Blake shares his thoughts on the first year of the Accounting & Finance Show LA under new management, then David & Blake discuss the latest accounting news, including: NetSuite's outage this week that prevented many businesses from accessing their ERP for almost a whole day, Google's hardware multi-factor authentication program that has prevented 100% of phishing attacks on its huge workforce, the recent breach of ComplyRight (a large 1099 processor), and why Hector Garcia's popular QuickBooks-focused YouTube channel was suddenly deleted without any warning. (We still don't know).
Stories in this episode:
Google: Security Keys Neutralized Employee Phishing — Krebs on Security
Human Resources Firm ComplyRight Breached — Krebs on Security
Cloud Accounting Podcast E25: All the ways the cloud can fail you: NetSuite goes down, why you need multifactor authentication, ComplyRight breached, and YouTube bans Hector Garcia
: Welcome to The Cloud Accounting Podcast, a show for accountants using technology to make their jobs more strategic, and impactful. I'm Blake Oliver-
: And I'm David Leary.
: So, David, how was your week?
: Pretty good. I don't think I did anything. I was watching you on social, though. I think you did something this week, right? You traveled very far?
: Yeah, I traveled very far to downtown LA, which, it's not a trip that you make, unless you have a good reason to go there, from the San Fernando Valley. I was with FloQast, at the Accounting & Finance Show LA, which was at the Convention Center, downtown, on Wednesday, and Thursday.
: They moved that show, then, cuz I think before, it was always at the Hilton, at the airport.
: Yes, it used to be at the Hilton, at the airport; this time, at the Convention Center. Interesting event. I've never been to a conference where everything was all in one room. All of the keynotes, all of the breakout sessions were all in small areas within the expo hall, in the different corners of the expo hall. During the keynote, it was fine, because only one person was speaking, but during the breakout sessions it got pretty noisy, because you had people competing, basically, to be heard.
: What I did like about it was that there was tons of traffic, people going to meet with the vendors, see the booths, because you had to do that in order to get from one place to another. It was kinda nice, too because you could go, and peek in on a session, and just listen for a little bit, but, if you didn't want the CPE, or you weren't really that interested, you could just walk away. I like the informal nature of it. I like that a lot.
: Did you speak at all, or did you just work with the FloQast booth, and Mike?
: No, no booth duty for me. I was speaking at ... I spoke in the afternoon on the first day, and we talked about best practices for the month-end close - our favorite topic at FloQast, and it was great. We got grouped up ... It was originally a 30-minute presentation, and because of the CPE requirements, we combined forces with a consultant, named Chris Doxey over on the East Coast. She shared her best practices about process, from her amazing career with big companies and midsize companies. It ended up being really great.
: It sounds awesome. It's interesting, cuz I know that show is in a transition year. I think it's moved from one owner, to a new owner. I think that was the same with the New York City one, as well. From a branding perspective, I think they're coming on strong. I've definitely noticed that every photo always has that same background, you know-.
: The blue background.
: Is it called Accounting Technology NYC, or Accounting Technology LA? Is that ...?
: Accounting & Finance Show LA; Accounting & Finance Show NY [crosstalk] It's free. We forgot to mention the most important part is that the whole model is that anyone can go for free. It's free CPE. I think that having everything all in one room is what makes that possible, because it's probably very affordable to put it together. I like it. This is part of a trend, where CPE tends to be going toward free, it seems like.
: Maybe that'll be a whole 'nother topic one of these days. In the meantime, while you're going to conferences I feel like tons of stuff happened this week. Last week was short, and sweet; we knocked out three new stories like nothing. I feel like there's just a lot of stories that happened this week, so if you want, we can jump in.
: Let's do it.
: First, I guess we'll jump in. NetSuite had an outage this week. I don't know if you saw that?
: Yes. We have a ton of customers on NetSuite, so, we were very, very aware of that. Over seven hours - all day, for some folks.
: Does this affect even your app? Your app can't communicate to NetSuite, through the APIs?
: I'm not sure if affected the API, but, definitely, if you're on FloQast, and you're using NetSuite, you really can't do anything without having your ERP. It's hard to do reconciliations, and whatnot. This is just one of those things that's inevitable, when you're in the cloud, and we just have to accept it as a reality. Ideally, it wouldn't be a whole day, but you're going to have unexpected downtime. My feeling is that it's just worth it, anyway, even if that happens.
: The problem with these outages is that, sometimes, the response by the company isn't the best, and the customers are left in the dark. Unfortunately, NetSuite didn't communicate on social media about what was going on, or what was happening. They didn't even acknowledge that there was an outage until they had fixed it, at like 7:00 or 8:00 p.m. Pacific Time.
: There were people on Twitter complaining about this, getting upset. I'd be upset, too, if I didn't know anything. It actually reminds me of when the power went out, here in LA, and LA DWP wasn't telling people when it was gonna come back on.
: I think that's a learning curve, right? I remember we had a really bad summer ... It might've been 2012? Maybe even 2011. Just a bad set of circumstances. We lost the data center in San Diego. We actually had ... A mistake was made in the data center. Something got shut off. Then, literally two weeks later, a car crashed in some power inverter, in San Diego, and knocked the data center out again.
: I don't think we were really - as a company, Intuit - was really good at communicating outages.
You're right, it's a learning curve, where you have to be open, and transparent, and explain, "Hey, here's what's happened. Things are down. You're not crazy. Something is not working, and we're working on it to get it fixed," and build that confidence back up. Plus, it helped ... It forced us to become multi-redundancy, and obviously, we talked about it last week, which is last week's news, right? Which is [inaudible] moved to Amazon, etc.
: Yep, and I think this is a lesson for not just developers of software, but it's common sense for anyone, if you're a CPA in private practice, or, I should say public practice. You go on vacation, you wanna make sure that you let everyone know that you're not gonna be responding to their emails immediately, or if you're all day at a conference, put up that away message.
: Just be in communication, when you're not available, or you're not able to get work done. It makes people a lot more comfortable. Definitely don't ... There was kind of a funny thing that happened on their Twitter, which is that the same day that they had the outage, the NetSuite team ... Maybe they had pre-scheduled this tweet. They tweeted out a story called "Four Common Causes of a Sluggish eCommerce Website." You know your site is sluggish, but what's slowing it down? Here are some common triggers. To do that on the same day that you're having an outage ... Some of the replies to that were kind of both frustrating, and funny, in retrospect.
: Yeah, and I think that's the lesson to be learned of pre-scheduled social-media tweets. They very quickly can be out of context. Some major event in the world happens, and you look like a fool.
: Yeah, turn those off, when something happens. Enough about outages. Let's talk about some fun news in the cloud-accounting world.
: I don't have anything fun this week, so hopefully, you do.
: You don't have anything fun this week?
: No, actually ... Actually, there's one thing that's impressive, but nothing's fun.
: Well, okay, let's go to impressive, then.
: Something that was kind of impressive this week, Google announced ... Everybody knows about security, and phishing, and we've talked about different security breaches that have happened in the past, on this show, before. Google, the last 18 months or so, has been using hardware-based YubiKeys for their employees, and they have not had one of their 85,000 employees have not been phished ... Their password has not been phished, since they started using these hardware-based keys. I thought that was just really, really, really kind of an amazing thing that ... All the Google employees, nobody got successfully phished.
: For those who aren't familiar, what is a YubiKey?
: A YubiKey ... Coincidentally, if people want, we'll put the link in. I happen to have somebody ... We did YubiKeys 101 on the Developer Hangout, earlier today, about two hours ago. I'll get the link to you, so we can stick that in for the YouTube video.
: Essentially, it's a next level of hardware authentication. You think a site with just a password is a low level of authentication; then, if you want to have a site where you sign in, and then it sends you the text, that two-factor authentication? This is kind of like another third level of authentication, where you have to have a physical key. Like I said earlier, I kinda used the analogy, it won't stop your corrupt uncle, who's in your house, from possibly getting a hold of your key, and signing into a website, but it'll stop people 5,000 miles away, on the other side of the planet, from getting in, because they don't have this physical ... It's literally a physical key you put on your key chain.
: It plugs into your USB drive.
: Oh, yeah, sorry. Yes, that's true. I forgot to ... It actually touches your computer.
: Yeah, you don't turn it in a lock. It basically looks like a little USB drive, and you plug it in, and it allows you to log into those websites. The thing that ... I was on the Hangout, this morning. The stat that astounded me was that 81 percent of security breaches occur because of weak, or compromised passwords. Multifactor almost completely mitigates that problem. You still need to be using strong passwords, don't get me wrong, but if you have a weak password, a hacker cannot get in just by guessing your password. They also have to have that key that you physically possess.
: That's what happened with Podesta, in the whole Hillary Clinton emails, and all that stuff. He got phished.
: It's world-history changing, getting phished. That's why I say it's amazing, the fact that nobody was successfully phished, as testament to this next layer of security that ... The reason I reached out ... Actually, before I even saw this news, I was already reaching out to YubiKey, because I know we talked about the Deloitte stuff, and Deloitte's forcing people to have a two-factor authentication on any apps that work with ... Any companies that work with Deloitte, or they're making them use their active-directory-type stuff, or SAML.
: My opinion is for accountants, and small businesses, this is next. You're gonna have to start getting to this next layer of security to protect yourselves. Then, just coincidentally, I had this thing [inaudible] Friday, and then this story broke, this week, which is really amazing.
: For everyone listening, the big takeaway is if you are managing an accounting team, make sure that your team is using multi-factor authentication to log into all of your business-critical applications - email, your ERP, all that good stuff. You can do it with a key, a physical device like a YubiKey, or you can also do it with an authenticator app. There are different apps you can have your team download on their phone, like Google Authenticator, LastPass Authenticator, 1Password has one.
: What that app does is it generates a random code that's synced up with your log-in. In order to log in, you need your password, and you need the code that is currently displayed on your phone. The phone becomes the key. The takeaway: use multi-factor. Do not expose yourself to this huge risk of security breaches.
: I think even two-factor, with the testing, it's always ... Nothing is perfect right. Somebody could always try to break in. No second factor is not great, but if you have second factor, that's great, but then, if you could do a hardware key, or you said an authenticator app, that's another layer. It's something to think about. Especially for accountants, and bookkeepers, and people that are probably listening to this show, you're not protecting your Spotify account, here. You have your clients' data, and you have to take this this extra level of security seriously.
: Yep, definitely.
: I don't know ... Let's hold off on your fun thing, because ... Let's just move on to another article, which is completely security related. ComplyRight, I think many people may have used them for their W-2s, and 1099 processing. One of the parts, I think that's a little ... Their more in-market brand is efile4Biz.com. I think a lotta people are familiar with that as their brand. I know they're on all the app marketplaces. They're on AppStore.com.
: They're an app that integrates with software, but they apparently were compromised, and had a breach. That's an article that we hit in there. Obviously, there's a lot of analysis here, but I don't know how much we can, and can't speak to it, because I'm definitely not an expert on that level of the what the breach is, but I think it's a perfect example of somebody, somewhere, probably did not have the most secure passwords on their stuff.
: Yeah, I'm not totally familiar with what the issue was, here. It sounds like they had ... Their website got compromised, and so the information that companies, or accountants were entering into this website, with Social Security numbers, addresses, amounts for 1099 processing, those got ... That got hacked. It doesn't matter that their database was secure. It's the website interface was not secure.
: I think the lesson here is that it's important to carefully select, and choose your vendors, and make sure that they have some sort of security audit going on, that they're using the latest methods of protecting their website, and their application, because, in this case, it's a lot of critical information - Social Security numbers, addresses - that people can use to file fraudulent tax returns, or steal your identity.
: If you don't already have a credit lock on your account, chances are most people in this country, at this point, have had their Social Security number stolen. It's kind of crazy that this has happened, but there have been so many security breaches, recently, it's likely that you, the listener, you have your Social Security number out there, somewhere.
: I, personally, after one of the latest data breaches, I went, and I put my credit files on freeze at all of the major credit bureaus. I have to opt in to unfreeze it, so that I can get a loan, or whatnot.
: Two perks to that, or two benefits to that. First of all, it's harder for me to actually go open a line of credit, because I have to do something, so I'm less likely to go just open random cards, which is good. Second, is that somebody who has my information, even if they have it, they can't go open up a credit card. They can't go buy something, and get credit, using my information.
: There might be another implication here for accountants, and bookkeepers, because I think what happened is ComplyRight started informing people of the breach, but nobody knew who the hell ComplyRight was. If my accountant, or bookkeeper filed my 1099 with ComplyRight, I don't know. I have no clue. If I get a letter from ComplyRight, stating that there was a breach, and my data was exposed, my first question is, "Who are you, and why'd you have my data?"
: Oh, yeah.
: There might have to be where ... I think maybe accountants, and bookkeepers might have to start thinking about a policy of really disclosing, when you are using these other apps, who might have their data, because people did ... . I think I saw that people didn't know who this company was, when they started getting notified of the breach.
: Right, yeah, that's the complexity is that somebody - your accountant, your controller, a company that you work for as a contractor - used ComplyRight to file your 1099, or send you your 1099. You have no connection to ComplyRight, but your data has been breached, and they have notified you, and you have no idea why you're getting notified now. I'm curious if any of the accountants who have used ComplyRight could face potential liability.
: So far, it's been very quiet in our space. I think I saw one Facebook post about this. I'm actually surprised about it, because-
: Maybe it's just a sign that it's gotten so common, right? We've accepted that security breaches happen, and nobody cares anymore. We should probably just title this episode The Security Episode, because it's been about-
: Complacency wins.
: Yeah, it's been about security breaches, and websites going down - All the Ways that the Cloud can Fail You, today, on The Cloud Accounting Podcast.
: I don't know if you want me to keep going, or if you want to jump into your fun [inaudible] thing? We can-
: I'm just so depressed now. I think I'm just gonna go, and maybe start my weekend early.
: All right, here's something else that's down. Let's just continue on.
: Yeah, let's keep going down.
: Everybody knows about Hector Garcia. If you don't know who Hector Garcia ... I'd bet money that you've probably watched one of his QuickBooks YouTube videos. They've had 3.3 million views, 500-plus YouTube videos. Apparently, this morning, his whole channel just got taken off of YouTube. No warning, no nothing.
: What, like you go to the channel, it's not there?
: Yeah, like, "This channel does not exist.".
: Since 2012, I think, he posted his first YouTube video. He does two to three a week. A) some of it's his business model. He uses those YouTube videos, in a way, to get new clients for his accounting firm. Not only that, tons of other accountants that are out there use his videos to send to a client. Like, "How do you handle a bounced check in QuickBooks?" Hector has a video on that, and they might send that to their client to handle the bounced check in QuickBooks correctly.
: This has a huge ripple effect, I think, in our space, beyond the fact that, okay, they just pull somebody down for no reason, but the fact that who they pulled down, and the volume of those videos, and how many people used those as a resource is a huge ripple effect, and impact.
: Let's be clear, here. Hector is saying that they did not give him a reason for this.
: No phone call, no warning, no indication that this was going to happen. It just got pulled down. Apparently, it was 'breached community guidelines,' or ... I forget the term he used.
: It was some sort of generic ... They gave him some sort of generic notice about breaching community guidelines, but they didn't say exactly what it was. He can't actually get somebody on the phone, so he had to fill out a form, and it looks like it's gonna take him two to four weeks, if they'll even get him back online.
: I think this brings up a great point, and tie this back to all the stuff going on with Facebook, right now, with these tech monopolies that are starting to develop - really, they already exist ... How can we protect ourselves, when so much of our business is all in these platforms? If they go down, then we're done.
: Hector's business ... He might be out of business forever, if they don't put him back on YouTube. Would he go build all those YouTube videos up again? Probably not. Same thing with the NetSuite outage, we gotta figure out, if we're gonna leverage the power of the cloud, how do we protect ourselves?
: I think there's that redundancy thing. I think I saw, even, somebody that was ... Somebody got hacked on Instagram. I think it was a friend of my wife's. She made a really drastic post about it, like how it's the end of the world. I think there's gotta be a perspective on this types of things. Hector, this is his business, and he got ... All his eggs were in one basket, to some extent. Now, videos got taken down, and that's gotta be crazy scary.
: Then, other things that maybe aren't as important, but even still, people are putting all their eggs in one basket, so then, if something happens, that's it. You're right, they're all ... These cloud companies, they're all on these things ... Even our email, and things like that ... People can spin up their own email servers. You can spin up your own website to put your photos on. You don't have to depend on these platforms.
: Here's an idea, as a way that ... Without doing a lot of work, because spinning up your own email server, that's a lotta work. Here's an idea, if you want to sort of create some redundancy in your cloud, you could ... Every time you get an email that has important information that you're gonna save, forward that to another service; forward that into Evernote. That's what I do. I have all my critical emails in Evernote, with information that I really need.
: Another example is if you're uploading videos to YouTube, and you don't wanna be stuck with YouTube, and dependent on them, is also upload them to Vimeo, or another site, or your own site. Save them somewhere accessible, where if you get banned for some reason, you have another option.
: Well, I think even with this podcast, I think I have it ... It automatically gets saved to Dropbox, as we're recording it, but then, I copy them to my OneDrive, as well. Then, you upload them to the internet, right?
: Then you have a copy. You definitely want some sort of redundancy, especially for something that's super mission critical.
: Another great example is if you're a CPA, or a CFO, and you're on your own. You're a consultant. You've got your own firm. Don't rely on channels like LinkedIn, and Facebook for all of your marketing; have your own website, where you own the domain, and you own the hosting, so that that's not gonna go down.
: That's the place where you put everything, and you syndicate it out onto social media, onto these big tech companies that could arbitrarily ban you for any reason. That way, yeah, it still hurts, if you get taken down from Facebook, for whatever reason, some arbitrary reason, but you've got your own website still there, and that's the primary place where you direct people.
: To summarize, you're saying create your own content, host your own content, keep your content under your control, and then propagate it out to these other sites. If one of these sites has a hiccup, they go outta business, they don't exist anymore, your content still exists, and you just have it also existing on seven other places.
: Yes. I would say that, in terms of accounting software, like ERP software, QuickBooks, whatever, is make it part of your month-end-close process, where you are exporting your key data every month into a format that you can back up, and save, and have accessible, in case you need it - at least on a yearly basis, which is what I do. I export my general ledger for my own personal accounting, and tax information into Google drive, every year. That way, if I lose my account, I'm good.
: That's an interesting strategy, and I remember back in the tech-support days, with QuickBooks for Windows ... This is going way back for me. Before you were born, Blake, maybe? I don't know. I remember we'd tell that to customers, like, "Get yourself a notebook. At the end of every month, you make a back-up to the 3-1/2-inch floppies; you put 'em in that notebook. You print out your profit-loss, you print out your balance sheet, and you put that in there for that month. Then, you do the same next month, so you have this always aged back-up, if worst-case-scenario things happen. You keep that notebook somewhere else.".
: If there's a fire, some worst-case scenario, at least you can go back 30 days, and if those discs are bad, or something went wrong, you can go back to 30 days before that.
: You're doing that same model, you're just doing it in a more modern way.
: Yeah, that's a great point. We've been backing up forever. Ever since the invention of the personal computer, people have advised that you back up your data off your hard drive, onto some other media. We were doing it on floppies; we were doing it on rewritable CDs.
: Then, we got in the cloud, and suddenly people thought, "Oh, we don't need to back-up anymore." Not true. You definitely need to have an emergency back-up, and you need to figure out when it's good to do that, have redundant systems.
: Let's say your online store goes out; you're on Shopify, or something, and it goes out. Do you have a way that you could still fill orders, if you had to, for a day or two? What if your point-of-sale goes down in your store? Do you have a emergency way to charge customers? Have a back-up credit-card terminal. If you are not using Square, let's say you're using some other merchant service, have a Square, one of those things you plug into your phone, so that you could charge customers in the event of an emergency.
: Yeah, that's a good point, I think, is how do you ... Not having all your eggs in one basket. You might have to have a back-up merchant-service account, or at least think about it. This is something optional, yes, for you accountants out there. Have you worked with your clients on a disaster-recovery-type situation? [crosstalk]
: If they're retail, and they're point-of-sale goes down, or they can't do ... Their internet goes down, how do they make money? How do they charge customers? They don't want you to put a sign up that's closed. Yeah, this is a good exercise I think accountants could do with their clients, for sure.
: It's a great consulting opportunity. Definitely come up with some sort of service offering around that. If you're not in public accounting; let's say you're in corporate, this exercise still applies to you. You need to make sure that your systems are redundant, in some capacity.
: Actually, that's one of the benefits of cloud storage that I recommend to people, using Box, or Dropbox, for instance, is that you can sync those files to your local hard drive. If those services go out for a day or two, you still can work on the local files, and then they sync back, when it comes back online. We just had that question at the show, and I think that's a great benefit.
: Yeah, I definitely sync my stuff to my local hard drive, 100 percent. Everything's in both spots, for sure. I do have another article, but I wanna, so we can actually have enough time to talk about it, correctly ... I'll just preview it for next week. There's an interesting article from Accounting Today about a career path is longer for women in accounting.
: I want for us to take definite time to talk about it properly, and not rush through it, so let's hold that one off til next week. If you want to jump out ... You said you finally have something fun? Let's just do yours now. I'm done being a Debbie Downer here this week.
: Oh, no, I actually forgot what that was, so ... This was all security. This was all the challenges of the cloud, but how you can protect yourself. Let's leave it at that, this week.
: You promised me this fun thing, and that's it? You're just leaving the listeners hanging?
: I blame you. David, it's your fault. You did too much serious stuff this week.
: I guess people'll have to subscribe, so they don't miss next week. If anybody wants to get a hold of us, what's the best way to get a hold of you?
: Tweet at me. I'm @BlakeTOliver, or connect with me on LinkedIn.
: Okay, or you can tweet at me. I'm @DavidLeary. Please subscribe, so you don't miss next week, because obviously, Blake is gonna find this missing link that's so fun that he promised us a half hour ago that we'd have, and we'll go from there.
: Thanks, everyone. Look forward to talking to you again, David, next week.
: Awesome. Later, Blake. Bye, everybody.