Thursday, April 28, 2011

Protecting Yourself Against Data Theft


by Michael Ehart, CISSP, etc.

There has been a rash of reporting of data theft lately, and it has had the very strange effect of making many people complacent about their data protection measures because, after all, their system is working.

The problem is that there is no way to know if your data is bulletproof. You can only be certain when it is not, and you have evidence that your security has been breached. The vast majority of data theft is undetectable and unprosecutable, because unlike physical theft the stolen data is still there. If someone sneaks into a museum in the dead of night, dressed in spandex and night goggles, and makes off with a Botticelli, in the morning there is a big square of unfaded wall, an empty nail, a light dusting of tracked-through laser-detection talcum powder and no painting.

The problem with stolen data is that most of the time there is no way to know that your system has been breached, or if it has been, that anything is missing because nothing is actually missing.

So what do you do to keep your data secure? The threats come in three flavors, and there are steps that you can take to protect yourself from each one.

1. The Barbarians at the Gates. There are people out there who don't like you. There are people out there who don't care about you, but want what you have. And there are people out there who don't care about you, or what you have, but want inside just because they can. These are the folks that firewalls were invented to thwart, and I assume that you have covered this loophole. Firewalls, encryption, strong passwords, and some sort of Intrusion Detection System (IDS) cover you there. If you don't understand or like this stuff, hire someone who does. A competent IT security consultant can set up security for most small offices in a few hours of system hardening. Do make sure that the contract includes some basic training for your users concerning the changes and best practices.

2. The Enemy Within. Far more likely to cause you grief is the viper cherished in your bosom. No one knows for sure, but I would guess that the retail model applies here: 90% internal theft. After all, who else holds the keys to your kingdom? Training, monitoring, set usage policies and careful terminal check-out procedures can help, but you never know. If you have 20 employees and they all seem perfectly content, either you are the shining example all other bosses should aspire to or at least 5% of your workforce is adept at hiding their dissatisfaction. I know which one seems most likely to me.

3. Stupid is as Stupid Does. And Stupid seems to be doing more than his fair share lately. Data theft is the classic crime of opportunity. "It was just laying there, so I took it." Or "The web site was unsecured" or "The safe was left open" or (one that I recently was asked about) "I left the box of records in the back seat, and someone borrowed my car." I love consulting, but dang, please make it harder for me, will ya? No more post-it notes with passwords conveniently stuck to the monitor, or so cleverly stuck under the keyboard. No more backup tapes on a shelf behind your desk, or stacked on top of the server. No more shared passwords for the entire office.

Once again, if you don't know about this stuff, contract someone who does. It is so very much cheaper and less stressful to spend a few bucks and a few hours hardening your system and providing a few hours of common sense training for your crew than it is to learn about your data disclosure from the guy with good hair and too many teeth holding the mike and standing sideways in your lobby so his cameraman can get a good shot.

Michael Ehart is a Certified Information Systems Security Specialist (CISSP) and carries certifications as a HIPAA Professional and HIPAA Security Specialist (among other things). Visit Michael Ehart's HIPAA blog Comply With Me

Wednesday, February 16, 2011

Finance and Accounting Support in Franchise Systems



There has always been somewhat of a love/hate relationship between franchise operators and their franchisees.  While many entrepreneurs elect to leverage a known brand, documented operating procedures, and combined purchasing power that is often a benefit of a franchise operation, the reluctance to “open the books” to the franchisor is largely based upon a fear that “big brother” will use the information to take advantage of the business owner.  

Logic would indicate that both parties would recognize the validity of sharing financial and business performance data for the benefit of the entire system, where benchmark data and performance comparisons can become the basis of tremendous business intelligence.  But some franchisors, as their networks expand in size, find that their success in selling units begins to outweigh their concern for individual unit performance, and the brand value creates sufficient momentum to overcome a few bad business experiences.  Especially in larger systems, the franchisors don’t often consider the benefits of providing back-office and accounting support for their franchisees, because they simply don’t feel they have to. Reliance on quality accounting and financial data, however, may begin to take on an entirely new meaning, given the nature of the economy right now. 

High unemployment and low consumer confidence have caused spending decreases which have impacted even the strongest of established businesses.  With credit markets being as tight as they are, business owners are unable to obtain the financing required to expand their businesses when required, to new locations or with additional personnel.   The 2010 Franchise Business Outlook[1]  suggests that, even as the economy starts to recover, franchised small businesses will continue to face these financing struggles.  The forecast is for “a slow recovery with marginal increases in the number of establishments, jobs and output.”

Looking to Washington for help, a number of small business organizations, along with The International Franchise Association, are “calling upon Senators to include more provisions in new job creation legislation to help small businesses access credit.” [2] The fear is that if credit access for small business isn’t made available now, the best opportunity to create sustainable business and subsequent job growth will be lost.  Reliance by small businesses upon credit is unquestionable.  

According to the IFA, “the depletion of [SBA loan] funds last fall is proof that the SBA programs were, and continue to be, critically important for our nation’s credit-worthy entrepreneurs”.  However, without sound business accounting and provable data, even the most business savvy entrepreneur may find their business “unbankable” and must therefore rely upon personal credit guarantees to support business growth.

Possibly the strongest point in the argument for franchisors facilitating accounting and financial management assistance to the franchisee centers on Item 19 of the FTC and state Franchise Disclosure Documents (FDD)/Uniform Franchise Offering Circular (UFOC). Item 19 is the Earnings Claim: estimates or historical figures detailing sales, expenses, and income a prospective franchisee might realize as the owner of a particular franchise.

The Earnings Claim is often considered to be the single most important factor in buying a franchise.  As with purchasing any business, it is critical to have a realistic and supportable projection of sales, expenses, and profits earned.  Particularly in a case where a potential new franchisee has no experience running a business, or no applied experience in that particular type of business, the earnings claim becomes the only guidance available.  Unfortunately, the only source for this information is the franchisor itself, which often introduces doubt as to the veracity of the data.  It is difficult to determine which could raise more doubt about the sincerity of the franchisor: using unverifiable data, or not providing an earnings claim at all.

When a franchisor elects to provide services to their franchisees, such as back-office accounting support or financial management oversight, obtaining data for the earnings claim, performance benchmarking, and royalties verification become realistic goals. Further, the ability to verify and substantiate the data can prove invaluable in a tough franchise market where buyers want good, verifiable information, and Item 19 helps sell units.

Offering accounting support to small business owners isn’t a new concept, but the technology to facilitate a truly seamless relationship has only become available in recent years.  As Internet and Web-based application services emerged on the market, businesses flocked to them in order to gain the benefits of anytime, anywhere access to applications and data.  However, the poor performance and lack of features left some business users without the tools they needed to handle all their requirements efficiently, so many returned to manual or local PC-based systems. 

CPAASP offers a technology model which adapts trusted and proven software and systems to a cloud-based, collaborative online working model.   This technology model allows the businesses to continue use of applications with the functionality required to support the business, but improves the IT environment by managing and securing the systems within a secure facility, and utilizes the resources of the service provider to facilitate the ongoing management and support of the systems.  

Owners are able to retain their investments in software applications and processes, while introducing new efficiencies and flexibility in their working model.  The evident benefits are the ability to access information from any location, to have multiple locations work seamlessly together, and to allow outside accountants or other service providers to work seamlessly in the organization.  

CPAASP cloud-based solutions offer centralized management and administration, professionally-secured systems, and deliver reduced costs of IT management, predictability in ongoing IT costs, and an improved ability for the business owner to focus on the business.  Further, the solutions delivered allow for the integration of data with reporting systems designed to assist in the translation, analysis, and comparison of data from a single business to an entire franchise system.

In summary, the franchisor market must look more closely at the fiscal management and reporting systems of their franchisees, and provide avenues to better-address accounting and bookkeeping responsibilities in order to gain credible performance data and useful benchmark metrics.   Only through the ongoing participation of accredited accounting and financial personnel can the business financial data provide the information – and the insight – required to support aggressive business growth in this difficult economy.   

The key is seamless integration, and the technology solution is the cloud-enabled model.



[1] Report that measures the economic impact of franchising in the United States, prepared by PricewaterhouseCoopers (PwC), and commissioned by the International Franchise Association Educational Foundation.  http://franchise.org/uploadedFiles/Franchise_Industry/Resources/Education_Foundation/2010%20Franchise%20Business%20Outlook%20Report_Final%202009.12.21.pdf


Thursday, June 10, 2010

QuickBooks POS in a Hosted Environment

QuickBooks Point of Sale in a Hosted Environment

Retail operators and multi-location store owners often face difficulties in attempting to bring cohesion to their accounting, financial, and operational data.  In so many situations, the retail location –  where inventory is sold and money is exchanged – is far-removed from the administrative location where the financial systems and business reporting exist.  It seems that the best case scenario is to create a means for the remote (retail) locations to operate with real-time access to centralized customer, inventory, and financial data from a primary source. Application hosting services can provide this centralization,  and a platform for standardization, of systems.  Further, the application hosting model can deliver security and managed service which ensures that the systems are available and performing as required. 

Even though hosted applications and centralization of the systems and processes in a POS environment may appear to be the right answer, there are caveats and considerations that speak to the realities of today’s technologies.  These caveats should be strongly considered prior to undertaking any reformation of systems and processes relating to the retail locations.

The first fundamental reality which must be addressed is connectivity. While a retail or store location may enjoy Internet or network connectivity, there should be great consideration given to the wisdom of connecting these locations only and exclusively via remote access systems. Retail is a dynamic business, and the sale is made when the customer is ready and willing to buy. Any retail location must be able to process this sale in order to meet the immediacy of customer demand. If the systems in use are exclusively accessed remotely, then the connectivity to those systems becomes of paramount importance in the ability to do business. At the very minimum, any remotely-served retail location should have redundant connectivity options, with local personnel being familiar with the connection failover process.

A second strong consideration for a hosted or remotely-deployed POS or retail system is local device support.  Devices, such as card readers, scanners, cash drawers, receipt printers, etc. typically require local PC/computer drivers in order to function.  When served by a remote system, this connection between the host and the local devices may not function.  Limited device support for POS hardware can significantly impact the location’s accuracy and efficiency.

Another area of consideration for POS and retail systems centralization is integration or synchronization of POS data with core accounting and financial data.  Depending on the software solution in use, this integration may require that the POS software/data and the financial software/data reside on the same computer and/or within the same network.  This may be one area where a hosted implementation may offer a great deal of benefits, but the benefits to be derived are often a function of the design and behavior of the applications integrating.

QuickBooks Point-of-Sale, for example, was designed for use on a single-user PC environment.  The application is not well-suited to a hosted deployment for multiple users, as the software only allows one instance of itself to run on each computer. While there is a “multi-store” option for this solution, the option requires all stores be connected via a LAN/WAN connection to the same network. RDS (remote data sharing) functionality might possibly be used to allow communication between locally-run POS locations and the “master location” at a hosting service provider, but this method of communication has previously been found to be somewhat problematic and platform-specific (see notes following relating to multi-user/store configuration and Vista OS).  Further, the potential poor performance of RDS connections often negatively impacts the value of the integration.  RDS was designed to be utilized in a local network (LAN), and not as an IP-based solution for communication via an Internet connection.


In many cases, the suitable answer is to keep the POS systems running on the local computers and network, and run the financial applications and the POS integration at the host. With an installation of the QuickBooks financial application and the point-of-sale solution with the hosting service provider, the core financial data is able to be secured and protected in the virtual environment without risking lost productivity (and lost sales!) due to connectivity failures at the retail locations. The end-of-day process at each location is to then move a copy of the POS data file to the host system, where it would be integrated with the QB financial data. In environments where it is desirable to have the POS systems reading customer and/or inventory data directly from the QuickBooks financial data files, the recommendation is to keep an available copy of the financial data file in the POS network, on the local computers. This copy of the data file provides the point-of-sale systems with necessary customer and product information, and would be copied/updated during the same end-of-day process where POS data is moved up for integration on the host system.

This process is very similar to the way in which a localized system might be utilized, where the POS application runs at the front counter and the accounting application and data run from a back-office system.  In this scenario, many businesses elect to simply log off from the front counter system so that they can launch the POS application from the back-office computer, and then integrate the POS data with the QB financial data on that same computer.  Even in remote network configurations (WAN configuration), this is often a method which delivers better performance and stability than utilizing the remote data sharing service.



Wednesday, June 09, 2010

CRM Solution Gets High Marks from QuickBooks ProAdvisors

Results CRM offers robust features, yet is simple to use for small business users

Results CRM Solutions offer more functionality and features than most CRM solutions oriented for small businesses.  In most cases, a robust solution like this would require lengthy configuration and training efforts in order to make the system useful.  With Results CRM, however, a business can be up and operational within minutes.
 

The solution was recently reviewed through Intuit's ProAdvisor program, and got a rating of 9.75 out of 10!

From the review:
Results is extremely full-featured. Products with this level of functionality often have a complex architecture making them hard to learn and use. With Results, navigation and search functionality are simple and allow you to easily and rapidly access the data you desire.

Monday, May 10, 2010

CPAASP offers offsite hosting option for ACCTivate! users

Alterity recently entered into a partnership with CPAASP, a hosting services provider. This partnership gives users interested in hosting ACCTivate! offsite, the option to host on CPAASP's hosting platform, InsynQ. InsynQ is the only hosting platform that can host both ACCTivate! and QuickBooks®.

If hosting offsite is an option for your business, InsynQ managed application hosting can deliver the flexibility, performance and protection your business deserves. For more information visit CPAASP.com.

Benefits of utility computing technology
One of the easiest and most affordable ways to prevent loss in the event of a disaster is to use utility computing technology to duplicate business assets and processes. Learn how utility computing through application service providers and other methods can put key business assets out of harm's way, in an article from CPAASP.com.

Friday, May 07, 2010

Using a Service to Host QuickBooks and Other Software

Having QuickBooks “hosted” is far different than using the QuickBooks On-line edition.

The QuickBooks Online version does not have the same features and functionality as the Desktop version of QuickBooks, while having QuickBooks “hosted” by a reliable service provider allows you the best of both worlds: anytime, anywhere access to your fully functional QuickBooks Pro, Premier or Enterprise desktop software!

Read more at Sunburst Software Solutions

Wednesday, May 05, 2010

The Changing Landscape of Information Access


Helping Businesses Make Wise Choices

InsynQ, Inc. is one of the founders of the Application Service Provider industry, and clearly recognizes that the rules regarding information security are changing.

Conceptually, cloud computing creates new challenges for information security professionals, because sensitive information may no longer reside on dedicated hardware. Where physical security was once a primary element of data access, virtualized services and remote accessibility have redirected the discussion to more ethereal areas.

How can enterprises protect their most sensitive data in the rapidly-evolving world of shared computing resources? Vulnerabilities have been found in the cloud and software-as-a-service models, raising the question of cloud computing's impact on security and the steps that will be required to protect data in cloud environments. Particularly when it comes to integration of services and data sharing amongst cloud solution providers, who, exactly, is in control?

While the concepts of centralized processing, shared computing resources, and subscription-based services are not at all new, many of the technologies being applied today are new. When we consider the fact that new vulnerabilities are still being discovered in older software and systems, why would we assume that new cloud computing tools and services would be immune?

Cloud computing and software-as-a-service technology models often shelter the user from the realities of the systems (hardware, software, networking, etc.) that comprise the service. Before investing your business in a fully cloud-based solution, make certain that you fully understand your risks and how they might be mitigated.


As Sun Tzu wrote in the Art of War, "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."

Joanie
