BTerrell Group Blog

Super Powers of the Cloud: The Security of Concur’s Cloud

Posted by Info Info on Wed, Jun 11, 2014

by Concur

 

This entry is part 4 of 4 in the series Super Powers of The Cloud. Previous entries can be found here.

Mobile app security is a concern for most app users, especially with the seemingly daily news stories of data breaches striking large companies. And it’s not just large companies being affected. For every security breach story that breaks, many more go untold. Symantec reports that companies with fewer than 250 employees were the focus of 31 percent of all cyber attacks in 2012, up sharply from 18 percent in 2011. 

It’s understandable for app users to feel unsure about the security of mobile apps, especially if these mobile apps require them to input sensitive information. And let’s face it; no one wants to feel vulnerable.

Like superheroes need capes and armor, app developers and app users need to know their environment is secure before they can wholeheartedly focus on doing superhuman work. Security is the platform upon which all productivity and collaborative benefits of apps can spring forward. Without security, all the perceived benefits of mobile apps can quickly become a mirage.

For example, Starbucks recently promised to tighten security on its iOS app because of a multitude of mobile app breaches. Because the app contained security flaws – including a lack of encryption, no password protection, and a clear-text data file that is easily exposed – the convenience benefits can be easily offset by security concerns, rendering the app useless for many users.

Concur’s investment in security

Perhaps a more concerning trend than the number of apps being hacked is the number of companies that don’t seem to care about security.

This certainly is not the case at Concur, where mobile app security is a top priority. The Concur Trust Platform, with PCI Compliance, ISO and SSAE 16 certifications, is combined with data encryption and remote wipe capabilities, ensuring a secure solution for all users. And for those who argue that traditional, paper-based expense tracking is more secure, how is carrying around a stack of receipts and paperwork more secure than a locked, password-protected phone?

Concur’s mobile app security does not allow sensitive credit card data to be stored on the mobile device when transactions are conducted. What this means is that the most sensitive client information (e.g. credit card info) is housed only in Concur’s secure data center, not on the mobile device. Whether clients use Concur’s web-based service or mobile app, they can rest assured their information is safe.

If you’re considering mobile app usage to increase capabilities, productivity and employee satisfaction at your business – but are concerned about mobile app security implications – rest assured that Concur’s top priority has been, and will continue to be, the security of our users.

Expenses affect every part of your company. Learn why more organizations are leveraging Concur’s automated expense tracking solutions to not only address mobile app security, but financial security as a whole. Don’t wait, fix it.

Tags: security, cloud, concur, expense tracking

Creating IT Process Standards

Posted by Info Info on Thu, May 29, 2014

by Chris Karnes

As new employees join the company and other employees leave, do you have processes in place for enabling access for onboarding employees and denying access for exiting employees? Are there multiple logins and systems (Office 365, domain login, phone systems, office printers, etc.) that your new employee needs in their daily functions? Most of us rely on the IT department to do this. But, what happens if you have a single IT employee, and that’s the employee that just left? Do you have the processes documented so that you can disable and/or remove the various user accounts for the former employee and create the new accounts for any incoming employee? Improving and creating processes are critical for completing things efficiently, as well as tightening the security surrounding your business files.

Onboarding a New Employee

Document your processes, and review them periodically so they are updated as your technology changes. Your documentation can be as simple as a Word document with the first page listing what every new user would need. The following pages detail how to set up each account using screenshots and a brief explanation of the requirements. If your business has domain access for networked servers, Office 365 with email, Intacct, Sage CRM, a VoIP phone system, and a multifunction office printer with the ability to email scanned items, each system needs to be set up for everything to work correctly. The scanner won’t email if you don’t set up the Office 365 account since the user won’t have a valid email address, and the employee can’t log into their computer if you haven’t set up their domain access.

With so many logins to set up for one new user, you need a standard for creating usernames. Three of the most commonly used standards are first initial last name, first name last initial, and firstname.lastname. Use the same username standard across as many accounts as possible to avoid having an employee email address of john.smith@xyz.com while his domain login is jsmith@xyz.com. That gets confusing and time consuming, leads to failed logins (which can accidentally lock someone out of their account), and leads to mistakes, such as John giving a prospective client the wrong email address. Software such as Intacct and Sage CRM may be administered by multiple or different people who specialize in that specific software. They must be aware of the company username standards. My personal favorite is firstname.lastname. You occasionally may have two people with similar first and last names, but most of the time there will be a slight difference in spelling between them, for example John Smith and Jon Smith. If two people have the exact same spelling, include a middle initial for the newest employee (jon.z.smith).

Deleting Access for Exiting Employees

You also want to create and document a standard for how to deny access for employees leaving the company. Do you want to disable, delete, archive, forward, or monitor the email account? If that employee had several projects in progress and the departure was sudden, you may not want to delete or disable the account, as any client attempting to email your company would have their email denied. You want to reset the password and either forward the emails to another employee or manager to review, or add that mailbox to an employee’s mailbox until you communicate the new contact to clients. The same goes for the phone extension. You need to document how to forward the extension to another employee’s extension, while taking the physical phone offline. This will help ensure that you do not accidentally drop the ball while transitioning, as you always have someone monitoring any incoming contacts from clients. Then document how to delete or disable the employee’s domain account and remove them from the multifunction office printer.

 

If you don’t know what the processes are, or if they are documented, get with your IT department and ensure these are set up so that those with administrative access can properly handle adding new users and removing former employees. If they are not, make sure to create these processes and document them. 
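The username standard and the exit checks described in this post can be turned into a small audit, shown here as an added example that is not part of the original post. The inventory record layout, the system labels and the function names are assumptions made for illustration, and the sample accounts are constructed.

```python
import re

STANDARD = re.compile(r"^[a-z]+(\.[a-z])?\.[a-z]+$")  # firstname[.m].lastname

def make_username(first, last, middle="", taken=()):
    """Build firstname.lastname; on an exact collision insert the middle initial."""
    clean = lambda s: re.sub(r"[^a-z]", "", s.lower())
    base = f"{clean(first)}.{clean(last)}"
    if base not in taken:
        return base
    if not clean(middle):
        raise ValueError(f"{base} is taken and no middle initial is available")
    alt = f"{clean(first)}.{clean(middle)[0]}.{clean(last)}"
    if alt in taken:
        raise ValueError(f"{alt} is also taken; assign a name by hand")
    return alt

def audit(accounts, departed):
    """Return sorted (system, login, problem) findings for an account inventory."""
    findings = []
    for a in accounts:
        local = a["login"].split("@")[0]
        if a["owner"] in departed:
            if a["system"] == "email":
                # A mailbox may stay up during a handover, but only if someone reads it.
                if a["enabled"] and not a.get("forward_to"):
                    findings.append((a["system"], a["login"], "departed, mailbox unmonitored"))
            elif a["enabled"]:
                findings.append((a["system"], a["login"], "departed, still enabled"))
        elif local != a["owner"] or not STANDARD.match(local):
            findings.append((a["system"], a["login"], "login does not follow standard"))
    return sorted(findings)

# Constructed inventory (hypothetical layout); owner is the employee's standard username.
ACCOUNTS = [
    {"system": "email",   "login": "john.smith@xyz.com", "owner": "john.smith", "enabled": True},
    {"system": "domain",  "login": "jsmith@xyz.com",     "owner": "john.smith", "enabled": True},
    {"system": "email",   "login": "ann.lee@xyz.com",    "owner": "ann.lee", "enabled": True,
     "forward_to": "john.smith@xyz.com"},
    {"system": "domain",  "login": "ann.lee@xyz.com",    "owner": "ann.lee", "enabled": True},
    {"system": "printer", "login": "ann.lee",            "owner": "ann.lee", "enabled": False},
]

if __name__ == "__main__":
    print(make_username("Jon", "Smith", "Zed", taken={"jon.smith"}))
    for finding in audit(ACCOUNTS, departed={"ann.lee"}):
        print(finding)
```

Run against an export of each system's account list, the findings show which logins drifted from the standard and which exited employees still have a live domain login or an unmonitored mailbox.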

Tags: Information Manager, security, IT process

Debunking the Myths of Cloud-based Accounting Solutions: Security

Posted by Keith Karnes on Mon, Jul 01, 2013

Over a period of time, we will address several of the issues or concerns raised about viability of cloud-based accounting (ERP) solutions.

Myth #1: Security is a problem with Cloud ERP

Well, that depends on the vendor and the controls that are in place in the cloud, just like security with an on-premise or hosted solution depends on the safeguards in place locally.

I am not certain whether it can be determined which solution is inherently more secure; rather, the question is what resources are brought to bear on the security issue and how thoroughly they are enforced and practiced.

Here are just a few of the security features that a well-designed cloud-based ERP solution provider has in place:

Application Availability
  • Tier 1 Data Center
  • 7x24x365 monitoring
  • Mirrored RAID storage
  • Standby servers
  • Redundant network components and power supplies
  • Parallel redundant generators
  • Separate Herakles Disaster Recovery backup site

Application and System Integrity
  • Tightly restricted access to production data (physical and virtual)
  • Real-time activity log tracking
  • Data redundancy built on Oracle infrastructure
  • Full daily backups to multiple remote locations
  • Transaction data backed up every 30 minutes
  • Option available to user to restrict user login to acceptable IP ranges

These are only a few of the details of security for a particular cloud vendor, Intacct. The focus here is to show that immense resources are invested specifically in security … certainly more resources than all but the largest Fortune-level enterprises can invest, yet due to the serving of many clients, the resource cost is effectively spread.

As you evaluate the relative security of the cloud versus your local security, be sure to do a thorough, honest evaluation.

More detailed information about Intacct’s Software as a Service: Performance, Availability and Security can be found here.

Tags: security, Intacct, cloud, cloud erp, cloud accounting software

Cloud Computing: Good or Bad?

Posted by Meredith Gooch on Thu, Nov 19, 2009

As cloud computing continues to gain popularity, it is also accompanied by the expected, healthy skepticism. When a firm decides to incorporate cloud computing into its business, it must decide if the cloud computing benefits will outweigh the costs and risks, such as security. A recent report, "Cloud Computing: Benefits, Risks, and Recommendations for Information Security," conducted by the European Network and Information Security Agency (ENISA), points out the advantages and disadvantages of cloud computing and gives advice on how to avoid risks.

 For a condensed version, Click Here

- Chris Firra, Sr. Consultant

Sources:

European Network and Information Security Agency (ENISA). "Cloud Computing: Benefits, Risks, and Recommendations for Information Security." enisa.eu. November 2009. <http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assesment/>

Whitney, Lance. "Report: How Risky is Cloud Computing?" news.cnet.com. November 20, 2009. <http://news.cnet.com/8301-1001_3-10402398-92.html?part=rss&subj=news&tag=2547-1_3-0-20>

Tags: cloud computing, security, advantages, disadvantages, risks, information system

Why You Need to Change Your Passwords Regularly

Posted by Meredith Gooch on Thu, Aug 13, 2009

A recent breach of a local church’s bank account has raised awareness over the proper use of security measures. Having gained illegal access to the church’s bank account using legit security codes and passwords, a hacker was able to withdraw over $170,000 via the Internet. Only $30,000 was recovered from the bank - the remainder of the amount never to be refunded.

Incidents such as these emphasize the importance of reviewing your internal financial procedures at your firm as well as securing your own personal accounts. One precaution a bank has taken involved installing programs that change passwords every 30 seconds. On the less extreme end, you may want to consider implementing a regular process to amend and change your codes and passwords every few weeks. The costs of having a security breach far exceed the costs of regularly changing your passwords. Embezzlement of this sort can lead to further fraud and even identity theft. Other steps you can take include limiting access to bank accounts and seeking advice from your bank and insurance carrier for ideas to keep this from occurring to you.

- Brian Terrell, CPA and Managing Partner

Tags: change password, bank fraud, security