RoseRyan VP Pat Voll recently weighed in on a recent debate that posed the question “Is your data more secure in a data center or in the cloud?” CFO published her bylined article alongside other data-security experts in one of its monthly Square-Off virtual panels. Pat’s take: Companies need to focus on the “who” rather than the “what” when looking at where they store their information. See below for an excerpt of Pat’s article:

Ultimately, you are responsible for the protection and security of your data, regardless of where it is stored. Where your data is safest depends on your company’s own internal processes, infrastructure, controls, training, and discipline, and those of your cloud provider.

Consider this fact: The most common reason companies suffer from a data breach is because of an employee error. In a recent survey by the Association of Corporate Counsel, 24% of in-house lawyers blamed employee error for a breach at their company. That’s higher than phishing attacks (12%), third-party access (12%) and lost devices (9%).

A mishap by an employee could happen no matter where the data resides—on-premises or in the cloud. To tamp down the risk, it is essential that companies take a hard look at their internal processes, including periodic training for all employees and robust on-going monitoring of controls, to ensure policies and procedures are being followed.

CFOs can’t pass off the responsibility for data security to the IT department and hope it’s getting done. Similarly, you can’t assume the vendor has adequate controls and procedures in place. It’s not only the right thing to do—it’s increasingly becoming an expectation.

To read the article in its entirety, go here.

For the past couple of years, emerging growth companies have been reaping the benefits of cloud computing. The momentum of small startup companies using innovative technology to make their business processes more efficient can be seen everywhere.

As a financial consultant specializing in emerging growth companies, I have been particularly amazed at the positive impacts that the “paperless” office and cloud computing are having on my clients every day. Gone are the gray stainless-steel filing cabinets packed with invoices, checks and receipts. My files are stored in the cloud and accessible from my computer wherever I go.

In an ever-constant quest for improvement, I’m continually changing and fine-tuning our accounting and finance processes. That includes turning to the myriad of cloud applications, such as, Expensify and Right Networks, that provide high-speed, low-cost solutions. They make me, and my clients, more efficient and effective. Best of all, I can control and implement these applications myself—no need to rely on the IT department. And the tools can scale down to meet the needs of a startup company.

Having recently attended webinars and presentations by finance executives across a variety of industries, I think it’s clear that cloud technology is transforming the way accounting and finance must do business—but we seem to be the laggard adopters. Only 3 percent of our potential market is in the cloud, compared to a healthy 35 percent for sales and other services businesses, and about 20 percent in HR fields.

We cannot afford to ignore the time- and cost-saving benefits—not to mention the accuracy and convenience of, say, being able to compile original financial documents for financing due diligence or an audit at the click of a button.

It’s time for finance to embrace the change and deliver better, faster information to company executives. We need to take advantage of cloud technology if we are to shed the image of being the “work horse” department, and make full use of our analytical expertise and partner up with internal corporate functions to provide more meaningful and timely information that will impact the company’s bottom line.

We must be ready to re-educate, re-learn and re-invent the future.

Keeping track of a zillion passwords and user IDs is a fact of working life, made even more complicated by all the devices we use. Because I work with different clients it’s even harder, because that almost always requires using a lot of secure applications. When I started with my current client, I received a three-page Excel spreadsheet of applications I needed logins for. I tried to make the user IDs and passwords easy to remember, but there were just too many—and each application required different user ID and password conventions. It wasn’t efficient (or particularly safe) to enter login information on the spreadsheet and keep it current and portable—I work on the client’s computer as well as a laptop, and the last thing I need was another password to secure the spreadsheet.

Most of us have probably used sticky notes—in our wallet, taped to a computer or pasted into a notebook—or virtual stickies littering our desktop or smart phone. And we all know that isn’t secure. This problem has even been in the news; one recent story is NPR’s “Prevent Your Password From Becoming Easy Pickings (Or PyPfbEp).”

I solved my problem with two simple solutions.

The first is a password manager or password wallet. These cloud-based apps store login information for all sites or applications and are accessible with one master password. Log in to the wallet app and it does the rest, bringing up the application login screen and autofilling the fields. It increases security, saves time and is easy to use. It’s also portable—because the app is cloud-based, one license covers all your devices, including cell phones.

These apps have been around for several years. There are many to choose from—check out this comparison from TopTenReviews. I use RoboForms: it’s simple and inexpensive at $9.95, and it works on all my devices.

The second solution is choosing a strong master password for my wallet app that I can remember. (Amazingly, the most commonly used password is “123456.” Avoid it.) Experts also say to avoid using actual words and birth dates, among other things. They suggest using the first letters and numbers of a phrase that you will remember. For instance, for “My #2 son’s middle name is Alex” the password would be M#2smniA.

I’m not that technically savvy, and I installed my password wallet in less than 10 minutes. It saves me a lot of time and frustration, plus saving a lot of sticky notes!

RoseRyan was recently the victim of a bizarre crime: thieves stole the main circuit breaker for the entire building. We lost all power for almost an entire week while the repairs were made.

Ask yourself: if my building lost power for a week, what would the impact be?

If this had happened to us three years ago, we would have been dead in the water—no email, no file sharing, no telephones, no web presence. We would have been reduced to phone trees to tell our employees about the disaster.

As it turned out, we lost only landline phone service and a scheduling system. Not that this wasn’t painful—it was. But it could have been much worse. How were we able to sustain most of our critical business applications without power? We had outsourced most of them already.

No small company can afford the redundancy that larger companies can. Having geographically separated backup systems just isn’t in the picture. But Google has them. So does By outsourcing to companies like these, small businesses can pool resources and enjoy economies of scale that give them access to services that once only larger companies could afford.

Enterprise Gmail is one such big win for us. If we had still been using our own Microsoft Exchange server, we would have been dead—business would have stopped for the week. Not only did Gmail save the day in an emergency, but also all the day-to-day headaches that accompany email management have gone away because we let the experts handle it. If you run a small company and you’re still hosting your own email server, you’re making a huge mistake. You’re paying too much in staff time, equipment and licensing while getting too little in return.

Admittedly, outsourcing is not a panacea. You have to do your homework. Outsourcing to a poorly run company can be worse than doing it yourself. Part of the reason we still have our own phone system is that I haven’t found an outsourcing vendor that I am happy with. But think of it this way: by prioritizing outsourcing you make it a strategic problem to be solved instead of an ongoing tactical issue. As a rule of thumb, the more strategic you can be, the better off you are. Make the big decisions and stick to your core competencies. We aren’t an email hosting company, so we shouldn’t be doing it if at all possible.

The hard part is letting go of some control, but you have to get over it. Google does our email, and we have to trust them with a critical business system. Knowing we had email even when our office had no power was much more comforting than a false feeling of control.

The bottom line is this: find companies you can trust and outsource as much as you can.

You don’t cut your own hair, do you?

Author Matt Lentzner is RoseRyan’s IT guru (as you may have guessed).

I hear a lot about the many virtues of moving to the cloud. There are a lot of reasons this makes sense—among other things, the cloud can provide greater efficiencies, reduce costs, enhance productivity, remove geographic barriers and improve disaster recovery. And with so many cloud-based applications available and more hitting the market constantly, it definitely is the way of the future (if not the present).

But the articles I’ve read tend to focus on the benefits, and working in the cloud is not without risks. You don’t control the platform, and your company’s critical data (about employees, finances, customers, etc.) is being stored outside your premises with a third party. Even though someone else is managing your data, you are still responsible for what happens to it. Here are a few risks to consider:

Data location. Where is your data being hosted? Data protection and privacy regulations in many countries specify where certain employee data can be physically located. Also, different countries provide different legal protections, so if your provider moves its data center to another country there could be serious consequences for you.

Data ownership and migration. What happens to your data if you switch vendors or if a vendor goes out of business? Will it disappear? Will it be deleted securely? Will it cost to transfer your data from the vendor at the end of the contract?

Security. What controls are in place for transmitting data to your cloud provider and storing data securely? Is customer access secure? How are security breaches handled, and how soon are customers notified? (Ask for a SOC2 report to help assess data protection and security.)

Reliability. Industry standard uptime is greater than 99 percent. Does your provider meet that? How often is maintenance performed? How are customers notified of scheduled down time? What is the disaster recovery plan? Are full backups taken at least daily? Are there redundant sites and systems?

Integration. Evaluate how well the application integrates with existing applications (both in the cloud and at your location).

If you’re moving to the cloud, be smart—weigh costs and benefits, and evaluate options carefully. If you have an enterprise risk management (ERM) program in place, make sure the cloud is part of your strategy. Know what your risks are and address them up front; if something goes wrong you may be looking at business disruptions, damage to your reputation, lost customers and more. You don’t want to be surprised.

Don’t have an ERM program? Learn more about ERM for midsize companies in our latest report, ERM: Not Just for the Big Guys.

Facebook did things right in its S-1 disclosures relating to data protection and privacy as it relates to business risk. Among other things, the myriad disclosures warn investors of risks related to unfavorable media coverage of its privacy practices and concerns about privacy, sharing and security. They also note that unauthorized access to or improper use of user information could damage Facebook’s reputation and result in legal or regulatory action, which could be expensive and require Facebook to modify its business practices. (This has happened before, as the disclosures point out: last year a 20-year settlement agreement with the Federal Trade Commission required the company to establish and refine policies related to user data and privacy settings, submit to privacy audits every two years and take other measures.) The company says complex, evolving laws and regulations for privacy and data protection could harm its business.

This seems to be as it should be—at least for the SEC, which last fall issued disclosure guidance on cybersecurity risk that all public companies should be aware of (private companies should take note too). But while Facebook followed this disclosure guidance, these disclosures are aimed protecting investors; they reveal the potential effects of problems after the fact. That’s not reassuring to Facebook users.

As more and more data moves online and into the cloud, companies need to actively protect their customer data. Cyber attacks happen with increasing frequency, and only the big cases (like last month) are publicized. It’s critical: our finances, medical records, credit cards, employment, passwords and other aspects of our personal lives are online. Companies that don’t take data protection and cyber security seriously are gambling with risks that may be very expensive or change how they do business.

At least some relief may be in the works. The Federal Trade Commission will soon release its final staff report of recommended controls and standards for the online protection of consumers’ privacy. The report is expected to expand the scope of what may constitute consumer data and propose sweeping new standards.

It’s unlikely, however, that U.S. regulations will be as stringent as the proposed Data Protection Directive issued Jan. 25 for the European Union. Those regulations would apply to anyone processing data in the EU—including those outside Europe who offer goods or services to EU citizens. Key points include:

  • Significant fines for organizations that don’t follow basic knowledge/consent obligations or requirements to adopt good policies and procedures
  • A requirement to appoint a data protection officer who must ensure that the organization adopts good data governance policies and procedures
  • Regular data protection audits and privacy impact assessments
  • A requirement to notify data protection authorities within 24 hours of a data breach

We’ll be watching to see if the FTC grasps the severity of problem and fully addresses the need to protect consumer information.

Whether it does or not, companies should pay full attention to both their privacy and data protection measures and their disclosures around it. Building customer trust and goodwill takes a lot of corporate resources; losing that trust can have a significant adverse impact to any business. With better protections in place, transparency and disclosure will follow more easily—and those companies will be trusted more by customers and investors alike.