The speed with which organisations across the UK have adopted the Software as a Service (SaaS) model is impressive. Yet many businesses are still wary of taking this route for critical financial information. And for good reasons. There are serious issues about where information is stored – whether it is located in Europe, for example – and the robustness of security procedures adopted by vendors.
Indeed, while many vendors will tout strong back end security processes – and leverage the security investment of the hosted data centre – many are failing to put in place rigorous front-end security requirements. Passwords, for example, are often weak.
As accountancy firms across the UK look at new ways to add value to the client relationship, growing numbers are exploring the potential of Software as a Service (SaaS) based financial software. In addition to streamlining processes to drive down costs, the SaaS model allows firms to adopt subscription based added value services, such as rolling cash flow forecasts, proactive advice on profitability or tax planning or real time access to scanned invoices.
Given the growing market competition and pressure on margins this opportunity to transform the client relationship is compelling. The subscription based model minimises the investment required, removing the need for internal IT expertise or server infrastructure. Furthermore, subscription costs are incredibly low and the monthly pay as you go approach enables accountants to embrace a new business model.
So far, so good. But how confident are clients about the security of data that is stored in the cloud? How easy is it for the accountancy practice to allay fears about the corruption or loss of business critical financial data or explain the compliance and governance implications of the shift from on premise to SaaS approach?
According to a recent study from Ventana Research, organisations are concerned about data consistency, data integration, data quality and data governance. And users in finance and supply chain ranked lowest at 8 percent and 6 percent respectively in support of cloud-based functions.
However, over the next 12 months, 34 percent of businesses reported they plan to support finance with cloud-based applications. It is, therefore, critical that these organisations not only understand the questions they need to ask potential suppliers about the quality of their security processes and procedures, but also ensure that every aspect of the business, not only the cloud-based finance solution, safeguards critical information.
For example, organisations are understandably concerned about where data is located, with growing numbers unwilling to opt for US data centres, even those approved under the Patriot Act to securely store European data. However, companies need also to consider how they are sharing sensitive client data. Despite concerns over Government access to information, many are increasingly using cloud based file sharing services – which are hosted in the US, raising concerns regarding compliance and data security.
It is also important to check out the quality of security being deployed at the data centre. Most SaaS providers will leverage third party data centre resources to store clients’ data – it is the most cost effective approach. But data centres vary significantly in the level of investment in data security and availability and not all conform to the European standard for data centres or do the minimum required.
Issues to consider include not only essential physical security but also real time monitoring tools and intrusion detection techniques; as well as the robustness of back-up and failover solutions to ensure no data loss and deliver the promised 24×7 access to information.
In addition to the quality of the data centre, it is essential to ascertain the commitment of the SaaS vendor to strong security. Security pledges are a key component of every sales offer; therefore companies need to ensure that the promised levels of security and data management are consistently delivered. For example, is the organisation audited every quarter by a trusted third party robustly assessing the depth and quality of both process and technologies employed to safeguard this critical financial data?
Does the company employ an intrusion detection service to ensure security policies are continually evolving in line with the changing threat landscape? And what is the company’s policy towards front end issues such as passwords? Most companies have good back end security processes in place, leaving hackers to focus on compromising staff in order to gain access to passwords.
Common examples include searching through bins to find out about staff and targeting specific individuals with USB sticks carrying, for example, information about holidays or sporting events. Anyone who breaks the corporate policy and uses the USB stick will have key logging software installed on their machine and their password will be immediately revealed.
These are issues that every organisation – from accounting practice to clients – needs to address. Always shred paper before disposal; ensure staff never use unsolicited USB sticks; and, critically, enforce strong passwords that are changed at least monthly, preferably every week.
Accountants also need to consider the legal requirements for data storage. The essence of the SaaS model is total flexibility, allowing companies to easily move between suppliers. But what happens to the data if the company unsubscribes? With a legal requirement to retain information for at least seven years, it is essential to ensure the vendor will comply with that need.
There is no doubt that the trend towards SaaS-based solutions will continue to grow. And, for accountants, it provides an excellent opportunity to cut costs and move into new areas of subscription-based services that will add revenue and build strong, trusted client relationships. But this vision can only be realised if clients are totally confident in the security and integrity of sensitive financial data – companies need to ensure that the choice of SaaS vendor is as much about secure infrastructure as product quality.