Accountants 2.0

Cyber-Shield Your Ledger: The Untold Safeguards of Modern Accounting!

April 03, 2024 · Steve Perpich and Ted Williamson · Season 1, Episode 5
Imagine your most sensitive financial information, like the keys to your personal treasure chest, in the hands of someone you trust—your accountant. Now picture that trust shattered by a cyberattack. As accountants Steve Perpich and Ted Williamson join us, we confront this reality head-on, dissecting cybersecurity's indispensable role in the accounting realm. It's not merely a box to tick; it's a commitment woven into the daily practices of a firm, a testament to the integrity owed to every client. Together, we traverse the terrain of risk assessments, access controls, and the non-negotiables of two-factor authentication. By the end of our conversation, you'll understand the personal responsibility each of us bears in this digital age, and why a password alone is no longer the gatekeeper it once was.

Now, let's pull back the curtain on the tools that fortify our digital defenses. It's more than just technology; it's adopting a mindset where security audits become as routine as morning coffee for firms of any size. With Steve and Ted's seasoned perspective, we unveil the secrets of managing complex passwords with ease, thanks to managers like 1Password and Bitwarden. We probe the operational hurdles of modern accountancy—sharing access securely, communicating over group emails and VoIP systems—without sacrificing the fortress of cybersecurity for convenience. By the time you've finished listening, you'll be armed with pragmatic strategies that hold the line between accessibility for clients and an unwavering commitment to security. Join us for a masterclass in protecting what's yours, and in doing so, preserving the trust central to the accounting profession.

Join us and lead the charge in transforming accounting practices:

Facebook Group
"Growth and Operations: Modern Accountants, Bookkeepers, Tax Pros, & Advisor": https://www.facebook.com/groups/accountants2.0

Facebook: https://www.facebook.com/accountants20
LinkedIn: https://www.linkedin.com/company/accountants20
Instagram: https://www.instagram.com/accountants2.0
YouTube: www.youtube.com/@Accountants2.0


Transcript


Speaker 1:

Hello everyone and welcome to Accountants 2.0. I'm Steve Perpich and with me is Ted Williamson.

Speaker 2:

Hello everybody.

Speaker 1:

So today we're on step five of our journey into being a new age accountant. Today is about cybersecurity. It's not just policy, it's a lifestyle. So, Ted, I'll just kick right in. What is your view or thoughts on cybersecurity in general?

Speaker 2:

Well, I think it's important. I think everybody probably thinks that way, but I think a lot of people think that cybersecurity is just like another thing you have to worry about, that it's really not super important. It's something like a buzzword, something that they have to consider rather than it being part of their culture or part of their company. It's just like an annoying little thing, let's just say, I don't know, some annoying thing that is just part of doing business. But it doesn't have to be. It doesn't have to be an annoying little thing. I mean, it's not fun. Nobody really, I mean, some people love it. Steve loves security.

Speaker 1:

Well, it was kind of my career in my earlier incarnations, before I got involved with these activities.

Speaker 2:

Yeah, absolutely. So, basically, I think, being in the accounting world, dealing with people's finances, it's even more important for us in that world. We are entrusted with people's information. We have to make sure that we protect that information and that we protect our company overall.

Speaker 1:

Okay, so inconvenient, but important, and that's why the title of this section is a lifestyle, not just policy. It's almost kind of a contradiction. In accounting, especially, trust and the concept of security for information is critical. In the accounting firm, whether you're a bookkeeper or an accountant, you're being made privy to privileged information that is only for the business owners and the CRA or the IRS and the banks, and that circle of trust has to be maintained. And with modern technology, you know, moving as fast as it can, there's always the opportunity of a misstep. It doesn't have to be inconvenient, it doesn't have to be a big deal, but there are just certain steps that you have to follow when you want to be a credible, I guess, provider of financial services. And as new age accountants, we actually promote cloud-based platforms. A lot of these platforms, actually not a lot, most, I'd say 99%, actually do have the standard security that's acceptable for both commercial and institutional levels. It's just a matter of implementing.

So there are some steps that you should just follow. First of all, assess your status. What are your risk points? How many people in the staff do you have? What do they have access to? Map that out a little bit and really think, okay, who needs access to what? And then go a little bit beyond the password and the account. Don't have shared accounts, don't have one login for five people's access to a system, especially if it contains financial information. That's a basic. But passwords are now becoming almost a convenience level for access. They're not security. So the absolute minimum is implementing two-factor security access to whatever platform. Now that could be an SMS text message to verify access. Kind of inconvenient. One of the issues with that is, you know, where is that text message going to? Is it going to somebody's personal phone? Is it the company phone?

That's usually the problem with it. But you can also use an authenticator. Now an authenticator is a piece of software that can sit on your phone and/or your desktop that gives you a six-digit number that changes every 30 seconds. But two-factor authentication is the absolute minimum. Then the next level is like device level certification where, you may have noticed, like for Google, for example, when you go into Gmail on your laptop it'll say open Gmail on your phone. But that's okay because they know it's you. So if anyone else tries to hack your account, they can't. So if you follow those basics, one login per person per software, two-factor authentication minimum, and you follow that right through to document storage. So when you're storing documents, the access control should be the same level.

Speaker 1:

So either using a platform that has document control, even something as simple as OneDrive or Google Drive, make sure that the access to each document or directory is set to those who need to see it. Don't just have it in a big directory where anybody can just go there. And even then, some type of audit, auditing, tracking. Both OneDrive and Google Drive have methods of knowing who looked at stuff and who uploaded it, just so you know. It's just a setting, and that way you're showing enough due diligence that, if something happened, you were using the best practices the industry has to offer. That's all you can do. You're not in the career of building a whole new encryption system and worrying about that kind of stuff, but just by design.

Speaker 1:

The other aspect, too, is simply physical access to your assets at the office. Lock doors, don't have passwords written on sticky notes on the screen, that kind of stuff. That goes way back to the 1990s, but hey, it's still a thing. The other is end-to-end point, like people working from home. This is why cloud-based solutions are good, because you can control and audit the IP addresses in a lot of these software platforms, where only North American IPs can get at your platform for your uses. So anyone offshore, they'll set a warning and then you'll know that, okay, this is not my employee getting into my system, it's something else, and it can be stopped or managed there.

Speaker 1:

Now the other aspect is, and, Ted, I've experienced it with some clients in my past, but if you have a breach, in other words, you get a cyber ransom demand on your system. First of all, never negotiate with them, never, ever give them money, because all you're doing is promoting that industry. They're unlikely to give you your data back, and if they did, it's probably corrupted. So the trust is broken. And report the breach immediately to authorities. Actually, you're kind of required to now, especially if you're in a position of trust. If you don't report it, you can be subject to sanctions, both in the United States and Canada, for failure to report a data breach, especially if personal information was compromised.

Speaker 1:

Now, part of that bravery of telling a cyber attacker to get lost is preparation. Make sure your backups are properly done and keep a history or versions of your backups on your cloud services to go back further than, say, 90 days. That way you know you're not saving the virus that caused the attack. If you are using OneDrive and Google Drive, one of the advantages is they do scan your files for viruses. If you're just using a hard drive in a server room and you had a breach, once you break off the communication with the outside world, you're going to have to hire a company to do an audit and do a scan. So that's a dark scenario, but it doesn't really have to be. If you follow these other processes, if you use cloud-based solutions, follow their security recommendations and make sure that you know who's got access to what, you're pretty good.

Speaker 2:

I think if you have on-premise servers, you are in the dark ages. You should almost, unless you're, you know, a server farm. Yeah, a server farm. You're a $100 million company, which a lot of these companies are. So then you are insane, because they can easily get into your system. If they want it, they'll get it, hold it hostage. They can easily just spin up, you know, a day ago now, you just lost a day's worth of data instead, right? So, completely agree, completely, yeah.

Speaker 2:

So I think it's almost insane to have on-premise stuff. So obviously not everything's there. So a lot of times, like tax preparation software, you're kind of stuck having an on-premise database. A lot of times you can still get away with having like a cloud-based database that you connect to your on-premise or to your desktop application rather than your cloud-based application, which is great, it still works well. But remember these large companies. Any time that you can, you should be opting into storing your data in a cloud, 100%, because they spend millions and millions and millions of dollars to make sure that they stay compliant, that they stay safe for you and for them, because they can be shut down and out of business if a breach is bad enough, right? So it makes no sense to think otherwise.

Speaker 1:

And there's no way that you can compete with their ability to stay on top of trends, the current cyber attacks. Basically, local storage, I would only really depend on it, say, if you're using it almost like an electronic scratch pad. You bring your files locally, but even then, with like OneDrive and Google Drive, yeah, you can have it sync. So really your files are still in the cloud, but they're local just for access while you're working on them.

Speaker 1:

But it's constantly synchronizing to keep it going, to keep it safe. But it's more for if there's an interruption in a rural area and the internet is unreliable, or the rare occurrence where we have a failure in the internet stuff. Like just recently there was some downtime for some of the major platforms, so your day won't be interrupted those few hours. But then again, if you're a new age accountant and your life is structured and balanced, a few hours' delay from an internet interruption, go get a coffee, do some planning, and then it'll all be back online quicker than you can imagine, because these third-party companies with all the data storage and servers, they usually bounce back pretty quickly. Absolutely, they have all these protections in place to keep them operational and keep you operating.

Speaker 1:

Yeah. So for ongoing, like in the article I set up on our blog, I talk about audits and constant improvement. If you're really, you know, resistant to having it control your life, an annual kind of review of who can get at what, and just be aware of trends and things. And using the third-party storage, as a smaller, mid-level size firm you're pretty safe, and it doesn't have to be a big dramatic thing for cybersecurity.

Speaker 2:

Not at all. I mean, really the only thing you need to worry about is who has access to what and password protection. So the other thing is using something. So you're talking about having passwords. You know, having a different password for everything is great. So using a password generator or, you know, password storage, so something like 1Password. We actually are an affiliate for 1Password. So click on that affiliate link in our comments or in our description and you can get a 1Password account, and that is great. Your whole team can use it. I'm not trying to do an ad for 1Password here, just so that you know.

Speaker 1:

Well, I use 1Password. It's a great product.

Speaker 2:

Yeah, but any password platform is great. So 1Password, Bitwarden, and all of them, they are wonderful. You can control your team level. You can generate a password for each one, store it in your thing so you never lose it, have access on your laptop and your desktop and on your phone.

Speaker 2:

So what I used to use, I used to use Bitwarden, and I would use that one. I would create all of my own passwords and I'd have my team passwords. And each client, you know, it's a little bit less now, but, you know, years ago every client had their Wi-Fi password.

Speaker 2:

If you went to clients, you'd have to figure out what's their Wi-Fi information, how do I get into their instance of QuickBooks Desktop, all that kind of stuff. So I had to store all those passwords for all these different things in order to get into their programs, and even sometimes the door code, so you could get into the actual building itself, for example. But now I'm not saying to do that, because cloud-based, new age accountants don't go to places. The only places they go to are like Bora Bora or something like that. That's where you should be working, not at a client's location. But, that being said, a lot of times they still have software and things like that that they have to invite you to, like their Square account or something like that, and so you have to maybe have a separate password for each one of those pieces of software.

Speaker 1:

So it's very, very good. And for convenience in the short term, they may not want to implement two-factor authentication in those cases.

Speaker 2:

So the generation of passwords is critical in that case, and you can share that with the whole team so that, depending on, you know, who's the one that's working on the client. Sometimes it's not one person working on a client. Two or three people have to jump into the information to get reports or something like that in order to do the work they need to do. So right, and let me.

Speaker 1:

Let me qualify that. That's an operational issue between a new age accountant and their client. Oh, because I said earlier, one account, one user.

Speaker 2:

That's ideal. One account one user.

Speaker 1:

That's ideal, but in reality, when you're dealing with outside entities, they may have a master portal account called "accountant" and you'll have to enter that way. Therefore, strong encryption has to be in place, large passwords that should be generated. Two-factor authentication may not be realistic because it could be multiple individuals. So my recommendation at that time is either the client, when it's not the period where you should be working on it, if you're not constantly accessing this client. Well, if you're constantly accessing this client for operational things, you should actually have an account set up properly.

Speaker 1:

If it's worse, if it's just tax season or whatever.

Speaker 2:

They could even just disable the account temporarily and then re-enable it when it's time to get in there. I don't like to disable the 2FA. What I do is I actually create, like we use Google, you can do it in Microsoft too, so in Google I'll just create a group in there, and all the people that are assigned to that client I'll put into that group. So it'd be like client one, two, three, and then all of the users in my firm who are assigned to that client.

Speaker 2:

I would put them there so that when you do 2FA or like multi-factor authentication through email, then all of them will get it. Or I can use like a joint text number, so, sadly, everybody gets that, right? So everybody who gets the number or who's assigned to a number will get that. But if you use our one company, A20 Connect, and you're in our platform, you can create all kinds of numbers, so you can again parse those numbers for each client if you really needed to.

Speaker 1:

That's right. With VoIP systems, and especially with SMS. With VoIP, like our platform, those types of two-factor things become much more flexible and easy to do. So, again, that's a great best practice, and that's actually how we do it.

Speaker 2:

So yeah, but still secure. Remember that, like, that's the important part. We don't want to get around security, but we have to play within it. So sometimes you have to play with it to make a client happy, right? So we're not getting around it.

Speaker 1:

Well, that's great. Well, I think we covered all the topics for cybersecurity that we'll want to, for those who are thinking this is inconvenient. Such an exciting topic to talk about.

Speaker 1:

Yes, but we can talk about cybersecurity more, or other topics, if you join our community on LinkedIn or Facebook, the Accountants 2.0 community. We're always available to respond to messages and, as it grows, we're going to have more regular get-togethers, just online there. But for now, you know, we're putting out these podcasts and wanting people to join our community. Unless you have something else to say, Ted, we're going to sign off and move on to the next steps.

Speaker 2:

Yeah, I mean, I'm curious to see what other people are doing. So what are you doing? Comment on the video on YouTube or whatever podcast platform you're on. Like, let us know, what are your best practices to deal with cybersecurity, to protect your clients, protect your firm? I would love to know that. And again, I would say like and subscribe and stay in the know.

Speaker 1:

Excellent, all right, everybody. Have a great day and see you soon. See you soon, thanks.
