Client Data Security: Best Practices to Protect Your Firm and Clients

According to a report from 2021, some 42 percent of business and professional services organizations suffered ransomware attacks over the past year. As the number of cyberattacks continues to rise, it is imperative that we prioritize protecting our data. Today, Blake meets with Byron Patrick, General Manager of Botkeeper, to talk client data security, and the best practices you should employ to keep your firm, and your data safe.

Blake: And human beings are the weakest link. We are our own worst enemy.

Byron: Hands down. Hands down.

Blake: Whether it's a business owner who doesn't want to follow precautions because it's inconvenient, or it’s staff, for the same reason, it's, we're lazy. Human beings are fundamentally lazy.

This episode of the Earmark Podcast is brought to you by Botkeeper. Botkeeper technology offers an affordable, scalable, accurate, and efficient solution with best-in-class support. Integrate, automate, sync, and transform your bookkeeping and pre-accounting tasks with Botkeeper today. Visit Botkeeper.com for more information.

Oh, and if you'd like to earn CPE credit for listening to this episode, visit earmarkcpe.com, download the app, take a short quiz, and get your CPE certificate. Continuing education has never been so easy. And now, onto the episode.

Hello everyone, and welcome to another episode of the Earmark Accounting Podcast, I'm your host Blake Oliver. And I'm joined today by Byron Patrick of Botkeeper. Byron, welcome to the show.

Byron: I appreciate you having me, Blake.

Blake: So, what do you do, Botkeeper Byron?

Byron: I'm effectively an organizational therapist. My official title is general manager, which basically means I support all the teams at Botkeeper, and I try to keep the train on the tracks.

[00:01:40] What does Botkeeper do for accounting firms?

Blake: You work primarily with accounting firms, I understand.

Byron: Yes.

Blake: What do you do for accounting firms?

Byron: So, we effectively power the CAS or bookkeeping operations of the accounting firms. So, we do our best to remove some of the challenges of the mundane transactional efforts that accompany CAS and bookkeeping processes and take that load off the hands of the accountants and let them focus on the good stuff that they like to focus on.

Blake: And you are a CPA?

Byron: I am, yep.

Blake: You're branded as a CPA. You have the famous CPA tattoo.

Byron: True.

[00:02:30] Byron's CPA tattoo

Blake: Which you're probably tired of talking about it, I imagine, but I just find it- it's such a great conversation starter. Did you think about it that way when you got it? What was the inspiration?

Byron: Yeah.

Blake: For our listeners, you can't see it. It's on your forearm, right?

Byron: It is.

Blake: So, it's easy. You can just pull up your sleeve-

Byron: It is. That’s it.

Blake: And it says CPA right there.

Byron: I definitely intended for it to be a conversation starter. The positioning was intentional. My desire was when we shake hands, you're going to look down and see my forearm, and say, let's say, “That's not your initials, so what else could that possibly mean?” And it definitely- it creates a lot of good conversation, and I'm proud of what I've accomplished, and what it stands for, so I'm happy to wear it.

Blake: And it means that you have to always maintain your license. You can't let it lapse, right? Or the AICPA might come after you and require you to have it removed.

Byron: That's very true. I am holding out, no matter what I do at this point in time. In fact, there may even be a few state laws that I can't walk in certain states, unless I get some level of reciprocity in those states, at this point.

[00:03:47] Cybersecurity and client data security

Blake: Well, Byron, we're here to talk today about cybersecurity and specifically, client data security.

Byron: Yeah.

Blake: I was always concerned about this in my practice. Didn't always do the best job with client data security, I'm going to just be totally honest. We tried our best, but it can be really, really difficult to keep data secure on our own systems, especially in the cloud. When we have all of these cloud apps that are all talking to each other, exchanging data, we've got files all over the place. We're working with contractors, we're working with employees; they could be all over the country, all over the world.

It's a totally different game than it used to be where it was, “Okay, let's maintain security of physical files and data on a server in our office.” You could put a wall around that office, you could lock the door, and the data was secure. As long as your physical locks were secure, as long as your network was secure, you were pretty good. Now, it's a totally different story.

Byron: Impression.

Blake: And I dunno, to me, it's actually one of the biggest challenges of going cloud.

Byron: Oh, I absolutely agree. And to further complicate it, I think this evolution of technology has also been about convenience, right? And convenience and security don't always align. In fact, oftentimes, many people see them as polar opposites. So, I think that introduces some additional challenge. I mean, back in the day, when the data was on a server in your closet, there was no expectation of sharing that with anybody outside the office, or even the idea of trying to make that data portable. Today, these are, if you can’t easily transfer information to somebody else, it's like, well, what use is it at that point?

Blake: Yeah, I think what you just said about convenience being at opposite ends with security is really spot on. A lot of times, that's the case. And the classic example is client or bank, often even, wants us to email something to them without any security. “Email is the easiest thing, let's just email it to each other.” And we all know by now- hopefully, everybody knows already, without even attending this or listening to this course, this episode- that email is not secure. Fundamentally, an insecure or unsecure protocol. Insecure would be if it had self-image issues, right? Unsecure is-

Byron: That's right.

Blake: -is if it's not a secure protocol, from a technology standpoint. And I think I-

Byron: I’ve never thought of that distinction, but I think you're right.

Blake: A person could be insecure, but a protocol can be unsecure. I hope I have that right. I'll have to-

Byron: You know what? I'll trust you.

Blake: Check me on that one; I'll look it up later. So, well, let's talk a bit before we get into the nitty-gritty of all this. What's the- why should we care? Byron, tell me, why should I care, as a firm owner, about cybersecurity?

[00:07:09] Byron's background in cybersecurity

Byron: And maybe if it's worth 15 seconds, just to give some background of my experience, even just with data security and accounting firms.

Blake: Oh, yeah.

Byron: ‘Cause I think it's a little bit relevant. For almost a decade, I ran an IT company that was basically, an outsourced IT department for accounting firms. So, you think of some of the hosting providers today, I was doing that before it was called hosting. I worked with accounting firms for many years, helping to advise them on security, ensure they were secure. In fact, it was my job to make sure they were secure. So, this topic itself has been extremely relevant to my day-to-day for more than a decade, at this point.

[00:07:57] Why security matters

Byron: And the why it matters, frankly, has been probably the one thing that hasn't changed over the course of this time, is as accountants specifically, we need to be good stewards of this incredibly sensitive data that we maintain. And not only are there potential penalties or fines that we could be subject to for not being good stewards. Frankly, I've seen businesses go out of business due to lack of due diligence and being careful of the security, and just thinking about the ripple effect if you do have a breach, who that impacts, the employees of your business clients are impacted. It's a lot of weight to maintain that I don't think everybody takes as seriously as they should.

[00:08:57] Kronos cyber attack

Blake: Yeah. And so many businesses now under threat of cyberattack. Ransomware, in particular, is the big one. We see it in the news with big companies. The latest is Kronos, Ultimate Kronos Group.

Their private cloud hosting environment got hit by a ransomware attack and took down lots of really big businesses: governments, hospitals, all their time tracking, their time data, they can't get access to it. And that's been almost as we record this, almost what was last month. It's been weeks and weeks. And not being able-

Byron: I have friends who have had payroll issues through the holidays, specifically because of the Kronos ransomware attack. It's nuts.

[00:09:47] Ransomware attacks & frequency

Blake: 42 percent of business and professional services organizations suffered a ransomware attack in the past year. 42 percent; that's nuts to think about that many, some sort of ransomware attack. And specifically, for CPA firms, between 2014 and 2020, reported data breaches- so, not just ransomware, but all sorts of data breaches- increased by over 80 percent. And really, a lot of it's being fueled by Bitcoin cryptocurrency, the ability for the hackers to somewhat anonymously get their ransom money. It used to be, you had to send a briefcase full of money, right? That wasn't exactly the easiest way.

Byron: Cash.

Blake: Cash. Cash is actually difficult. With ransomware, that you can make the payment to a wallet. And so, that's fueling all of this; billions and billions of dollars.

Byron: It's an entire enterprise.

Blake: And the cost to us is dramatic.

Byron: Yep.

Blake: A 2015 study put the average cost of a breach at over $200 per record. So, if you're a typical firm, and you've got a few hundred, maybe a few thousand clients, that could be a lot of money. If it's 1000 clients, times $200, $200,000 right there, just a single breach. That could be your profit for the year, potentially.

[00:11:06] How do firms protect themselves?

Blake: So, it's expensive, it's happening a lot, how do we protect ourselves? Especially when most of the time, we don't have an IT department. Most firms, we're lucky if we have an outsourced resource. Most of the time, we're just doing it ourselves. We've got a few staff, a few partners; we're doing our best. I don't know, where do we even begin, Byron?

Byron: And frankly, even before you get into solutions, I feel education is number one. And we just, frankly, had the first part of the conversation; why should you care? I know of a firm- actually, it's not a firm, it's a business. Just in the last month that had a breach, and the reason for the breach is because the owner is using AOL email for their business email, refuses to change, and will not acknowledge the risk that she is introducing to her business.

Blake: So, she's using AOL email, red flag right there.

Byron: How do you help this person?

Blake: We're going on 30 years now with AOL. That's pretty impressive.

[00:12:27] Don't use easy-to-breach email address, e.g. AOL

Blake: So, AOL email, and I assume just emailing tax documents, returns, financial information back and forth with clients.

Byron: Yeah. So, actually it's not an accounting firm.

Blake: Oh, a business?

Byron: What happened is, the AOL email address- which is very low hanging fruit to breach- they basically sent an email to all of that company’s vendors, that said, “Here's updated payment instructions. Send all of your payments to this ACH and routing number, going forward.” So, now, all of her vendors have received an email directly from her. They're used to seeing her AOL email address. They are now paying their bills to this new bank wire instruction account, which doesn't happen to be an account owned by that company.

And it went unnoticed for a few weeks. Only got discovered because they had a large customer who paid them, and then they followed up, and they were like, “We haven't received any of your payments.” And they were like, “Well, yeah, we did it based on the instructions you emailed us.” And they said, “We didn't email you instructions.”

And then- but the worst part is the follow-up conversation is like, “You need to use your corporate email, which has multifactor authentication enforced.” “Well, that's too inconvenient for me, so I'm not going to do it.” So, it starts right there in, why should you care to change your behaviors? If you can't get past that conversation, the rest of the conversation is going to have a chance.

[00:14:06] Humans are the weakest link in security

Blake: And human beings are the weakest link. We are our own worst enemy.

Byron: Hands down. Hands down.

Blake: Whether it's a business owner who doesn't want to follow precautions because it's inconvenient, or it’s staff for the same reason, it's, we're lazy. Human beings are fundamentally lazy. I think-

Byron: Lazy and curious, right?

Blake: Yeah.

Byron: So, we click links because they look like- I mean, we just talked about before we jumped on, you get the text message that you won the lottery, “Oh, did I?” You click that link.

[00:14:41] Byron "won the lottery" - stop clicking unknown links

Blake: Oh, yeah. So, for our listeners, just before we started recording, Byron posted on Twitter that he had won the lottery, and it was one of those, “This is this common scam now, a fake text message saying you've won the lottery. Click here.” And did you click it, Byron, just to see?

Byron: Of course not. So, that's part two of the conversation, teach people to stop clicking links.

Blake: But that's what links are for. That's what we've been trained to do, right? Clickbait, we want to click, we want to find out more.

Byron: Well, and you mentioned earlier that even the banks, as far as email security, I believe also the banks have conditioned us poorly to click links. So, they, for years, have sent us emails saying, “Your account profile needs to be updated. Click this link.” And then you sign in, or do this, click this link, click this link. And then now, they're starting to send an email saying, “We'll never ask you to click a link.” Well, you've spent 10 years teaching us to click links. We need to stop clicking links, that's for sure.

Blake: And there is a strategy that we're going to talk about later, to help teach our staff, to reeducate our team not to click those links.

Byron: That's right.

Blake: So, stay tuned to hear about that. I wanted to just highlight a few more stories. And Byron, please, feel free to share some more stories if you have them- horror stories.

Byron: Yeah, let's do it.

[00:16:07] Real story examples - Dentist & Deloitte & others

Blake: So, there's this great story that I saw this past year- maybe it was the year before- about a dentist in Maitland, Florida, who was apparently shopping for wine, after hours, on his computer in the office, and clicked a malicious link, and it gave the hackers on the other end access into his computer. Now, instead of encrypting his entire computer, they knew what to look for. They went and looked for the QuickBooks file, and just encrypted that, and demanded $10,000 to give it back.

So, he had the choice of, “Do I reconstruct five months of records?” because that was the last time he had made a backup, or “Do I pay them the $10,000 in Bitcoin that they want?” Classic example of a small company. The ones we hear about in the news are big, often, because it causes a disaster, and it becomes public. That's one of the few stories that does become public with a small business, because most businesses don't want to advertise that this happened to them.

Byron: That’s right.

Blake: Right?

Byron: Yeah.

Blake: But it's happening all the time.

[00:17:16] Back up your computer!

Byron: All the time. And the thing that just pains me about that story- and you nailed it- the lack of backup. Because if you're not doing a daily backup- if you are doing a daily backup, my man could run a check on his computer, wipe out the ransomware, restore the backup from yesterday, and maybe lose an hour worth of work that he'd put into it. But the lack of backups is just infuriating, at this point in the world.

Blake: In the case of the Kronos hack, part of the reason they're having such a hard time getting back in action is that the hackers disabled access to their backups. So, the backups are there, they just can't access them. And they have to manually restore each customer. It was all hooked up to be restored easily, and now, it's one at a time, and that's why it's taking weeks and weeks. So, the strategies that hackers are using are adapting.

So, even if you're backing up, it can still be a problem, if they have a way to get to your backups. Keeping backups in a separate offline place that's not connected to your main system, that's another strategy we'll talk about. There's one more I wanted to highlight, which is a well-known accounting firm called Deloitte. You may have heard of it, Byron.

Byron: Just a little one.

Blake: You may remember, dear listener, that back in 2017, Deloitte was the victim of an email hack. Their server, one of their email servers was hacked into, containing correspondence regarding many public companies. Now, it went on for months; they didn't detect it for months. They finally detected it, shut it down, but nobody really knows exactly what the hackers got, and what they did with it. So much is unknown.

Accenture got hit by a ransomware attack in 2021. An accounting firm called BST, in New York, got hit by malware in 2019. So, we're hearing enough about these to make it seem real; this is not fake news, this is happening, is what I'm trying to say.

Byron: 100 percent. And I know at least a dozen CPA firms, personally, that have faced some level of ransomware or data breach.

[00:19:36] How many firms/businesses pay the ransom?

Blake: Let me ask you, how many of them pay the ransom?

Byron: So, the good news is, I don't know anybody that's paid the ransom. They’ve all been able to recover in some way, shape, or form, but for them, it's the inconvenience, it's the disruption to their business, it's the timing. I can tell you; I know two of them specifically that it happened in the busiest time of year for them, which at that point, every minute counts.

[00:20:07] Best practices for protecting firms, clients, and data

Blake: So, let's get into some best practices, now that we've scared ourselves. We’ve got ourselves amped up for this; we're ready. We know that we need to do something. How do we reduce our risk? Let's talk about some best practices for protecting our firm, and therefore, protecting our clients and their data.

[00:20:24] Training

Blake: So, you mentioned training, Byron.

Byron: Yep.

Blake: I think that was your number one thing that you mentioned, right off the bat. What kind of training do you recommend that firms do? What kind of training do you do at Botkeeper? There’s a lot we could do there. Where do we start?

Byron: So, we do a required annual training. It's using a third-party vendor that ensures we go through it. It includes not only quizzes, but it includes demos where you will see, for example, emails, and try to identify the red flags in the email. So, it's interactive training, it’s required annual training to keep it top of mind. I mean, that's bare minimum. We then have regular security tips that are going out via Slack to remind everybody how to stay aware of various things as it relates to their security.

[00:21:18] White hat hackers

Blake: And one of the best ways to train people throughout the year is hiring a company. There are these companies now that will phish your company.

Byron: It's true.

Blake: They’re white hat hackers, as we call them. White hat meaning they're the good guys, as opposed to the black hat hackers. You hire these white hat hackers; they will create phishing emails to target your employees. And then if an employee clicks on a link or falls for the attack, they can get automatically enrolled in mandatory security training-

Byron: That’s right.

Blake: As a remedial punishment, if you will. I love this strategy.

Byron: Oh, it's fun. It's fun as well because we also have a Slack channel where people will post, “Hey, this email doesn't look safe.” And so, it becomes this public process, which also reinforces the education. And it's always entertaining ‘cause every six weeks or so, we'll get the message where clearly, the training is not sinking in, because they say, “I clicked this link, and it told me I'm now enrolled in training. Is this email not safe?”

Blake: So, clearly, they didn't get the memo.

Byron: That’s right.

Blake: So, there's a lot of these services out there. Some of the top ones, Barracuda, BoxPhish, Phished, Cofense, Hoxhunt. If you do a search on a phishing simulation, phishing with P H I S H, phishing simulation, you’ll find a ton of these; we'll have a link in the show notes as well. I think this is probably the number one thing to implement. I would do this immediately.

Byron: Absolutely. And it's cheap.

Blake: Cost, versus the reduction in your risk, very much worth it. Easy to do. What else?

Byron: Well, so, there's the training, and then I think a lot of it- and this goes to what you were talking about earlier, as far as how the data now exists in so many places. And not only does it exist in so many places, but it's accessible from many devices. So, putting in place not only policies, but device management to ensure that the devices that are accessing your corporate data are, in fact, secure.

[00:23:35] Having good device management - work / home separation

Blake: So, basically, making sure that I'm not accessing Botkeeper data- let's say I'm a Botkeeper employee, right, I'm not accessing my email on a personal phone. So, that's a big problem in a lot of firms, is BYOD, Bring Your Own Device. Employees are bringing a tablet to work, they're connecting it to the email, they're connecting it to systems, they're logging in. Maybe they've got a personal computer at home that the kids play games on that's being used for work at home. We can't be having that, right?

Byron: Yeah. And there's so many risks associated with that, not just the data- you lose track of where the data is being distributed. And like you said, a lot of times, home devices, you're subject to kids, kids’ friends, yada, yada, yada. And I mean, there are ways where you can actually- with the proper tools- enforce, like, “This is my personal phone, but there's a work profile on it which is managed by Botkeeper. So, I can only access corporate data within that profile that Botkeeper can purge if necessary and enforce policies to ensure that it's safe.” You just need the tools and the policies around it to enforce them.

Blake: But best thing you can do, just simply put, is all work info's on work computers, work devices. You want to get more fancy, do that mobile device management that you've got, but for most people, it’s just- it's that dentist in Florida, don't use your computer at work that has the QuickBooks file for shopping online.

Byron: That’s right, yes.

Blake: So, I mentioned mobile device management. That's a big one. MDM is the acronym, and that is technology that helps us to manage and secure employee devices. And that's what we have to have if we're going to enforce any of these policies. So, the only way to get onto the corporate network is to have the MDM software installed, the computer hard drives are encrypted, MDM software can enforce that.

If a laptop is stolen, you can use the MDM remotely to erase it, and you can also remotely lock that computer, if you need to as well. Basically, manage it when you're not in the same office. Because it goes without saying, but we're not all working on desktop PCs in the office anymore. So, they travel around.

[00:26:02] Antivirus software - history and evolution vs EDR

Byron: That's it, yep. Absolutely. For years, it was all about preaching antivirus software. And Lord, I hope that we're beyond just purely the conversation of antivirus software, but the premise of antivirus software has evolved significantly. And there are more tools, more technology, that has gone beyond the traditional AV.

So, endpoint detection and response type of software is- again, it's a minor expense that will do some proactive management, to look for patterns, look for behaviors on computers that look malicious or mal-intended, and help protect- not just identify, but actually take action to prevent issues from occurring.

Blake: Absolutely. EDR is really exciting. When I learned about this, I was amazed. So, we should probably talk about the difference. What is the difference exactly between antivirus and endpoint detection and response software? And I think the best way I can describe it is that antivirus is- it's like your body's immune system.

It has to have seen a virus before in order to defeat it. So, sometimes, it fails, and you get sick often. That's the problem with antivirus. If something new comes along, it doesn't know what it is, you have to wait for the antivirus company to create a profile for that virus and send it to your computer. So, it's not always effective.

EDR is different. Endpoint detection response looks at the behavior of all the programs running on your computer, and it says, “If a program starts to do something that looks suspicious, we're going to pause it. We're going to shut it down until one of our IT professionals can look at it and make sure it's okay.” So, an example would be sending data to a server in China when you have no employees in China. Why would that happen? That could be malicious activity, for instance. So, that's a really neat software. And really, if you have EDR, you don't really need AV anymore.

Byron: Yeah, it really- it's an upgrade to the AV. And what a perfect analogy, given the state of the world that we're in. I mean, you nailed it.

Blake: I can't help it; that's all I can think about, is virality and viruses, yes.

Byron: That's great. And building on that, I think is also the network monitoring as a whole. Just the logging of data and access to data. And a lot of this, we talked about smaller organizations don't necessarily have the ability to bring in a logging solution to do all of these things. But as you are talking with third-party vendors, which we are often doing, this should be an important element of that conversation.

Are there access controls that are logging every individual user access, IP addresses, timestamps, and these types of things? Because inevitably, if something does occur- you talked about the Deloitte situation, now who knows what really existed? But if something does occur, we should be able to look at those logs and identify what was potentially touched.

[00:29:41] VPNs

Blake: And VPNs have been around for a long time; Virtual Private Networks. I think many, many of us are now familiar with VPNs, especially if we have any corporate America background at all, because big companies have invested heavily in VPNs. I have a VPN on my computer that I use, an app that I use whenever I'm out and about, I'm at a coffee shop, I'm using a Wi-Fi network that I am not familiar with, I always turn on the VPN. And what that does is, it creates an encrypted tunnel through the Wi-Fi, through the router at that location, to a server.

And then from that server which I trust, that's how I access the internet. So, secure tunnel as a way to think about it, Virtual Private Network is the term. That's an easy one because they're so affordable now. And you know why? It's really interesting, Byron. The reason that VPNs have become consumerized is because of streaming.

It's all these people around the world who are geo-locked, meaning they can't access content here in the U.S., outside of it for license reasons and whatnot. And so, they’ll buy a VPN service for $10 a month, and then they can log in- they can tunnel into a server here in the U.S. or in another country and access their Netflix or what have you, YouTube, what have you.

Byron: That's right. It has a lot of applications, that's for sure. But to your point, it's funny ‘cause people, oftentimes, it's hard to understand what that secure tunnel really is. And I tell people, it's similar to today's postage service. When you mail something, it's like that letter or that package is intact, end-to-end, and anybody could just grab it and open it up.

But in deploying a VPN, you're effectively taking that package, blowing it into a million pieces, sending it all separately in different paths, different ways. And then when it gets to the destination, somebody is able to assemble it. But in between, it's just meaningless.

Blake: Nobody can see what's in there, yep.

Byron: Nope, that's it.

[00:31:56] Thank you to our sponsor, Botkeeper

Blake: We're going to take a quick break. In the meantime, here's a message from our sponsor, Botkeeper. Thank you to Botkeeper for making this episode of the Earmark Podcast possible.

Deneen (Botkeeper): What is Botkeeper? We are a human-assisted AI platform that automates the bookkeeping. And we are purpose-built for you, for firms. We've been doing this for five years, so our machines have learned a lot through the years on how to map transactions. If our machines are not 100 percent confident on how to code a transaction, they'll [INAUDIBLE] it up to our humans who can code it, and throw it back to our bots, and they can learn.

So, because we code in nanoseconds, we alleviate all of that manual headache that firms really struggle with. So, the problem that we solve, the number one problem that we solve for firms is capacity. And that will elevate the firm’s game, where you're able to do less of the manual compliance work, and more of the advisory work that the small businesses are so hungry for.

So, we really want to get to know you better. We really look forward to understanding your goals for yourselves, and how we can support you and help. If you'd like to reach out and learn more, please email me. My email is Deneen@Botkeeper.com.

Blake: So, let's talk about now, the most annoying thing that most people face when it comes to security, but also, it's the most effective. And it probably would have prevented this Deloitte hack with their email, and that is two-factor authentication. Not one, two-factor authentication. So, what do you guys use? What is your two-factor app?

Byron: So, we use Okta for multifactor, which is- I mean, it's great. I, personally- and I realize that I come from a position where everything and anything I use is multifactor, and I find Okta to be incredibly convenient.

Blake: And Okta is actually beyond just the two-factor. It does the single sign-on as well, which we can talk about these together, I think, because they're becoming more and more tied together. I use an app called LastPass authenticator.

Byron: Oh, yeah. I use that personally.

Blake: I use a password manager called LastPass. We'll talk about password managers. The way it works is, when I log into a banking website, for instance- Relay, I log into Relay, and then I have to put in my password, I also have to put in a multifactor code. It's a six-digit code, and I pull it up on my phone and there's a six-digit code, and it changes every 30 seconds or so. A hacker, even if they got my password, would need to know that six-digit code which is changing every 30 seconds. So, the only way they could get in, even if they had my password, is if they also have my phone.

Byron: That’s right.

Blake: Which makes it infinitely more secure than if I'm just using a password.

Byron: And it's convenient. I mean, I find it to be super easy.

Blake: It's annoying though, right? We got to admit it. It's kind of annoying because you get a bunch of these, and then every time you go to log into a site, you gotta pull out your phone, you gotta put in the six-digit code. It can be a pain.

[00:35:33] Okta experience - how it works

Blake: But that's where the single sign-on apps help a lot. So, you guys use Okta. So, tell us how- your experiences when you use Okta.

Byron: So, what Okta does is basically, that becomes the primary place where we authenticate. So, you put in your username, you put in your password, you put in the code, just as Blake described when logging into Relay. But then Okta owns the authentication to additional apps. So, if I want to log into our Google workspace, Okta provisions that. I have a dashboard that I just click on it, and I don't have to log in there because Okta manages that login.

Blake: It just automatically logs you into any apps connected to Okta.

Byron: That's right. So, I only have one login when it comes to our corporate environment. And which I guess, that's probably where the convenience side of it is introduced, because I'm not faced with, “Okay, now I have to log into HubSpot. Now I have to log into Google. Now I have to log into whatever additional apps we're using.” I log in once, and then I have access to the full suite.

Blake: Now, you may not be using Okta, but if you've ever seen one of those buttons on a login screen that's log in with Microsoft, log in with Google, now there's log in with Apple, those are all single sign-ons. So, it's your primary login, which is Google, Microsoft or Apple that is controlling or linked to all of these other services. And so, it should make it a lot easier.

As long as your Google account, for instance, is secure, then everything else is secure. Of course, we are now creating a single point of failure, where if somebody hacks into your single sign-on account, you could be really screwed. But that just means we got to have extra security around that.

Byron: Lots of complicated passwords, use two-factor there; let's take precautions to secure those things. But the other advantage that a lot of times is not discussed with a solution like Okta is also, if and when employees leave, now rather than having to touch 14 different applications to terminate their access, you go into Okta, you disable that user, and it happens across all of those applications that they've been given access to.

Blake: The user is logged out of all of those systems, nobody can get in anymore, trying to use those credentials. That is- in my opinion- the killer app of single sign-on. It's the reason to use it, because accounting has 10, 20 percent turnover, maybe more these days, given the Great Resignation. So, it's really important to restrict access, to remove access. But I haven't met a single firm owner who has ever said, “We've got that locked down. That we always remove access from every system when somebody leaves.” Unless they are using a single sign-on system, which makes it easy.

[00:38:41] Removing former employees’ access

Byron: And back in the day, when I was managing these systems, we had a checklist for every firm. And you had to have somebody sit down- which by the way, introduces human error because we're not perfect- and make sure that these things were all disabled, which also means it takes time. So, there's a gap, so somebody is upset, they walk out of the office, they grab their phone, they log into HubSpot and delete 400 records.

Blake: Which actually happened-

Byron: That's right. Payroll company.

Blake: This happened this past year, 1800Accountant.

Byron: That's what it was, yes.

Blake: They had a disgruntled HR employee who was walked out of the office by security- which is what you're supposed to do, by the book- walked out of the office, didn't have the opportunity to log into her computer. She went home, they hadn't deactivated her login, all of her logins. She was able to get into the HR system at work and deleted 16,000 resumes from 1800Accountant’s database.

Byron: There you go.

Blake: Massive problem for them that they could have solved by not just walking around the office, but also deactivating her single sign-on as she left.

Byron: That’s right. Yup.

[00:39:56] Password manager

Blake: So, you can't always have single sign-on, unfortunately. Not every app connects to a single sign-on system or the one you're using. So, we also have to have what's called a password manager. And I know I keep saying, “This is the number one thing you should be doing in your firm to protect yourself.” Maybe this is number two, or maybe we're going to switch places, but this is definitely at the top of the list, is having a password manager.

I got to tell you a story, Byron. So, when I first started working as a bookkeeper in this profession, I worked for a CPA- a small CPA. Came into his office, and we were collaborating on a client. He had to pull up a social security number for something related to payroll. He goes into his Outlook, he opens up his contacts, and he pulls up the social security number in the notes field in the contact. And I learned that day, that this is how he kept all of the personal information for all of his clients: all the bank account numbers, all of the social security numbers were in that digital Rolodex in Outlook.

Byron: Wow.

Blake: And what's wrong with that? What’s wrong with that, Byron? I'm going to throw you a softball here.

Byron: Oh man. I mean, give me access to that mailbox, and it's just Pandora's box.

Blake: Right. It's not encrypted. That's the number one thing. And it was the time when Outlook was hosted on his server, in his office, right, unencrypted. All employees had access-

Byron: Oh, yeah. He had a PST file sitting on his desktop, probably on his home computer.

Blake: So, he could have- you could very easily solve this problem by adding a password manager. Two of the most popular ones are LastPass, my favorite, and 1Password. 1Password comes from the Mac world, now works on both platforms. LastPass comes from the Windows world, now works on both platforms. Coke, Pepsi, take your pick. Whichever one you use-

Byron: Just use it.

Blake: -use it. Put all your passwords in there. They're all encrypted by a master password, and single sign-on, ideally, or a multifactor, I should say. And then you can also set up your team, and delegate access to passwords for them. So that when there's an app that doesn't have single sign-on, such as a client's bank login that you have, you can remove, add employees as necessary to that, and manage it all in that system.

Byron: Yeah. You just have to. I am consistently fascinated by the resistance to use some level of password manager. At this point in my life, I don't know a single password that I have. They’re all 13-digit, just gobbledygook passwords.

Blake: Auto-generated.

Byron: Auto-generated. And like you said, the convenience of these apps is, it works in your browser, it works on your phone, that it simplifies your life while creating such an improved level of security to your systems. I just can't imagine anybody at this point in the world, not taking advantage of a password manager.

Blake: So, those are the low-hanging fruit: password manager, single sign-on, VPN, endpoint detection response. You can buy that. These are things that you can manage yourself pretty easy. Something that's next level- let's go up a level here, to the point where we'd probably need to have somebody responsible for IT helping us do this. I wouldn't be able to do this myself.

[00:43:43] Setting up virtual terminals- what are they, why, and how to set up

Blake: And that is setting up virtual terminals for contractors, for employees- particularly, offshore employees, this is a common thing.

Byron: Yup.

Blake: And I know you guys do this at Botkeeper. Can you tell me what is a virtual terminal and walk me through why I would use- what is it, why I would use it?

Byron: Yeah. So, virtual terminals are really, the evolution of remote access systems. So, think of a Windows operating system that is accessible via browser, but it lives on a server that is in a secure data center, that has all of the security that we're talking about around it, and that is the only device- that device is locked down, and it's the only way that the contractor can then access your corporate data.

So, there's no- you may be accessing that virtual terminal from a personal device, however, it's just like your television, at that point. The only thing that is happening between that personal device and the remote virtual device is just pixels that are being sent back and forth, and keystrokes and mouse clicks. But the data itself is not leaving that secure terminal in that virtual space. And to your point, I mean, you definitely need to have some IT knowledge, but if the AWS, Microsoft-

Blake: Amazon Web Services.

Byron: Amazon, I mean, you can go there and purchase a virtual Windows computer. A few clicks, have it. Now, it would require some know-how of how to lock that down for your corporate access, but it's become fairly accessible.

Blake: Yeah, this is interesting, and something really worth looking at when we have employees all over the place; we don't have them in a physical office. I worry. I would worry about employees downloading files to their desktop, and then the desktop getting stolen or somebody plugging a USB device in. I guess I have two options here, right? I can either lock down that machine- make that a work-provisioned machine, and lock it down with software, or I could let them use whatever device, and have them access a virtual terminal through that.

Byron: That's right.

Blake: I guess either way, I'm locking it down in one way or another. And I guess the best thing would be if I provided them the computer that I managed, and they had to log in through a virtual terminal. Then you've got layers of-

Byron: Multi-layers, sure.

Blake: I don’t know if we need to go that far as accountants, but certainly, an option.

Byron: Certainly, an option. But to your point, I think these types of setups are just really great, especially if they are temporary employees, temporary staff. Even if you have people who are coming into your office, if you hire seasonal work for things like that, this is not only a really secure way to do it, but frankly, it's less maintenance because you can have that virtual terminal ready, provisioned, everything's set up, secure and ready to go. Turn it on, turn it off, and not have to worry about provisioning that physical hardware every time.

Blake: Yeah, that's nice. Is it slower than if I had a desktop computer, or if I accessed it on my local computer?

Byron: Yeah, a lot of it comes down to bandwidth. I think back in the day when I was in the hosting business, which was effectively doing this same thing, we were still using a lot of desktop software. So, you would see some performance degradation from when you used to have the server around the corner from you, and you were just accessing it right there, because now, it needs to travel through the internet. But we've found it to be incredibly effective, very few performance issues with our teams that are part of our global team. So, it's really good.

Blake: And you brought up a good point, which is the cloud hosting, which many of us have used for QuickBooks or for tax software, works very much the same way, if not exactly the same way as the virtual terminal. You’re logging into that PC in the cloud that has that desktop software installed.

Byron: Yup. Yeah.

Blake: So, we're already doing it, this would just be doing it for the whole setup, not just for that one app.

Byron: That's correct, exactly. And to your point, the big advantage is the ability to lock down that environment. So, you can't save files out of it, you can't run a clipboard- the data is hardened to that operating system that is in that remote system.

[00:48:38] Backup plan in case things fail

Blake: So, it's always good to have a backup plan in case these things fail. So, that's important. We have to make backups- I think you already mentioned that. We don't have to go into detail about exactly what kind of backups, but I think-well, daily, definitely, right? You don't want to lose more than a day of work. Do them at night so it's not going to disturb anyone.

[00:49:00] Cyber liability insurance

Blake: What about cyber liability insurance? That's become a hot thing for CPA firms. It's gotten expensive. Do you guys purchase it? Do you have to get that?

Byron: Oh, yeah.

Blake: Do your clients get that?

Byron: Absolutely. So, we have cyber liability insurance, absolutely. A lot of the vendors that all of us work with, they have some level of cyber liability insurance, and then accounting firms need it. So, it's interesting because if you dig into these policies- and I by no means am an expert there, but I have learned a lot about them- is they only have so many layers of protection, of things that they insure. So, if a breach happens at a service provider, that does not necessarily provide any coverage or restitution to your clients, or your employees of your clients.

So really, at every level in the pipeline, you need to have coverage to ensure that even down to the employees of your firm, or the employees of your clients, have some sort of coverage for whatever type of damages that happen. But it's again, like any level of insurance, at this point. In my humble opinion, it should be a required policy that any business has it, at this point in time.

Blake: Well, especially when you consider the cost of these breaches, as we discussed at the beginning of this. If for a small firm, we're talking six figures, for a large firm, we're talking millions or more. So, I don't know how much- how much does cyber liability insurance cost? Do you have any idea? It’s gotta be worth it.

Byron: It's definitely worth it. I mean, a couple thousand dollars, depending on the size of firm. To your point, it has gone up in cost in the last couple of years, but it is low enough that you probably spend that much on coffee in a year.

Blake: I just used my number one skill, which is Googling, to figure this out. And in my state, Arizona, Google says the average cost of cyber insurance is about $1500 a year, so.

Byron: There you go. That should not be a difficult decision at this point.

Blake: Spend a thousand to save a hundred thousand. Maybe that's the way to think about it. So, anything else here that you want to share with our listeners as a way to reduce their risk further at this time?

Byron: Yeah. I mean we've covered a lot, that's for sure. We've covered a lot. I think the biggest point I would just reinforce is, even if you're not doing full-on training, but driving the awareness, having the conversations, bringing it up, repeating yourself, repeating yourself, repeating yourself, and setting policies.

[00:52:08] Whaling scams

Byron: I mean, one of the things that we didn't talk about frankly, that I'm seeing frequently is the whaling scams. So, I get either a fake email or a fake text message from Enrico, our CEO, on a monthly basis, saying, “Hey Byron, I'm getting ready to jump on a plane. I need you to run out and buy 10 500-dollar Amazon gift cards, scratch off the back, and send me the codes as quickly as possible, for a meeting I'm about to have.” That's one stupid example, but there's other examples of scammers figuring out who can wire money, and requesting wire transfers.

Blake: Oh, yeah.

Byron: And you need to set a policy that says, you will never take action via text message or email in that way, shape, or form, without voice confirmation. Now, we could talk about whether or not we can fake voices, at this point, but-

Blake: Well, that's a problem. That's a problem now.

Byron: Right? It is a problem.

Blake: So, let's talk about that at the end, because that is a breaking thing that's changed recently.

Byron: That’s right.

Blake: And my advice used to be, use a voice confirmation, but that's changing. But let's dig in more to this because you bring up a great point, which is, these scams where a hacker will impersonate a CEO or a CFO giving an order to a subordinate, saying, “Transfer this money here, do this,” it seems very official. It looks like it's coming from them, because the email has been spoofed, but it's not from them. Or maybe they've stolen their phone number, it's not from them.

And the way that we can defeat this scam is simply, to not use insecure forms of communication for approvals, period. Have a secure channel for approvals, whether that's calling them on a number that you know, a different number, and getting their voice approval, or using a system. And there's all sorts of AP systems. Accounts payable systems now, they handle that sort of thing.

You could do approvals in bill.com. You could do them in a variety of systems, and you could even do it in Slack. Slack is going to be way more secure if it's secured by single sign-on, and do the approvals in Slack, or Microsoft Teams, or something like that.

[00:54:33] Barbara Corcoran scam story

Blake: And there's a great story that just highlights the risk of this, which is Barbara Corcoran. You ever watched Shark Tank, Byron?

Byron: Oh yeah. I know the story, yup.

Blake: It's great. So, in 2020, Barbara Corcoran was the victim of one of these spoofing scams- or you called it a whale scam because they're going after a big transfer. And somebody pretended to be her, and emailed her bookkeeper an invoice, and instructions to wire $400,000 for the purchase of a property in Europe. So, the bookkeeper, thinking it's from Barbara, goes ahead and sends a wire to a bank account in Europe.

And there's a lot wrong with that, other than the email thing. Again, why did the bookkeeper have the authority to wire funds? Why was there no built-in approval process in there? That's a problem in and of itself. But that’s- the bookkeeper didn't have a way to confirm with Barbara, Shark Tank lady, to send this money. Luckily, the bank was able to stop it before it got all the way to China, which is where it was headed, because it was going through a layer of banks, but didn't make it. But if Barbara Corcoran hadn't been a celebrity, would this have been stopped? And the answer is probably no, in my opinion.

Byron: Well, yeah. And I can tell you- I don't know if you're familiar with Verne Harnish, author of Scaling Up.

Blake: No.

Byron: CEO of Gazelles. He lost I think about a quarter million dollars on a very similar scam, where they were not able to stop it from happening.

Blake: Wow.

Byron: These happen. And again, it doesn't require anything fancy, other than having an agreed upon policy in place as to how we are going to approve these types of things.

Blake: Yep. And there's a ton of choices now. You've got maybe built into your accounting system, maybe you've got a separate system. I mentioned bill.com, you've got Procurify, you've got AvidXchange, you've got Melio. You got- I don’t know if there's any that you guys use that you want to recommend, but that is one thing where we do not lack: options.

Byron: No.

Blake: And of course, you get all the benefits of not having a paper-based, or a manual payables approval process as well.

Byron: Yup.

[00:56:57] Educate yourself and your workplace

Byron: No question about it. So, I think that's the big thing there- just keep educating yourself. I think this conversation is a great conversation. And I think I would say if you're a firm owner and listening to this, share it with your staff, have them listen to it. There's a white paper that we can certainly share out that you authored for us here at Botkeeper to help firms understand many of these topics and more. And you have to- it has to be intentional. You have to be intentional about this. You can't just assume everybody knows because I can promise you that they don’t.

Blake: This is a great white paper that we worked on together. It was the basis for the topics in this episode today, and I encourage our listeners to head to the show notes and download this white paper. Take a look; it's got everything you need to know, all of these best practices we talked about. You could share it with your partners at your firm, or your business, and just take one of these steps.

If you aren't doing any of this stuff, just do one thing to get started, and that'll set you on the right path. And Byron, we should say that if folks are looking for help with bookkeeping, all the services that you provide, the outsourced accounting type services, they can take comfort knowing that you have already considered all of these security best practices.

Byron: Absolutely. I mean, this is super top of mind for us. I know as you were researching it, you talked to our head of security and learned about all the things that we're doing. So, it's a good conversation to have frequently. We're talking to firms who are saying, “What are you doing about security?” And I think it's a great question. So, I hope you know.

Blake: Oh, yeah. I had so much fun doing this white paper, because I got to interview Tommy Law of Botkeeper, your head of security.

Byron: The man was born and named to be head of security.

Blake: His last name is Law. He keeps it in order. This is a man of the law, and he will ensure that no black hat hackers get into Botkeeper. And that gave me a lot of comfort, actually talking with him.

Byron: It’s awesome.

Blake: So, it's so great you have him on the team-

Byron: Yeah, he’s great.

Blake: -and it was so much fun working on this with you, Byron.

Byron: You as well, man. I enjoyed the conversation. This has been fun today.

Blake: I hope to have you back again sometime.

Byron: I would love to. You know it.

[00:59:26] Outro

Blake: Thanks for listening. I hope you enjoyed this episode, and that you learned something new. And if you did, wouldn't it be nice to get some CPE credit for it? Well, I've got great news. My new app, Earmark CPE, offers free NASBA-approved CPE credits for listening to podcasts, including this one. Visit EarmarkCPE.com to download the app, take a short quiz, and get your CPE certificate. That's EarmarkCPE.com.
