Eight Key Security Elements To Look For In Your Cloud Applications
It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.
::Together With Financial Cents::
Redefining how accounting firms get work done.
I have a blog category dedicated to security. I am by no means an expert, but I follow security articles, conversations, and protocols closely because I am always looking to pass on simple-to-action yet effective security ideas.
One of the things I do when vetting apps to see if we can partner is to have them complete a rigorous intake form. It includes sections on what compelling problem they solve, how support works, what their marketing looks like, who their competitors are, and, of course, what security protocols they have in place. I want to know if my name is behind an app, that it brings value to the accounting community and SMBs. Knowing their security measures is critical to me.
Here are some security measures I ask if they have in place.
Of course, there’s way more to an app’s security plan than the ones below, but these are the minimum elements you should look for.
In alpha order, not importance order.
One: Bank-level encryption
“Bank-level security is what banks or financial institutions use to encrypt and protect financial data and personal information using standard industry tools and technology. This security includes protecting data at rest, securing data in transit, maintaining operational procedures, and regulating administrative access to data and information. At the same time, different banks vary in the specific types of security measures they implement.”
Two: DDoS prevention and mitigation
A DDoS attack is like an unexpected traffic jam clogging up the digital highway and preventing regular traffic from arriving at its destination. You should care about DDoS prevention protocols because a DDoS attack can cause our cloud-based apps to go down. And that is mightily inconvenient, no?
Three: Data storage location(s)
It is critical that data be stored in multiple locations, and in countries whose laws and data-handling practices are consistent with your ethical obligations and your insurance requirements.
Four: Geopolitical considerations
I realize this may be a “Kellie-thing” and that I should read less world news in the morning, but I consider some things related to where an app is headquartered and how their employees are dispersed.
Cultural fit for security consciousness and value alignment
Employees' working locations and geofencing policies
Geographical/political/social situation of employees
Geographical/political/social situation of head office and/or key C-Suiters
Five: Integrations
Many companies have strong security policies that an app needs to have before it can integrate and partner with them. Below are a few such integration partners that force apps to have their security-ducks in a row.
Google
Microsoft
Zapier (this changes depending on what the triggers and actions are and how many users have connected a particular app)
Six: Internal security policies
Just as you must secure your business to the best of your abilities, you need to consider the app's internal policies.
Corporate passphrase implemented
Data redundancy policies (for their corporate data, not client data)
Employee security training
Least privilege access for their employees
Password manager implementation and policies
Five: Log in options
You need to ensure that your apps have login settings that create friction for the baddies to get in.
Forced secure string password
Of course, this should be easy because you are using a password manager, right?
Magic link
Passkey
Preferably multiple options, such as an authenticator app, email and SMS
Six: Log out options
I recently had my computer in for a computer-wellness visit, and I was a dork and forgot to log out of one of my Chrome “people” and a few apps, but it was easy to do from the parking lot on my mobile—whew!
On browser close
On tab close
“Remember me on this device” settings
Remote device logout
Timed log-out options
In QBO, you can change this setting under:
Account and Settings > Advanced > Other preferences > Sign me out if inactive for > toggle 1, 2 or 3 hours
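As an added illustration of what these log-out options look like on the server side (this is example code written for this post, not code from QBO or any other app), here is a small in-memory session store. It shows a "sign me out if inactive" timer, an absolute lifetime that is longer when "remember me on this device" is chosen, a cookie that disappears on browser close unless "remember me" is set, and a "log me out everywhere else" call of the kind I used from the parking lot. The timeout values, user names and device names are assumptions chosen for the example.

```python
"""Example session store (constructed for illustration; not any app's real code)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

# Assumed policy values for the example.
IDLE_TIMEOUT = 60 * 60                  # sign out after 1 hour of inactivity
SESSION_LIFETIME = 12 * 60 * 60         # hard cap for a normal session
REMEMBER_ME_LIFETIME = 30 * 24 * 60 * 60  # hard cap when "remember me" is ticked


@dataclass
class Session:
    user: str
    device: str
    created: float      # seconds since epoch when the login happened
    last_seen: float    # seconds since epoch of the last validated request
    remember_me: bool = False


@dataclass
class SessionStore:
    sessions: dict[str, Session] = field(default_factory=dict)

    def login(self, user: str, device: str, now: float, remember_me: bool = False) -> str:
        """Create a session and return an unguessable token for the cookie."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, device, now, now, remember_me)
        return token

    def validate(self, token: str, now: float) -> Session | None:
        """Return the session if still valid; expire it (and return None) otherwise."""
        s = self.sessions.get(token)
        if s is None:
            return None
        lifetime = REMEMBER_ME_LIFETIME if s.remember_me else SESSION_LIFETIME
        if now - s.created > lifetime or now - s.last_seen > IDLE_TIMEOUT:
            self.logout(token)      # timed log-out: absolute cap or inactivity
            return None
        s.last_seen = now           # activity resets the inactivity timer
        return s

    def logout(self, token: str) -> None:
        """Explicit log-out of one device (tab/browser "log out" button)."""
        self.sessions.pop(token, None)

    def logout_everywhere(self, user: str, keep_token: str | None = None) -> int:
        """Remote device log-out: revoke every session of this user except keep_token."""
        doomed = [t for t, s in self.sessions.items() if s.user == user and t != keep_token]
        for t in doomed:
            del self.sessions[t]
        return len(doomed)


def set_cookie_header(token: str, remember_me: bool) -> str:
    """Build the Set-Cookie value. Without Max-Age the cookie is a 'session cookie'
    that the browser drops when it closes; with 'remember me' it persists."""
    parts = [f"session={token}", "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    if remember_me:
        parts.append(f"Max-Age={REMEMBER_ME_LIFETIME}")
    return "; ".join(parts)


if __name__ == "__main__":
    store = SessionStore()
    laptop = store.login("kellie", "laptop", now=0.0)
    phone = store.login("kellie", "phone", now=10.0)
    print(set_cookie_header(laptop, remember_me=False))
    print("revoked from the parking lot:", store.logout_everywhere("kellie", keep_token=phone))
```

Note that "on browser close" is really a cookie property (no `Max-Age`/`Expires`) rather than something the server can enforce, which is why a server-side inactivity timer like the one in `validate` still matters.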
Seven: SOC2 compliance
Certificates are preferred but can be long and expensive to obtain, so even if they aren’t certified, it is still a solid security indicator if they are compliant.
Eight: User permissions
Least privilege is a critical element of a security policy, meaning you need to allow your team (and clients) to access only the bare minimum of what they need in your apps. Look for granular permission levels and ease of removing individuals from your apps.
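To make "granular permissions" and "ease of removing individuals" concrete, here is an added example of a small deny-by-default permission model (written for this post, not taken from any app). Roles bundle fine-grained permissions, a grant can be scoped to one client or to all clients, every check fails closed unless a matching grant exists, and off-boarding a person removes all of their grants in one call. The permission names, roles and client names are assumptions made up for the example.

```python
"""Example least-privilege permission model (constructed for illustration)."""
from __future__ import annotations

from collections import defaultdict

# Assumed fine-grained permissions: "<resource>:<action>".
PERMISSIONS = frozenset({
    "client_data:read", "client_data:write",
    "invoices:read", "invoices:send",
    "users:manage",
})

# Assumed roles, each a minimal bundle of permissions.
ROLES: dict[str, frozenset[str]] = {
    "viewer": frozenset({"client_data:read", "invoices:read"}),
    "bookkeeper": frozenset({"client_data:read", "client_data:write",
                             "invoices:read", "invoices:send"}),
    "admin": PERMISSIONS,
}

ALL_CLIENTS = "*"   # wildcard scope for firm-wide staff


class AccessControl:
    def __init__(self) -> None:
        # user -> set of (role, client_scope) grants
        self._grants: dict[str, set[tuple[str, str]]] = defaultdict(set)

    def grant(self, user: str, role: str, client: str = ALL_CLIENTS) -> None:
        """Give a user a role, scoped to one client unless ALL_CLIENTS is passed."""
        if role not in ROLES:
            raise ValueError(f"unknown role: {role}")
        self._grants[user].add((role, client))

    def allowed(self, user: str, permission: str, client: str) -> bool:
        """Deny by default: True only if some grant covers this permission and client."""
        if permission not in PERMISSIONS:
            return False
        for role, scope in self._grants.get(user, ()):
            if scope in (ALL_CLIENTS, client) and permission in ROLES[role]:
                return True
        return False

    def offboard(self, user: str) -> int:
        """Remove every grant for a person in one step; returns how many were removed."""
        return len(self._grants.pop(user, set()))

    def who_can(self, permission: str, client: str) -> set[str]:
        """Audit helper: which users currently hold this permission for this client."""
        return {u for u in self._grants if self.allowed(u, permission, client)}


if __name__ == "__main__":
    ac = AccessControl()
    ac.grant("kellie", "admin")                      # firm owner, all clients
    ac.grant("ana", "bookkeeper", client="acme")     # staff limited to one client
    ac.grant("acme-owner", "viewer", client="acme")  # the client sees only their own data
    print("ana may send acme invoices:", ac.allowed("ana", "invoices:send", "acme"))
    print("ana may send globex invoices:", ac.allowed("ana", "invoices:send", "globex"))
    print("can manage users at acme:", ac.who_can("users:manage", "acme"))
    print("grants removed when ana leaves:", ac.offboard("ana"))
```

The `who_can` audit helper is the check I would actually want to run periodically: it answers "who can still do X for client Y today", which is where stale access tends to hide.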
Knowing that your apps take security seriously is mighty important.
We are not just using them for our businesses; as accounting professionals, we are the guardians of our clients' sensitive data. Vet your apps for their policies by searching their websites and asking for whitepapers.
It’s a crazy time for bad actors and hackers. The risks are monumental, and I often hear the adage, “It’s not a matter of if you will be compromised, but when.” But all we can do is the best we can do, and a great start is making sure your apps have at least these eight key security elements in place.
Featured Template
15% off discount code: BLOG
October 28 - October 30, 2024
I am a co-host of a session - First impressions: crafting an effective welcome guide for new clients - with the one and only Nayo Carter-Grey.
Simply yours, Kellie :-}
::Shameless Call To Action::
I sell bookkeeping templates, standard operating process handbooks and client guides.
15% off discount code: BLOG