All the ways the cloud can fail you: NetSuite goes down, why you need multifactor authentication, ComplyRight breached, and YouTube bans Hector Garcia

Blake shares his thoughts on the first year of the Accounting & Finance Show LA under new management, then David & Blake discuss the latest accounting news, including: NetSuite's outage this week that prevented many businesses from accessing their ERP for almost a whole day, Google's hardware multi-factor authentication program that has prevented 100% of phishing attacks on its huge workforce, the recent breach of ComplyRight (a large 1099 processor), and why Hector Garcia's popular QuickBooks-focused YouTube channel was suddenly deleted without any warning. (We still don't know).

Transcript:

Blake Oliver: Welcome to The Cloud Accounting Podcast, a show for accountants using technology to make their jobs more strategic, and impactful. I'm Blake Oliver-
 
David Leary: And I'm David Leary. 
 
Blake Oliver: So, David, how was your week? 
 
David Leary: Pretty good. I don't think I did anything. I was watching you on social, though. I think you did something this week, right? You traveled very far?
 
Blake Oliver: Yeah, I traveled very far to downtown LA, which, it's not a trip that you make, unless you have a good reason to go there, from [00:00:30] the San Fernando Valley. I was with FloQast, at the Accounting & Finance Show LA, which was at the Convention Center, downtown, on Wednesday, and Thursday.
 
David Leary: They moved that show, then, cuz I think before, it was always at the Hilton, at the airport.
 
Blake Oliver: Yes, it used to be at the Hilton, at the airport; this time, at the Convention Center. Interesting event. I've never been to a conference where everything was all in one room. All of the keynotes, all of the breakout sessions were all in small areas within the expo hall, [00:01:00] in the different corners of the expo hall. During the keynote, it was fine, because only one person was speaking, but during the breakout sessions it got pretty noisy, because you had people competing, basically, to be heard.
 
What I did like about it was that there was tons of traffic, people going to meet with the vendors, see the booths, because you had to do that in order to get from one place to another. It was kinda nice, too because you could go, and peek in on a session, and just listen for a little [00:01:30] bit, but, if you didn't want the CPE, or you weren't really that interested, you could just walk away. I like the informal nature of it. I like that a lot.
 
David Leary: Did you speak at all, or did you just work with the FloQast booth, and Mike?
 
Blake Oliver: No, no booth duty for me. I was speaking at ... I spoke in the afternoon on the first day, and we talked about best practices for the month-end close - our favorite topic at FloQast, and it was great. We got grouped up ... It was originally a 30-minute presentation, and [00:02:00] because of the CPE requirements, we combined forces with a consultant, named Chris Doxey over on the East Coast. She shared her best practices about process, from her amazing career with big companies and midsize companies. It ended up being really great.
 
David Leary: It sounds awesome. It's interesting, cuz I know that show is in a transition year. I think it's moved from one owner, to a new owner. I think that was the same with the New York City one, as well. From a branding perspective, I think they're coming on strong. [00:02:30] I've definitely noticed that every photo always has that same background, you know-
 
Blake Oliver: The blue background.
 
David Leary: Is it called Accounting Technology NYC, or Accounting Technology LA? Is that ...? 
 
Blake Oliver: Accounting & Finance Show LA; Accounting & Finance Show NY [crosstalk] It's free. We forgot to mention the most important part is that the whole model is that anyone can go for free. It's free CPE. I think that having everything all in one room is what makes that possible, because it's probably very affordable to put it together. I [00:03:00] like it. This is part of a trend, where CPE tends to be going toward free, it seems like.
 
David Leary: Maybe that'll be a whole 'nother topic one of these days. In the meantime, while you're going to conferences, I feel like tons of stuff happened this week. Last week was short, and sweet; we knocked out three new stories like nothing. I feel like there's just a lot of stories that happened this week, so if you want, we can jump in.
 
Blake Oliver: Let's do it.
 
David Leary: First, I guess we'll jump in. NetSuite had an outage this week. I don't know if you saw that.
 
Blake Oliver: Yes. We have a ton of customers on NetSuite, so, we were very, very [00:03:30] aware of that. Over seven hours - all day, for some folks.
 
David Leary: Does this affect even your app? Your app can't communicate to NetSuite, through the APIs? 
 
Blake Oliver: I'm not sure if it affected the API, but, definitely, if you're on FloQast, and you're using NetSuite, you really can't do anything without having your ERP. It's hard to do reconciliations, and whatnot. This is just one of those things that's inevitable, when you're in the cloud, and we just have to accept it as a reality. Ideally, it wouldn't be a whole day, but you're going [00:04:00] to have unexpected downtime. My feeling is that it's just worth it, anyway, even if that happens.

The problem with these outages is that, sometimes, the response by the company isn't the best, and the customers are left in the dark. Unfortunately, NetSuite didn't communicate on social media about what was going on, or what was happening. They didn't even acknowledge that there was an outage until they had fixed it, at like 7:00 or 8:00 p.m. Pacific Time. There [00:04:30] were people on Twitter complaining about this, getting upset. I'd be upset, too, if I didn't know anything. It actually reminds me of when the power went out, here in LA, and LA DWP wasn't telling people when it was gonna come back on.
 
David Leary: I think that's a learning curve, right? I remember we had a really bad summer ... It might've been 2012? Maybe even 2011. Just a bad set of circumstances. We lost the data center in San Diego. We actually had ... A mistake [00:05:00] was made in the data center. Something got shut off. Then, literally two weeks later, a car crashed in some power inverter, in San Diego, and knocked the data center out again. I don't think we were really - as a company, Intuit - was really good at communicating outages.
 
Blake Oliver: Yeah. 
 
David Leary: You're right, it's a learning curve, where you have to be open, and transparent, and explain, "Hey, here's what's happened. Things are down. You're not crazy. Something is not working, and we're working on it to get it fixed," and build that confidence back up. Plus, it helped ... It forced [00:05:30] us to become multi-redundancy, and obviously, we talked about it last week, which is last week's news, right? Which is [inaudible] moved to Amazon, etc. 
 
Blake Oliver: Yep, and I think this is a lesson for not just developers of software, but it's common sense for anyone, if you're a CPA in private practice, or, I should say public practice. You go on vacation, you wanna make sure that you let everyone know that you're not gonna be responding to their emails immediately, or if you're all day at a conference, put up that away message. 
 
Just be in communication, when you're [00:06:00] not available, or you're not able to get work done. It makes people a lot more comfortable. Definitely don't ... There was kind of a funny thing that happened on their Twitter, which is that the same day that they had the outage, the NetSuite team ... Maybe they had pre-scheduled this tweet. They tweeted out a story called "Four Common Causes of a Sluggish eCommerce Website." You know your site is sluggish, but what's slowing it down? Here are some common triggers. To do that on [00:06:30] the same day that you're having an outage ... Some of the replies to that were kind of both frustrating, and funny, in retrospect.
 
David Leary: Yeah, and I think that's the lesson to be learned of pre-scheduled social-media tweets. They very quickly can be out of context. Some major event in the world happens, and you look like a fool. 
 
Blake Oliver: Yeah, turn those off, when something happens. Enough about outages. Let's talk about some fun news in the cloud-accounting world.
 
David Leary: I don't have anything fun this week, so hopefully, you do. 
 
Blake Oliver: You don't have [00:07:00] anything fun this week?
 
David Leary: No, actually ... Actually, there's one thing that's impressive, but nothing's fun. 
 
Blake Oliver: Well, okay, let's go to impressive, then.
 
David Leary: Something that was kind of impressive this week, Google announced ... Everybody knows about security, and phishing, and we've talked about different security breaches that have happened in the past, on this show, before. Google, the last 18 months or so, has been using hardware-based YubiKeys for [00:07:30] their employees, and they have not had one of their 85,000 employees have not been phished ... Their password has not been phished, since they started using these hardware-based keys. I thought that was just really, really, really kind of an amazing thing that ... All the Google employees, nobody got successfully phished.
 
Blake Oliver: For those who aren't familiar, what is a YubiKey?
 
David Leary: A YubiKey ... Coincidentally, if people want, we'll put the link in. I happen to have somebody ... We did YubiKeys 101 on the Developer [00:08:00] Hangout, earlier today, about two hours ago. I'll get the link to you, so we can stick that in for the YouTube video. Essentially, it's a next level of hardware authentication. You think a site with just a password is a low level of authentication; then, if you want to have a site where you sign in, and then it sends you the text, that two-factor authentication? This is kind of like another third level of authentication, where you have to have a physical [00:08:30] key. Like I said earlier, I kinda used the analogy, it won't stop your corrupt uncle, who's in your house, from possibly getting a hold of your key, and signing into a website, but it'll stop people 5,000 miles away, on the other side of the planet, from getting in, because they don't have this physical ... It's literally a physical key you put on your key chain.
 
Blake Oliver: It plugs into your USB drive.
 
David Leary: Oh, yeah, sorry. Yes, that's true. I forgot to ... It actually touches your computer.
 
Blake Oliver: Yeah, you don't turn it in a lock. It basically looks like a little USB drive, and [00:09:00] you plug it in, and it allows you to log into those websites. The thing that ... I was on the Hangout, this morning. The stat that astounded me was that 81 percent of security breaches occur because of weak, or compromised passwords. Multifactor almost completely mitigates that problem. You still need to be using strong passwords, don't get me wrong, but if you have a weak password, a hacker cannot get in just by guessing your password. They also have to have that key that you physically possess.
 
David Leary: That's [00:09:30] what happened with Podesta, in the whole Hillary Clinton emails, and all that stuff. He got phished.
 
Blake Oliver: Yep. 
 
David Leary: It's world-history changing, getting phished. That's why I say it's amazing, the fact that nobody was successfully phished, as testament to this next layer of security that ... The reason I reached out ... Actually, before I even saw this news, I was already reaching out to YubiKey, because I know we talked about the Deloitte stuff, and Deloitte's forcing people to have a two-factor authentication on any apps that work with ... Any companies [00:10:00] that work with Deloitte, or they're making them use their active-directory-type stuff, or SAML. My opinion is for accountants, and small businesses, this is next. You're gonna have to start getting to this next layer of security to protect yourselves. Then, just coincidentally, I had this thing [inaudible] Friday, and then this story broke, this week, which is really amazing.
 
Blake Oliver: For everyone listening, the big takeaway is if you are managing an accounting team, make sure that your team is using multi-factor [00:10:30] authentication to log into all of your business-critical applications - email, your ERP, all that good stuff. You can do it with a key, a physical device like a YubiKey, or you can also do it with an authenticator app. There are different apps you can have your team download on their phone, like Google Authenticator, LastPass Authenticator, 1Password has one. What that app does is it generates a random code that's synced up with your log-in. In order to log in, you need your password, and you need [00:11:00] the code that is currently displayed on your phone. The phone becomes the key. The takeaway: use multi-factor. Do not expose yourself to this huge risk of security breaches.
 
David Leary: I think even two-factor, with the testing, it's always ... Nothing is perfect, right? Somebody could always try to break in. No second factor is not great, but if you have second factor, that's great, but then, if you could do a hardware key, or you said an authenticator app, that's another layer. It's something to think about. Especially [00:11:30] for accountants, and bookkeepers, and people that are probably listening to this show, you're not protecting your Spotify account, here. You have your clients' data, and you have to take this extra level of security seriously.
 
Blake Oliver: Yep, definitely.
 
David Leary: I don't know ... Let's hold off on your fun thing, because ... Let's just move on to another article, which is completely security related. ComplyRight, I think many people may have used them for their W-2s, and 1099 processing. One of the parts, I [00:12:00] think that's a little ... Their more in-market brand is efile4Biz.com. I think a lotta people are familiar with that as their brand. I know they're on all the app marketplaces. They're on AppStore.com. They're an app that integrates with software, but they apparently were compromised, and had a breach. That's an article that we hit in there. Obviously, there's a lot of analysis here, but I don't know how much we can, and can't speak to it, because I'm definitely [00:12:30] not an expert on that level of the what the breach is, but I think it's a perfect example of somebody, somewhere, probably did not have the most secure passwords on their stuff.
 
Blake Oliver: Yeah, I'm not totally familiar with what the issue was, here. It sounds like they had ... Their website got compromised, and so the information that companies, or accountants were entering into this website, with Social Security numbers, addresses, amounts [00:13:00] for 1099 processing, those got ... That got hacked. It doesn't matter that their database was secure. It's the website interface was not secure. I think the lesson here is that it's important to carefully select, and choose your vendors, and make sure that they have some sort of security audit going on, that they're using the latest methods of protecting their website, and their application, because, in this case, it's a lot of critical information - Social [00:13:30] Security numbers, addresses - that people can use to file fraudulent tax returns, or steal your identity.
 
If you don't already have a credit lock on your account, chances are most people in this country, at this point, have had their Social Security number stolen. It's kind of crazy that this has happened, but there have been so many security breaches, recently, it's likely that you, the listener, you have your Social Security number out there, somewhere. I, personally, after one of the latest data breaches, I went, and I put my credit files on freeze at [00:14:00] all of the major credit bureaus. I have to opt in to unfreeze it, so that I can get a loan, or whatnot. Two perks to that, or two benefits to that. First of all, it's harder for me to actually go open a line of credit, because I have to do something, so I'm less likely to go just open random cards, which is good. Second, is that somebody who has my information, even if they have it, they can't go open up a credit card. They can't go buy something, and get credit, using my information.
 
David Leary: There might be another implication here for accountants, and bookkeepers, because I [00:14:30] think what happened is ComplyRight started informing people of the breach, but nobody knew who the hell ComplyRight was. If my accountant, or bookkeeper filed my 1099 with ComplyRight, I don't know. I have no clue. If I get a letter from ComplyRight, stating that there was a breach, and my data was exposed, my first question is, "Who are you, and why'd you have my data?" 
 
Blake Oliver: Oh, yeah. 
 
David Leary: There might have to be where ... I think maybe accountants, and bookkeepers might have to start thinking about a policy of really disclosing, when you are using these other apps, who might have [00:15:00] their data, because people did ... I think I saw that people didn't know who this company was, when they started getting notified of the breach.
 
Blake Oliver: Right, yeah, that's the complexity is that somebody - your accountant, your controller, a company that you work for as a contractor - used ComplyRight to file your 1099 or send you your 1099. You have no connection to ComplyRight, but your data has been breached, and they have notified you, and you have no idea why you're getting notified now. I'm [00:15:30] curious if any of the accountants who have used ComplyRight could face potential liability.
 
David Leary: So far, it's been very quiet in our space. I think I saw one Facebook post about this. I'm actually surprised about it, because-
 
Blake Oliver: Maybe it's just a sign that it's gotten so common, right? We've accepted that security breaches happen, and nobody cares anymore. We should probably just title this episode The Security Episode, because it's been about-
 
David Leary: Complacency wins. 
 
Blake Oliver: Yeah, it's been [00:16:00] about security breaches, and websites going down - All the Ways that the Cloud can Fail You, today, on The Cloud Accounting Podcast.
 
David Leary: I don't know if you want me to keep going, or if you want to jump into your fun [inaudible] thing? We can- 
 
Blake Oliver: I'm just so depressed now. I think I'm just gonna go, and maybe start my weekend early.
 
David Leary: All right, here's something else that's down. Let's just continue on.
 
Blake Oliver: Yeah, let's keep going down.
 
David Leary: Everybody knows [00:16:30] about Hector Garcia. If you don't know who Hector Garcia ... I'd bet money that you've probably watched one of his QuickBooks YouTube videos. They've had 3.3 million views, 500-plus YouTube videos. Apparently, this morning, his whole channel just got taken off of YouTube. No warning, no nothing.
 
Blake Oliver: What, like you go to the channel, it's not there?
 
David Leary: Yeah, like, "This channel does not exist."
 
Blake Oliver: Wow. 
 
David Leary: Since 2012, I think, he posted his first YouTube video. He does two to three a week. A) some of it's his business model. He uses those YouTube [00:17:00] videos, in a way, to get new clients for his accounting firm. Not only that, tons of other accountants that are out there use his videos to send to a client. Like, "How do you handle a bounced check in QuickBooks?" Hector has a video on that, and they might send that to their client to handle the bounced check in QuickBooks correctly. This has a huge ripple effect, I think, in our space, beyond the fact that, okay, they just pull somebody down for no reason, but the fact that who they pulled down, and the volume [00:17:30] of those videos, and how many people used those as a resource is a huge ripple effect, and impact. 
 
Blake Oliver: Let's be clear, here. Hector is saying that they did not give him a reason for this.
 
David Leary: No phone call, no warning, no indication that this was going to happen. It just got pulled down. Apparently, it was 'breached community guidelines,' or ... I forget the term he used.
 
Blake Oliver: It was some sort of generic ... They gave him some sort of generic notice about breaching community guidelines, but they didn't say exactly what it was. He can't actually get somebody on the phone, so he had to fill out a form, [00:18:00] and it looks like it's gonna take him two to four weeks, if they'll even get him back online. I think this brings up a great point, and tie this back to all the stuff going on with Facebook, right now, with these tech monopolies that are starting to develop - really, they already exist ... How can we protect ourselves, when so much of our business is all in these platforms? If they go down, then [00:18:30] we're done. Hector's business ... He might be out of business forever, if they don't put him back on YouTube. Would he go build all those YouTube videos up again? Probably not. Same thing with the NetSuite outage, we gotta figure out, if we're gonna leverage the power of the cloud, how do we protect ourselves?
 
David Leary: I think there's that redundancy thing. I think I saw, even, somebody that was ... Somebody got hacked on Instagram. I think it was a friend of my wife's. She [00:19:00] made a really drastic post about it, like how it's the end of the world. I think there's gotta be a perspective on these types of things. Hector, this is his business, and he got ... All his eggs were in one basket, to some extent. Now, videos got taken down, and that's gotta be crazy scary. Then, other things that maybe aren't as important, but even still, people are putting all their eggs in one basket, so then, if something happens, that's it. You're right, they're all ... These cloud companies, they're all on these things ... Even our email, and things like that ... People can spin up their own email servers. You [00:19:30] can spin up your own website to put your photos on. You don't have to depend on these platforms.
 
Blake Oliver: Here's an idea, as a way that ... Without doing a lot of work, because spinning up your own email server, that's a lotta work. Here's an idea, if you want to sort of create some redundancy in your cloud, you could ... Every time you get an email that has important information that you're gonna save, forward that to another service; forward that into Evernote. That's what I do. I have all my critical emails in Evernote, with [00:20:00] information that I really need. Another example is if you're uploading videos to YouTube, and you don't wanna be stuck with YouTube, and dependent on them, is also upload them to Vimeo, or another site, or your own site. Save them somewhere accessible, where if you get banned for some reason, you have another option.
 
David Leary: Well, I think even with this podcast, I think I have it ... It automatically gets saved to Dropbox, as we're recording it, but then, I copy them to my OneDrive, as well. Then, you upload them to [00:20:30] the internet, right? 
 
Blake Oliver: Yeah. 
 
David Leary: Then you have a copy. You definitely want some sort of redundancy, especially for something that's super mission critical.
 
Blake Oliver: Another great example is if you're a CPA, or a CFO, and you're on your own. You're a consultant. You've got your own firm. Don't rely on channels like LinkedIn, and Facebook for all of your marketing; have your own website, where you own the domain, and you own the hosting, so that that's not gonna go down. That's the place [00:21:00] where you put everything, and you syndicate it out onto social media, onto these big tech companies that could arbitrarily ban you for any reason. That way, yeah, it still hurts, if you get taken down from Facebook, for whatever reason, some arbitrary reason, but you've got your own website still there, and that's the primary place where you direct people.
 
David Leary: To summarize, you're saying create your own content, host your own content, keep your content under your control, and then propagate it out to these other sites. If one of these [00:21:30] sites has a hiccup, they go outta business, they don't exist anymore, your content still exists, and you just have it also existing on seven other places.
 
Blake Oliver: Yes. I would say that, in terms of accounting software, like ERP software, QuickBooks, whatever, is make it part of your month-end-close process, where you are exporting your key data every month into a format that you can back up, and save, and have accessible, in case you need it - at least on a yearly basis, which is what I do. I export my general [00:22:00] ledger for my own personal accounting, and tax information into Google drive, every year. That way, if I lose my account, I'm good.
 
David Leary: That's an interesting strategy, and I remember back in the tech-support days, with QuickBooks for Windows ... This is going way back for me. Before you were born, Blake, maybe? I don't know. I remember we'd tell that to customers, like, "Get yourself a notebook. At the end of every month, you make a back-up to [00:22:30] the 3-1/2-inch floppies; you put 'em in that notebook. You print out your profit-loss, you print out your balance sheet, and you put that in there for that month. Then, you do the same next month, so you have this always aged back-up, if worst-case-scenario things happen. You keep that notebook somewhere else." If there's a fire, some worst-case scenario, at least you can go back 30 days, and if those discs are bad, or something went wrong, you can go back to 30 days before that.
 
Blake Oliver: Yeah. 
 
David Leary: You're doing that same model; you're just doing it in a more modern way.
 
Blake Oliver: Yeah, that's a great point. We've been backing up forever. Ever [00:23:00] since the invention of the personal computer, people have advised that you back up your data off your hard drive, onto some other media. We were doing it on floppies; we were doing it on rewritable CDs. Then, we got in the cloud, and suddenly people thought, "Oh, we don't need to back-up anymore." Not true. You definitely need to have an emergency back-up, and you need to figure out when it's good to do that, have redundant systems. 
 
Let's say your online store goes out; you're on Shopify, or something, and it goes out. Do you have [00:23:30] a way that you could still fill orders, if you had to, for a day or two? What if your point-of-sale goes down in your store? Do you have an emergency way to charge customers? Have a back-up credit-card terminal. If you are not using Square, let's say you're using some other merchant service, have a Square, one of those things you plug into your phone, so that you could charge customers in the event of an emergency.
 
David Leary: Yeah, that's a good point, I think, is how do you ... Not having all your eggs in one basket. You might have to have a back-up [00:24:00] merchant-service account, or at least think about it. This is something optional, yes, for you accountants out there. Have you worked with your clients on a disaster-recovery-type situation? [crosstalk] If they're retail, and their point-of-sale goes down, or they can't do ... Their internet goes down, how do they make money? How do they charge customers? They don't want you to put a sign up that's closed. Yeah, this is a good exercise I think accountants could do with their clients, for sure.
 
Blake Oliver: It's a great consulting opportunity. Definitely come up with some sort of service offering around that. [00:24:30] If you're not in public accounting; let's say you're in corporate, this exercise still applies to you. You need to make sure that your systems are redundant, in some capacity. Actually, that's one of the benefits of cloud storage that I recommend to people, using Box, or Dropbox, for instance, is that you can sync those files to your local hard drive. If those services go out for a day or two, you still can [00:25:00] work on the local files, and then they sync back, when it comes back online. We just had that question at the show, and I think that's a great benefit.
 
David Leary: Yeah, I definitely sync my stuff to my local hard drive, 100 percent. Everything's in both spots, for sure. I do have another article, but I wanna, so we can actually have enough time to talk about it, correctly ... I'll just preview it for next week. There's an interesting article from Accounting Today about a career path is longer for women in accounting. I want for us to take definite time to talk about it properly, and not rush through it, so let's hold that one off til next week. [00:25:30] If you want to jump out ... You said you finally have something fun? Let's just do yours now. I'm done being a Debbie Downer here this week. 
 
Blake Oliver: Oh, no, I actually forgot what that was, so ... This was all security. This was all the challenges of the cloud, but how you can protect yourself. Let's leave it at that, this week.
 
David Leary: You promised me this fun thing, and that's it? You're just leaving the listeners hanging? 
 
Blake Oliver: I blame you. David, it's your fault. You did too much serious [00:26:00] stuff this week.
 
David Leary: I guess people'll have to subscribe, so they don't miss next week. If anybody wants to get a hold of us, what's the best way to get a hold of you? 
 
Blake Oliver: Tweet at me. I'm @BlakeTOliver or connect with me on LinkedIn.
 
David Leary: Okay, or you can tweet at me. I'm @DavidLeary. Please subscribe, so you don't miss next week, because obviously, Blake is gonna find this missing link that's so fun that he promised us a half hour ago that we'd have, and we'll go from there.
 
Blake Oliver: Thanks, everyone. Look forward to talking to you again, David, next week. [00:26:30]
 
David Leary: Awesome. Later, Blake. Bye, everybody.
 
Blake Oliver: Bye. 
 

Copyright (c) 2019 Blake Oliver