strategy is hope, and I think that's an absolutely awful approach.
Collins: The best option is probably to construct a private cloud with the best possible security. It takes greater knowledge of technology and more money, but it might be the right solution for CPAs.
Richardson: The biggest concern that I see in local practice environments is that they have built their technology with help most likely from outside somewhere, and their level of expertise within the practice, with few exceptions, is poor. The smaller firms need to get somebody onboard who is knowledgeable and responsible for overall data security for the firm as a whole, and for their individual installations in the offices themselves. Hiring one or more bright young people that understand the CPA business and are savvy technology professionals would be a huge step forward for smaller practices.
Where do you see CPAs in terms of technology skills? What should they have mastered at this point, and what will they need to know in the next two to three years just to be competitive?
Cieslak: There seems to be a widening gap between those people who know the technical aspects of computing and the users who are just using the devices. People are becoming too far removed from the technical skills they need, and that's raising our security exposure. How well do they know the applications they've elected to execute in different business processes? If they're really only marginally familiar with the capabilities, it undermines their effectiveness.
Collins: Of course, CPAs still need to know the standard stuff, such as Office, Windows, and Adobe Acrobat, but there are many new skill sets worth pursuing. As examples, new project management tools, business intelligence tools, and analytics tools have emerged in recent years. In addition, traditional solutions, such as video production, data security, web publishing, database administration, and global apps, may play a role in what CPAs will be dealing with down the road.
As a specific example, because marketing channels are being redefined, CPAs perhaps should also learn about marketing their products and services through apps and social media. With more people moving to electronic and mobile media, companies that don't follow suit may not stay relevant. This may mean CPAs need to lead their companies to champion projects that embrace social media or build smartphone apps that enable customers to interact with their companies—skills that traditionally lie beyond their normal comfort zone.
Richardson: I concur with the thoughts regarding being close enough to the technology to understand what you're doing with it. CPAs have to remember that they are professionals who hold themselves to a set of standards that require them to do more than just merely use applications. And so understanding enough relative to the client's situation becomes crucial for CPAs, regardless of how easy or transparent the technology itself is.
Longer term, data analytics are really a big deal. We need more understanding of how analytic software can assist us in not just auditing but in reviews and in compilations. There are so many places where the knowledge becomes important, but so few of our practitioners are really skilled with the tools that are out there—or even aware of them.
Are too many tasks going to become automated? Are too many CPAs going to want to be able to just push a button and get stuff done?
Richardson: Wanting to push a button and get stuff done is desirable. It doesn't mean that you obviate the responsibility for knowing how the stuff got done—at least at a level where you can be confident of the totality and integrity of the data you've been charged with.
Cieslak: We observe too many practitioners who seem to be OK with a very remedial level of knowledge regarding the body of data and the applications that they're working with. You need to understand what the risks are in those processes. Are the numbers we're looking at correct? What were the steps that got us to these numbers? What's the probability that these aren't correct? Technology is absolutely fundamental for all of us to do our day job, and if we're too satisfied with a remedial understanding, we put ourselves at greater risk.
At some point it's not unreasonable to think we'll be left behind as a result, because other professionals will step into that place. I think about Big Data, I think about some of these other areas where there is some pretty terrific potential, and, if CPAs aren't getting in, getting their arms around it, really, truly not only understanding it, but mastering it, then the customers will find another resource to help them.
I can hear AICPA members saying, "OK, exactly what do I need to know, and how do I learn about it?"
Collins: One of the biggest mistakes CPAs make is they own technology they don't fully know how to use. Most CPAs use less than 10% of the functionality of the applications they have implemented. The key to fully utilizing technology is to really learn how to use it. Companies and employees need to commit the hours to sit through the proper training classes—be they hands-on, live lectures, or study-on-your-own classes.
Cieslak: I might even go one step further and say get certifications. If you've got products that you are really looking to leverage within your practice, it almost requires the discipline of the certification process to say, "You know what? I am going to get certified in product X."
Collins: I agree with David so long as we use the words voluntary certification. I'm not sure our profession needs more requirements hanging over our heads.
Richardson: Let me add one other thing. Today's work environment is moving more and more to a collaborative one, and part of the CPA's responsibility is understanding how much of the entire work process is handled by him or her versus staff versus people at data centers around the country or the world. Part of it is understanding that as we move stuff to the cloud, work flows change, and they aren't the same as they were when QuickBooks was running on a PC in the office.
What should the CPA's software priorities be for the rest of 2015 and for the next two to three years?
Collins: The benefits of syncing your computer, laptop, tablet, and smartphone together using a solution like Windows 8 and an Office 365 subscription are significant. This type of solution allows users to access and work with all their data files and emails from any device and significantly improves productivity. Thanks to the cloud, we no longer need to face the frustrations of managing multiple versions of data files across multiple devices.
Cieslak: I think the cloud makes a lot of sense from a collaborative perspective—working efficiently and effectively together—and it allows us to better protect ourselves against some very threatening, looming security risks.
Richardson: I still come back to this issue of having the professional understand where he or she is in the world. And by that, I mean let's say we've gone with QuickBooks Online or Xero or whoever it might be for our client accounting, and now that's all running up in "the cloud."
"We also have three other applications—one of which I can't remember the name of, but it's the one that lets me do stuff with my client where I can take the tax return, and I can see it, and I get it back—I think they call it Dropbox, but I'm not sure—but I know it's there because I can just press that one button and it shows up."
Those kinds of things just can't continue. Getting to the cloud and understanding what's going on in the cloud are two different things. I think we'll get to the cloud out of sheer economic need at some point, and certainly as more and more practitioners see the security value—at least with many of the solutions.
The problem I have is the people that want to use "cloud technology" and then compromise the security of their client's data because they've thrown it somewhere that's a commercial or social media kind of share point. That's not somewhere we want to see certified financial data or tax returns going.
David Cieslak, CPA/CITP, CGMA, GSEC, principal and founder of Arxis Technology and a popular technology speaker known as Inspector Gadget.
J. Carlton Collins, CPA, the CEO of ASA Research and author of the JofA's monthly Technology Q&A column.
Rick Richardson, CPA/CITP, CGMA, founder and managing partner of Richardson Media & Technologies and a speaker on the future of technology.
About the author
Jeff Drew is a JofA senior editor. He oversees coverage of practice management and technology. To comment on this article or to suggest an idea for another article, contact him at email@example.com or 919-402-4056.
- "Beyond Spreadsheets: Technology Round Table, Part 1," April/May 2015, page 36
- 10 Steps to a Digital Practice in the Cloud: New Levels of CPA Firm Workflow Efficiency (#PTX1204P, paperback; #PTX1204E, ebook)
- Hosting in the Cloud (#BLI165030, one-year online access)
- Cyber Security for CPAs Workshop, May 13, Denver
- Practitioners Symposium and Tech+ Conference, June 7—10, Orlando, Fla.
- Digital CPA Conference, Dec. 7—9, Las Vegas
For more information or to make a purchase or register, go to cpa2biz.com or call the Institute at 888-777-7077.
Information Management and Technology Assurance (IMTA) Section and CITP credential
The Information Management and Technology Assurance (IMTA) division serves members of the IMTA Membership Section, CPAs who hold the Certified Information Technology Professional (CITP) credential, other AICPA members, and accounting professionals who want to maximize information technology to provide information management and/or technology assurance services to meet their clients' or organization's operational, compliance, and assurance needs. To learn about the IMTA division, visit aicpa.org/IMTA. Information about the CITP credential is available at aicpa.org/CITP.