Security and information sharing: what you should know about QuickBooks

Sharing financial information comes with both benefits and security concerns. On the one hand, sharing financial information can facilitate collaboration and enable faster decision-making. Business leaders need easy access to accurate financial data to help them make more informed decisions about investments or resource allocation. Additionally, sharing financial data with team members can help them understand the financial health of the organization and align their work with the organization’s goals.

On the other hand, sharing financial information can expose the organization to risks such as data breaches, identity theft and financial fraud. If financial data falls into the wrong hands, it can lead to significant financial and reputational damage to the organization.

To weigh the benefits of sharing sensitive financial information with security concerns, it is important to take a risk-based approach. This involves considering the value and sensitivity of the financial information being shared, the potential risks associated with sharing it, and the controls that are in place to mitigate those risks. One of the critical factors is where the information is stored, as well as how its shared.

In this blog post, I’ll examine some of the issues that I’ve heard from QuickBooks users about various QuickBooks versions and the challenges around:

• Information sharing using spreadsheets
• Managing versions
• Unique QuickBooks challenges

Spreadsheets Are Security Headaches

QuickBooks has Service Organization Control (SOC) 2 Type II certification. While QuickBooks in-and-of itself might be secure, there are major security concerns regarding spreadsheets, and QuickBooks users are dependent on spreadsheets. In a recent survey of QuickBooks users conducted by CFO Dive, 75% of more than 160 CFOs interviewed said spreadsheet use is a source of frustration for their teams. That gives you a good indication of how prevalent spreadsheets are among QuickBooks users.

Some of the security concerns surrounding spreadsheets include:

• Unauthorized access: If the spreadsheet is not properly secured, anyone with the link or access to the shared folder can view or edit the data.
• Lack of version control: This makes it difficult to track changes and this leads to confusion and errors
• Compliance Issues: Depending on the type of data stored in the spreadsheet, there may be compliance issues that need to be considered, such as regulations around data privacy or confidentiality. This is especially true for financial data.
• Unintentional changes: Shared spreadsheets are prone to inadvertent changes when multiple users are editing the same data at the same time.

As well, spreadsheets are vulnerable to malicious attacks, and these may include:

• Malware: Malware is software designed to harm your computer or steal data. Spreadsheets can be infected with malware, and this can spread to other computers when the infected spreadsheet is shared.
• Phishing: Phishing is a technique used by cybercriminals to trick users into providing sensitive information, including login credentials or financial data. Cybercriminals use spreadsheets to distribute phishing scams by sending an email with a malicious link to a spreadsheet.
• Macro viruses: These infect spreadsheets by embedding malicious code into the programming language used by the spreadsheet application. Once infected, the macro virus can spread to other spreadsheets or compromise the user’s computer.
• File format vulnerabilities: Spreadsheets are vulnerable to security vulnerabilities within their file formats.

There are several reasons why QuickBooks user depend on spreadsheets, as follows:

• If the company has multiple entities, many QuickBooks users utilize spreadsheets for consolidations and intercompany eliminations. This is because QuickBooks can only track one entity. In some cases, QuickBooks users will create a fictitious entity for consolidation, but that means exporting all the data from the separate instances and then importing it into the fictitious entity. Either way it’s a messy process and there are opportunities for errors, omissions and lost data.
• QuickBooks reporting can only build reports on a single dimension like location, department, customer or project, so you’re stuck with two choices: deal with limited dimensional insights or use a workaround by creating segmented accounts for every variable and combination. Neither of these options give QuickBooks users a multidimensional view of the metrics that matter. These options can also leave its users poring through a lengthy spreadsheet that requires endlessly scrolling through the account codes and numerous tabs to manually comb through to find the right data. This makes it unwieldy to join tables, create custom calculated fields or use pivot tables to get insight into the data.
• Many QuickBooks users download data from the application and then dump it into spreadsheets to create charts and graphs to help share information. This presents challenges including data-set selection for the representation. This is a manual process and creates opportunities for errors.

Older Software is a Security Concern

Another security issue facing QuickBooks Desktop users is vulnerability as the result of not staying current on its releases. This issue is compounded if you’re using a version of QuickBooks Desktop that’s no longer supported. Intuit, like many software companies, supports its most current version and the two previous versions.

Let’s break this down as there are numerous concerns here. If you’re on a supported version of QuickBooks Desktop, you need to stay current on maintenance releases, which may contain security updates. If you’re on an older but supported version, you’ll want to install the most current version to get the most up-to-date security patches. If you’re not on the current release, this can have serious security implications, leaving your system vulnerable to attack and potentially leading to data breaches or other security incidents. It’s important to keep your software up to date to ensure the security and stability of your system. And it should be obvious that unsupported software is troubling at best and disastrous at worst. As well, new software and operating systems may not be compatible with older software versions. This can lead to conflicts and errors that can compromise security.

There are lots of reasons QuickBooks Desktop users don’t stay current on its releases. In its survey, CFO Dive found that 26% of the CFOs interviewed said maintenance and updates when using QuickBooks are concerns. Part of this is the process to stay current:  You need to check the system requirements, back-up all the data, deactivate any add-ons, install the new version, convert the data and then verify the data. That might be fine if you only have one entity, but imagine doing all that for every entity, as well as any fictitious entities. That’s a lot of unnecessary work that can be eliminated using a cloud-native financial management platform that enables easy-to-perform consolidation and intercompany eliminations. QuickBooks Online doesn’t have some of these issues, but the dependency on spreadsheets remains problematic.

Security Issues Unique to QuickBooks

QuickBooks presents some unique security issues. Since QuickBooks is popular and used by many businesses, it’s a prime target for cybercriminals. Attackers may attempt to gain access to QuickBooks files through phishing scams, malware or other tactics.

Because QuickBooks files are used by multiple people within a business, they are often shared among different employees or departments. This can create security concerns if the files are not properly secured, as the files can be accessed by unauthorized users or inadvertently deleted.

QuickBooks backups are often stored on cloud filesharing sites or on external devices, which can create security concerns if they are not properly secured. If backups are not encrypted or are stored on insecure devices, unauthorized users can access them.

QuickBooks integrates with many third-party applications and services. If these integrations are not properly secured, they can provide an avenue for cybercriminals to gain access to your financial data.

Cloud Software and Security

If you’re using QuickBooks Desktop, you have a lot of options in the cloud. One of these is QuickBooks Online, which is a cloud-enabled version of QuickBooks Desktop. But as I’ve pointed out, with either version of QuickBooks, entities require their own separate login and database instance. Rather than a lightweight cloud-enabled version of desktop software, consider switching to a cloud-native platform. These are built in the cloud for the cloud and are highly modular, so it’s relatively easy to add functionality. Their loosely coupled multitenant architecture makes them more future-proofed and cost-effective to deploy than traditionally designed single-tenant systems. As a result, cloud-native applications are generally easier to maintain, develop on, adapt and integrate resulting in:

• Seamless bug fixes and system upgrades
• Shorter periods between major feature releases
• Faster support of new standards and technologies like artificial intelligence (AI)

With well-publicized data breaches over the past years, security is top-of-mind for companies of all sizes. While most data breaches are financially motivated and perpetuated by outsiders, 85% of data breaches are due to a human element such as fat-finger errors, losing a memory stick with unencrypted data, falling for a phishing scam or failing to install the latest software updates. With regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act, companies who fail to adequately protect data are subject to financial penalties that can be significant; in the case of GDPR, up to 4% of your company’s global annual revenues.

Beyond penalties and potential ransoms, your firm’s reputation, trusted relationships and long-term revenue become at-risk. Reputable cloud vendors have strict standards in place to keep your data safe by implementing a zero-trust security model or comparable and by continuously investing in the technology and personnel to proactively protect your data at-rest and in-transit.

Cloud-native financial management platforms combine the customizability of an on-premises offerings with the 24×7 access, higher security and lower maintenance of the cloud. Cloud-native solutions deliver the full benefits of the cloud due to their use of cloud technology, de facto standards and open APIs. They are easier to integrate, scale, and adapt, delivering you the confidence and a flexible system to meet your future needs. And best of all, cloud-native financial management platforms make it easier to securely share information using roles-based permissions, advanced reporting and data visualization.

If you’d like to learn more about this topic, check out my discussion with Mike Senecal at cardrates.com as we examine how cloud is a security game-changer for small- and medium-sized businesses.