In this riveting episode of the Count Me In Podcast, we dive into the complex world of cybersecurity within the accounting profession. Join us as we sit down with Tom Woolley, CEO of Today CFO and Founder of  Today Cybersecurity, who has navigated the transitions from corporate industry to founding his own cloud accounting firm, and then into cybersecurity for accountants. Discover the biggest challenges faced by organizations today, from integration headaches to the buffet of software solutions. Whether you are a Fortune 100 company or a mom-and-pop shop, you'll gain insights into striking the right balance with technology to ensure information security. With regulations tightening, get ahead of the curve with expert advice and real-world solutions. Don't miss out on this episode – tune in now!

Connect with Tom:
* Website: www.todaycybersecurity.com
* Tom's LinkedIn: https://www.linkedin.com/in/tom-w-2b6256173/
* Facebook: https://www.facebook.com/todaycyber
* Twitter: https://twitter.com/todaycyber_
* Instagram: https://www.instagram.com/todaycybersecurity/
* LinkedIn: https://www.linkedin.com/company/today-cybersecurity/

Full Episode Transcript:
Adam:    Welcome to another enlightening episode of Count Me In. Today we have an exceptionally exciting conversation lined up for you. Our guest today is my fellow podcaster, and an author on Amazon's bestseller list, Tom Wooley. He has expertise in corporate accounting. Spanning sectors like pharmaceuticals, oil, and gas, and now he's making waves in the realm of cybersecurity. 

 

From big corporations to small businesses, the tech landscape is ever-changing, and Tom's insights are here to guide us through it. We'll discuss;

 

Buckle up, as we explore how technology is shaping the future of accounting. Tom, welcome to the show.

 

Adam:            To start off, I just really wanted to, maybe, you can talk a little bit about your background and how you got here.

 

Tom:               Hi, Adam, thanks so much. It's a pleasure to be here. So I've been an accountant for 15 years, in the corporate industry before starting my own firm. I started off in pharmaceuticals, and then went to oil and gas in more of the financial analysis role and a lot of management accountancy. One of the things I used to do a lot of was whenever we would acquire a new company, we had to look at their financial systems. What they had in place, and then integrate them into our SAP financial system. All their historicals, and then get them trained, up and running for the future.

 

So I got a lot of experience, and had a lot of fun working in accounting technology in my corporate career. And then decided that, "Hey, there's a lot of technology to be brought or to be moved over and implemented in the small business accounting world as well. Smaller firms need just as much tech, if not more, sometimes, than the big guys. And with the way the technology world is moving, especially, with everything going over to the cloud.

 

I decided to start my own cloud accounting firm, back in 2015. And, then, when everybody started going remote, in 2020, I decided that was a good time to pivot again and go into cybersecurity, for accountants. And help other people tackle some of those issues that we saw as we transitioned to a lot of people working from home, remote, and just coping with a very wild and flexible world, over the last couple of years.

 

Adam:            Yes, it's been a very wild and flexible world. There's been so many things happening with everybody working from home, and all the challenges that organizations face. And cybersecurity is something that's in the news every day. You see ransomware attacks, and so many different things that's affecting so many organizations. 

Maybe we can start by talking a little bit about what are some of the biggest challenges you see organizations facing, when it comes to cybersecurity.

 

Tom:               Absolutely, there are a couple of things that really hit home. It's how to keep everybody working in a fluid environment. Where you can access all of your information securely. How can you find your clients' information securely? How can you receive it from them securely? We work in a time where we've got so many different communication channels. We have to actually tell our clients what is a safe and good way to get your information over to us. 

 

And when we started transitioning from working in the office to working from home, the biggest challenge that we faced, and that other accountants are facing is–how do you go mobile with all of that? How do you keep it in the cloud and know that it's secure? And, really, importantly, how do we instill that trust relationship with our clients. So that they know that their information is in good hands? And we started looking at so many different software out there. 

 

The second challenge is with a huge buffet of cloud software. Which one goes with which? How does it integrate? And it really came down to what does the process look like, for internally and externally with our clients? And that's what we hear a lot; is which software should I use? 

 

How do I implement it? 

 

There are some all-in-ones out there. Should I piecemeal, together, best in class? And there are just so many solutions. Accountants don't have time for that, especially, during tax season, which has been basically year-round for the last couple of years.

 

Adam:            Yes, I can only imagine. And also the biggest challenge, too, is if you're a Fortune 100 company, you have a lot more financial ability to get a larger software. A big all-in-one software. But if you're a smaller organization, or a Mom-and-pop shop, it's a lot harder to implement those bigger softwares. And, so, trying to find that challenge; how do you balance that depending on which organization you're with?

 

Tom:               Yes, that's a great question. There are smaller softwares like QuickBooks Online and Dropbox, that people, typically, use when they're starting off. All the way up to SAP or NetSuite when they're the Fortune 100. So it really comes down to what is the budget and how customizable does it need to be.

 

Something like NetSuite requires not just getting the software, but hundreds or thousands of hours of customization, and implementation, and training. And what we really want to go for is finding out how the firm is interacting internally, and with their clients. Do they really need something that's super integrated and very expensive? Or can we put together those best practices to make something like OneDrive, Windows, QuickBooks Online, or QuickBooks Desktop, in a hosted environment, work in the same effectiveness as those bigger softwares?

 

Adam:            Yes, there are so many different factors. You almost need a team of people to understand what your organization is doing. 

What your challenges are, and how you're going to be interacting with the different things to know what, if I'm understanding you correct, it's to know what software works best for you.

 

Tom:               Right, I mean, that's the best way to go about it. And that's what I recommend is putting together a committee. Somebody that represents from each department, what their needs are when it comes to implementing a security software, and how they are moving information on a daily basis. One solution for marketing may not be a winning solution for accountants, who are trying to move PDFs every day back and forth to their clients. 

 

So, yes, representing in that committee is a great way to go about seeing what the use case is, what the needs are. And, then, finding the right software solution in, like I said, that sea of what is out there and what they're all capable of.

 

Adam:            Mh-hmm, and then once you actually find a solution. You still need to tap into that committee to say, "Hey, is this actually meeting your needs and is it working right?"

 

Tom:               Absolutely. It's an ongoing commitment to working with those groups, and making sure that implementation goes according to plan. And things change along the way, sometimes, too. So that really helps give a sounding board for, "Hey, this isn't working the way we need it to." Or, "Yes, we're getting good feedback from the rest of the people in the department." And, hopefully, a few trial clients that have opted in to participate, too.

 

Adam:            Yes, because you need, actually, that real-world experience, to see if it's actually working, of course.

 

Tom:               Exactly.

 

Adam:            I think one of the biggest challenges, when it comes to the accounting and finance team, is that working with other parts of the organization can be difficult. Whether it's working with the marketing department, making sure things are meshing together. 

 

How have you, maybe, helped organizations that you worked with, and you're helping them choose files or choose software to use? Have you found that as a challenge, when you're trying to help implement things that they have trouble working with other departments? Or are they coming together, since we're all kind of breaking down those walls, since we're all remote in a lot of ways, too?

 

Tom:               I think it's going a lot more granular than that these days. I would have said, six to seven years ago, an all-in-one integration, everybody using the same platform is the way to go. But what we're really seeing is that there are departments out there that really want to work within their specialties. I mean, marketing, wants to work in Salesforce. 

 

Adam:            Of course.

 

Tom:               The accounting department is not going to want to work in Salesforce, it's not the right place for them. So, really, cybersecurity has become top of mind and top of conversation so much, because as we're trying to move into best in class solutions for different departments and scenarios. Moving that data, safely, has become a real concern. If everybody is working in NetSuite or SAP, or something fully integrated, you don't have to worry about it as much. But when we're looking for the best solution to help people do their jobs, in a rapidly changing, very competitive environment. We want to give them the best software that they can get their hands on, than what they're used to using. 

 

And, so, that's when the technology industry has to step in, and find a way to make that work where it's still secure for everybody. Where they can work from home on their laptop, if they need to. They can have that exact same functionality at their desktop in the office. Where they've got the printers, and the scanners, and the other things that we need to do our jobs, and phone systems, even, too. 

 

A lot of people don't think about the vulnerability on the phone systems. But I want to make calls from my house just as easily as I'm doing it from the office. And I don't want the clients to know if they've got to try me at the office or try me at home. So everything's got to be flexible, and it's got to be seamless internally and externally.

 

Adam:            Yes, and that's not an easy task to do for any organization. Whether you have a one-and-done system or you're piecemealing everything together. It's quite the challenge for any organization. And as I'm thinking about of all this, I know that there's a lot of rules and regulations throughout the government. I know the U.S. government; we had talked about the FTC Safeguard Rule. Maybe we can touch on how that's affecting people's decisions, as they're going down the line.

 

Tom:               Yes, so the U.S. government is really moving in that direction and solidifying a lot of these rules/regulations. To address what has become insurance company concerns, client concerns, and concerns voiced by the Big Four, about how people's data is being secured and moving around. And a lot of large companies have had security challenges, recently, like Deloitte. Where their best efforts are going forward to protecting their clients, and it's a big investment both in time and financially. 

 

So the government's really moving with these FTC Safeguards Rules. The IRS already has the Gramm-Leach-Bliley Act that has been in place for a while now. So we're looking at, both, the enforcement of already existing rules, that are starting to clamp down. And then we're looking at the FTC Safeguard Rule, that was supposed to be implemented already, but they pushed it back. And these rules apply to businesses of all sizes, which is the really important factor here. 

 

Because in the past, a one to two-person CPA shop may not have to worry about a lot of these regulations and the costs that go along with them. But now it's everybody from that one-person show, all the way up to the Fortune 100, like you were saying. So the government is really stepping in and emphasizing how important it is, for people's information to be secure. What they call personally identifiable information.

 

Adam:            Okay, so what does that look like for your accounting Mom-and-pop shop, whether they're a fractional CFO office, or they're an internal accounting team. What does that look like for them, as they're trying to adhere to these new regulations?

Tom:               Yes, it's a challenge because a cybersecurity person is not cheap, from a financial standpoint, it is an investment to go out and get somebody. Somebody that, right now, the demand is already really high for. Salaries are going anywhere between 120 and 160, if you can even find somebody. 

 

Adam:            Wow. 

 

Tom:               Anyone, right now, looking at staffing an accounting firm, is very familiar with how difficult it is to get good people. And we're looking at that same thing, right now, in the IT industry, especially, with cybersecurity, because the demand is just so high. So outsourcing is really their only solution right now. Because it's not as easy as a virus scanner or malware, where you can just toss it on the computer and leave it there. 

 

The FTC safeguards goes above and beyond; into employee training, active threat hunting, and putting Written Information, Security Policy, what they call a WISP, in place. So, for smaller companies, it's a big time and training burden, that really is slipping in there, commitment-wise, with your continuing education every year.

 

Adam:            Mhm, and, so, that's an added burden because as accountants we, like IMA has the CMA certification, if you're a CPA. Everybody knows, if you're in this industry, you need to keep your continuing education credits up. And now, all of a sudden, accountants have to be at least versed in, when it comes to cybersecurity, they need to learn technology. Some people are saying, "Oh, you need to do data analytics."

 

Like, "Oh, you need to have data scientists." There are all these different things that accountants have to do. How can they stay up to date with these things? Obviously, outsourcing that, but what level of understanding do accountants need to have, in order to be at their best to do this? Obviously, they won't be able to be a cybersecurity expert. But what level do you think they need to be at, to best support their organization?

 

Tom:               Yes, I think specialty training is the way to go with this. It's something that we can do on a one to two-day basis, a couple of times. I like to do it with my clients quarterly. Just to let them know what the new ransomware attacks we are looking at, if we've got any vulnerabilities, and it helps us build what we call a cybersecurity culture.

 

Where we're talking about not just training in a one-and-done fashion, but building that mentality, like you were talking about, with y'all skills programs. Where internally we're focusing on ongoing education. Watching for those red flags, in case our computer is doing something weird or we're getting any emails that are suspicious. So these smaller continuing education-type courses, are really the way to go with stuff like that.

 

Adam:            That makes sense, and it seems like, as organizations, we need to keep training our people. To make sure, "Hey, this is what you look for." I know our organization does a yearly cybersecurity training. Where it's like, "Hey, a reminder, look out for these things, look out for those things. If you get an email from the CEO saying, 'Hey, what's our routing account number and account number for our bank account, again?'" Don't do it.

Tom:               Right. The real popular one right now, is a text message or an email from an executive level or someone's supervisor saying, "Hey, I'm in a meeting, I need you to get me iTunes gift cards or some other gift cards for the people here in the meeting, as a marketing. Go get them right now." And it sounds silly right now, but it's happening. I mean, people are falling victim to that every day, it's crazy because it's a numbers game. So you just got to find somebody in the right place, at the right time.

 

Adam:            For sure. And, so, we've talked a lot about organizations, and training, and stuff like that. What can we do personally, on a personal level? Everybody has their own personal accounts. Are there things we all should be looking out for, and being aware of just to protect our own data? Just the other day, I logged into an organization, I forget what institution I logged into. And it was like, "Oh, by the way, we were hacked, but none of your account information has gone out. But your name and email address might be on a list somewhere." And I'm like, "Should I be worried?"

 

Tom:               I'm really glad you asked. Because identity theft is really where a lot of this goes, and I think about it all the time. And I can tell you, personally, I recommend when your computer at home and any other personal device that you've got, always do their most recent updates. A lot of people will hit Not Now, Update Later. But I promise you, they don't make you download and reboot unless it's something pretty critical. 

 

So always do your updates, and don't give anything out over email that you wouldn't tell somebody that they could hold for later. So don't ever send your personal information via email, even if it's in a password-protected PDF, those are not secure. You really want to have it sent through either voice or an encrypted uploader, whenever you're moving that kind of stuff around. 

 

And the other thing is, always keep your virus scanner and your malware scanner updated. A lot of people don't, or they turn it off out of convenience. And, then, the number one thing that I will end on, that everyone is going to hate because even I don't like it. But it really works, is the multi-factor authentication.

 

Adam:            Yes.

 

Tom:               The dreaded—Please send me a text message code or pull the code out of your email, or these authenticator apps that we use, I use Google's, it works really well. It works. I cannot tell you how many times I've gotten a random code in my email, going, "I don't know what that was for or who requested it, but I'm glad it is there."

 

Adam:            Exactly.

 

Tom:               Because even that little one, even if it takes you two minutes, to use the multi-factor authentication. I can promise you it is way better than having to cancel all of your credit cards, file a police report, undo any kind of identity theft. Because it is not a friendly process when we have to go through that. It's very invasive and it is not fun.

 

Adam:            Yes, that doesn't sound like fun at all. And, I agree, multi-factor authentication is annoying, but I think it's very essential. Microsoft has an app, too, I use theirs. But anytime I can set it up, I try to turn it on because I've gotten the same thing that you've gotten. Where I've gotten a text message and I'm like, "Well, I didn't try to log in there." 

                        So I quickly go and change my password and go update those things. And I think it's important to be vigilant about your own personal things, and the more vigilant we are about our personal, it'll help us understand how vigilant we need to be at a corporate level, as well.

 

Tom:               Yes, that's one of my advantages, of going from owning an accounting firm to owning a cybersecurity firm, that works with accountants, is I know the pushback, personally, that I'm going to get from my team when I implement stuff. So when we look at implementing any cybersecurity, we look at; is it necessary and effective enough to warrant the frustration it's going to cause for our employees. And can we make it work as well and seamlessly as possible? 

 

Because I know, from personal experience, if it doesn't work or if it's too complicated, people are going to bypass it. And, so, you might as well not have frustrated them with it at all. And I don't lie to people and say that multi-factor is not a big deal, "It's no problem, just put it in there." It's a pain.

 

People don't like it. There's a lot of pushback with employees and executives, whenever we go to implement this. And I always drink my own Kool-Aid, so I know I don't tell anybody, "This is going to be completely frustration free." I tell them, "It's absolutely necessary, but it's only the level of necessary that we need to stay safe."

 

Adam:            Yes, sometimes, inconveniences help us stay safe, and I think it's balancing that. And I like what you said, is it worth the people's headache to help us keep us safe and trying to balance that, especially, in making those choices as an organization.

 

Tom:               Exactly.

 

Adam:            Yes. Well, Tom, it's been really great talking with you, getting to know you, and I really appreciate the expertise that you share with our audience, today. I know that they're going to find it beneficial as they're going on their journey, and their organization, and personally as well.

 

Adam:            Thanks, Adam, the pleasure has been all mine. I hope your audience and your listeners, really, get something out of this. I hope it was helpful.

 

Announcer:    This has been Count Me In, IMA's podcast, providing you with the latest perspectives of thought leaders from the accounting and finance profession. If you like what you heard and you'd like to be counted in, for more relevant accounting and finance education, visit IMA's website at www.imanet.org.