But despite these benefits, concerns still remain. In the 2013 MYOB and Smithink 2020 Leaders & Laggards Survey when it came to the six main concerns that people have about cloud computing - around 80% of people were still either slightly concerned, moderately concerned or very concerned about the risks. However, what is interesting is that the numbers who were very concerned dropped from around 40% in 2012 to 30% in 2013, so it does appear that confidence is rising.
Given that there are still significant concerns - what can practitioners do to obtain comfort with individual cloud providers so that they can utilise the technologies to improve practice efficiency and client service? As our prime minister has a habit of saying - there's baddies and goodies out there and unfortunately a lot of baddies use the internet as their tool of choice to get to us goodies. So let's look at what vendors should be doing and the questions you should be asking.
- If the provider is utilising data feeds - how secure are those feeds? Do you have to provide internet banking credentials for those feeds? Is the provider using screen-scraping technologies that can be unreliable? Is email being used to deliver the feeds, which should be a concern since email is less secure?
- Can the provider, other customers or other third parties access your data without your permission? How are usernames and passwords protected?
- What has been the provider's track record in systems availability? Read the supplier's service level agreement. What are the limitations of the supplier's service? Are there effective clauses covering disaster recovery, response times and business continuity?
- Does the provider engage external experts to conduct regular penetration testing? While for security reasons companies will not publish the results of these tests they should be able to provide a summary of the number of issues and their severity.
- Where is the data stored? Is it with a reputable provider of infrastructure that utilises strong physical security? If the data is stored outside your local jurisdiction are you satisfied that the security and privacy laws in the country where the data is stored are effective? Does the supplier comply with the security and privacy laws applicable to your business?
- How easily can the data be exported from the system should you wish to terminate the service and/or more to a different supplier? Is there an exit fee to terminate the service? Does the supplier guarantee that your data is removed from the service on termination/your request?
- Does the supplier have effective disaster recovery plans? Is there a disaster recovery site in a different location? How quickly can the supplier switch to the disaster recovery site? How often is data backed up and where are backups stored?
- How is data transferred between users and the service secured? Services should be using SSL technologies to encrypt the data.
- How does the supplier ensure that their service will continue to perform as the number customers grow? What do they do to ensure their system is scalable?
- What happens if the vendor becomes insolvent or ceases business? Can the data be accessed / exported?
- How do scheduled outages occur? When do they normally occur? What notice is provided?
- How often is the application updated to address bugs or to provide enhancements?
- Does the system cater for situations where you make an error and need to rollback to an earlier version of the data?
- Does the supplier vet its personnel to check for criminal records?
- How does the vendor monitor, administer and manage the system and in what jurisdiction do these activities occur? How does the vendor guarantee security of these workstations?
- What is the vendor's policy to notify its customers of any security breaches?
Unfortunately the answers to many of these questions can be quite technical. It maybe worthwhile to engage the services of an IT professional to assist you in assessing the supplier responses.
By conducting this brief review you should be able to gain confidence that the provider has addressed the concerns that you may have about using a particular cloud provider and you can move forward with confidence. Of course, if you're not using a cloud provider and you're utilising desktop software on your own local area network, it would also be a good idea to ask them same questions about your hardware and software implementation. I suspect in many instances you will find that many of the reputable and established cloud providers have stronger security, disaster recovery and reliability.
Cloud computing is a game changer for the profession in how accountants can process data efficiently and provide opportunities for real time information sharing and collaboration with clients. Like everything in business there are risks. It's just a question of ensuring those risks are effectively managed. Dismissing the opportunities without adequately understanding and assessing the risks may leave you in the horse and buggy as others are zipping along in shiny new motorcars.
Do you receive our monthly newsletter? If not, enter your name here and be the first to receive our monthly updates on the accounting industry.