Ep. 230: Tom Woolley - Connecting the Dots: Technology, Security, and the Future of Accounting
< Intro >
– Welcome to another enlightening episode of Count Me In.
Today we have an exceptionally
exciting conversation lined up for you.
Our guest today is my fellow podcaster,
and an author on Amazon's
bestseller list, Tom Woolley.
He has expertise in corporate accounting,
spanning sectors like
pharmaceuticals, oil and gas,
and now he's making waves
in the realm of cybersecurity.
From big corporations to small businesses,
the tech landscape is ever-changing,
and Tom's insights are here
to guide us through it.
We'll discuss the rapid shift to remote work,
the challenges of secure information handling,
the complexities of selecting
the right software,
and the impact of new regulations.
Buckle up, as we explore how technology
is shaping the future of accounting.
Tom, welcome to the show.
< Music >
To start off, I just really wanted to,
maybe, you can talk a little bit about
your background and how you got here.
– Hi, Adam, thanks so much.
It's a pleasure to be here.
So I've been an accountant for 15 years,
in the corporate industry
before starting my own firm.
I started off in pharmaceuticals,
and then went to oil and gas
in more of the financial analysis role
and a lot of management accountancy.
One of the things I used to do a lot of
was whenever we would
acquire a new company,
we had to look at their financial systems.
What they had in place,
and then integrate them into
our SAP financial system.
All their historicals, and then get them
trained, up and running for the future.
So I got a lot of experience,
and had a lot of fun
working in accounting technology
in my corporate career.
And then decided that, "Hey,
there's a lot of technology
to be brought or to be moved
over and implemented
in the small business
accounting world as well."
Smaller firms need just as much tech,
if not more, sometimes, than the big guys.
And with the way the technology
world is moving, especially,
with everything going over to the cloud,
I decided to start my own cloud
accounting firm, back in 2015.
And, then, when everybody
started going remote, in 2020,
I decided that was a good
time to pivot again
and go into cybersecurity, for accountants.
And help other people tackle
some of those issues that we saw
as we transitioned to a lot of
people working from home,
remote, and just coping with
a very wild and flexible world,
over the last couple of years.
– Yes, it's been a very wild
and flexible world.
There's been so many things happening
with everybody working from home,
and all the challenges that
organizations face.
And cybersecurity is something
that's in the news every day.
You see ransomware attacks,
and so many different things
that's affecting so many organizations.
Maybe we can start by
talking a little bit about
what are some of the biggest challenges
you see organizations facing,
when it comes to cybersecurity.
– Absolutely, there are a couple
of things that really hit home.
It's how to keep everybody
working in a fluid environment,
where you can access all
of your information securely.
How can you find your
clients' information securely?
How can you receive it from them securely?
We work in a time where we've got
so many different communication channels.
We have to actually tell our clients
what is a safe and good way to
get your information over to us.
And when we started transitioning
from working in the office
to working from home,
the biggest challenge that we faced,
and that other accountants are facing is–
how do you go mobile with all of that?
How do you keep it in the cloud
and know that it's secure?
And, really, importantly, how do we instill
that trust relationship with our clients,
so that they know that their
information is in good hands?
And we started looking at so many
different softwares out there.
The second challenge is with
a huge buffet of cloud software.
Which one goes with which?
How does it integrate?
And it really came down to what
does the process look like,
for internally and externally
with our clients?
And that's what we hear a lot;
is which software should I use?
How do I implement it?
There are some all-in-ones out there.
Should I piecemeal, together,
best in class?
There are just so many solutions.
Accountants don't have time for
that, especially, during tax season,
which has been basically year-round
for the last couple of years.
– Yes, I can only imagine.
And also the biggest challenge, too,
is if you're a Fortune 100 company,
you have a lot more financial
ability to get a larger software,
a big all-in-one software.
But if you're a smaller organization,
or a Mom-and-pop shop,
it's a lot harder to implement
those bigger softwares,
and, so, trying to find that challenge.
How do you balance that depending
on which organization you're with?
– Yes, that's a great question.
There are smaller softwares like
QuickBooks Online and Dropbox,
that people, typically, use
when they're starting off.
All the way up to SAP or NetSuite
when they're the Fortune 100.
So it really comes down
to what is the budget
and how customizable does it need to be.
Something like NetSuite requires
not just getting the software,
but hundreds or thousands
of hours of customization,
implementation, and training.
And what we really want to go
for is finding out how the firm
is interacting internally, and
with their clients.
Do they really need something that's
super integrated and very expensive?
Or can we put together those best practices
to make something like OneDrive,
Windows, QuickBooks Online,
or QuickBooks Desktop,
in a hosted environment, work
in the same effectiveness
as those bigger softwares?
– Yes, there are so many different factors.
You almost need a team of
people to understand
what your organization is doing.
What your challenges are, and
how you're going to be interacting
with the different things to know what,
if I'm understanding you correct,
it's to know what software
works best for you.
– Right, I mean, that's the
best way to go about it.
And that's what I recommend,
is putting together a committee.
Somebody that represents from each
department, what their needs are
when it comes to implementing
a security software,
and how they are moving
information on a daily basis.
One solution for marketing
may not be a winning solution for accountants,
who are trying to move PDFs,
every day, back and forth to their clients.
So, yes, representing in that committee
is a great way to go about seeing
what the use case is, what the needs are.
And, then, finding the right software solution
in, like I said, that sea of what is out there
and what they're all capable of.
– Mh-hmm, and then once
you actually find a solution.
You still need to tap into that committee
to say, "Hey, is this actually
meeting your needs
and is it working right?"
– Absolutely, it's an ongoing commitment
to working with those groups,
and making sure that
implementation goes according to plan.
And things change along
the way, sometimes, too.
So that really helps give a sounding board
for, "Hey, this isn't working
the way we need it to."
Or, "Yes, we're getting good feedback
from the rest of the people in the department."
And, hopefully, a few trial clients
that have opted in to participate, too.
– Yes, because you need, actually,
that real-world experience,
to see if it's actually working, of course.
– Exactly.
– I think one of the biggest challenges,
when it comes to the
accounting and finance team,
is that working with other parts of
the organization can be difficult.
Whether it's working with
the marketing department,
making sure things are meshing together.
How have you, maybe, helped
organizations that you worked with,
and you're helping them
choose softwares to use?
Have you found that as a challenge,
when you're trying to
help implement things
that they have trouble working
with other departments?
Or are they coming together,
since we're all kind of
breaking down those walls,
since we're all remote in a lot of ways, too?
– I think it's going a lot more
granular than that these days.
I would have said, six to seven
years ago, an all-in-one integration,
everybody using the same
platform is the way to go.
But what we're really seeing
is that there are departments out there
that really want to work
within their specialties.
I mean, marketing, wants
to work in Salesforce.
– Of course.
– The accounting department is not going
to want to work in Salesforce,
it's not the right place for them.
So, really, cybersecurity has
become top of mind
and top of conversation so much,
because as we're trying to move
into best-in-class solutions
for different departments and scenarios,
moving that data, safely,
has become a real concern.
If everybody is working in NetSuite or SAP,
or something fully integrated, you
don't have to worry about it as much.
But when we're looking
for the best solution
to help people do their jobs,
in a rapidly changing,
very competitive environment,
we want to give them the best software
that they can get their hands on,
than what they're used to using.
And, so, that's when
the technology industry
has to step in, and find
a way to make that work
where it's still secure for everybody.
Where they can work from home
on their laptop, if they need to.
They can have that exact same functionality
at their desktop in the office.
Where they've got the printers,
and the scanners,
and the other things that
we need to do our jobs,
and phone systems, even, too.
A lot of people don't think about
the vulnerability on the phone systems.
But I want to make calls from my house
just as easily as I'm doing it
from the office.
And I don't want the clients to know
if they've got to try me at
the office or try me at home.
So everything's got to be flexible,
and it's got to be seamless
internally and externally.
– Yes, and that's not an easy task
to do for any organization.
Whether you have a one-and-done system
or you're piecemealing everything together.
It's quite the challenge for any organization.
And as I'm thinking about all of this,
I know that there are a lot
of rules and regulations
throughout the government.
I know the U.S. government,
we had talked about
the FTC Safeguard Rule.
Maybe we can touch on how
that's affecting people's decisions,
as they're going down the line.
– Yes, so the U.S. government is
really moving in that direction
and solidifying a lot of these rules/regulations,
to address what has become
insurance company concerns,
client concerns, and concerns
voiced by the Big Four,
about how people's data is being
secured and moving around.
And a lot of large companies
have had security challenges,
recently, like Deloitte.
Where their best efforts are going
forward to protecting their clients,
and it's a big investment
both in time and financially.
So the government's really moving
with these FTC Safeguards Rules.
The IRS already has the
Gramm-Leach-Bliley Act
that has been in place for a while now.
So we're looking at, both, the enforcement
of already existing rules, that
are starting to clamp down.
And then we're looking at
the FTC Safeguard Rule,
that was supposed to be implemented
already, but they pushed it back.
And these rules apply to
businesses of all sizes,
which is the really important factor here.
Because in the past, a one
to two-person CPA shop
may not have to worry about
a lot of these regulations
and the costs that go along with them.
But now it's everybody from
that one-person show,
all the way up to the Fortune 100,
like you were saying.
So the government is really stepping in
and emphasizing how important it is,
for people's information to be secure,
what they call personally identifiable information.
– Okay, so what does that look like
for your accounting Mom-and-pop shop,
whether they're a fractional CFO office,
or they're an internal accounting team?
What does that look like for them,
as they're trying to adhere
to these new regulations?
– Yes, it's a challenge because
a cybersecurity person
is not cheap, from a financial standpoint,
it is an investment to go out and get somebody.
Somebody that, right now, the
demand is already really high for.
Salaries are going anywhere
between 120 and 160,
if you can even find somebody.
– Wow.
– So, anyone, right now,
looking at staffing an accounting firm,
is very familiar with how
difficult it is to get good people.
And we're looking at that same
thing, right now, in the IT industry,
especially, with cybersecurity,
because the demand is just so high.
So outsourcing is really
their only solution right now.
Because it's not as easy
as a virus scanner or malware,
where you can just toss it on
the computer and leave it there.
The FTC safeguards goes above
and beyond, into employee training,
active threat hunting, and putting
Written Information Security Policy,
what they call a WISP, in place.
So, for smaller companies, it's a
big time and training burden,
that really is slipping in there, commitment-wise,
with your continuing education every year.
– Mhm, and, so, that's an added
burden because as accountants we,
like IMA has the CMA
certification, if you're a CPA.
Everybody knows, if you're in this industry,
you need to keep your
continuing education credits up.
And now, all of a sudden, accountants
have to be at least versed in,
when it comes to cybersecurity,
they need to learn technology.
Some people are saying, "Oh, you
need to do data analytics."
Like "Oh, you need to have data scientists."
There are all these different things
that accountants have to do.
How can they stay up to
date with these things?
Obviously, outsourcing that,
but what level of understanding
do accountants need to have,
in order to be at their best to do this?
Obviously, they won't be able
to be a cybersecurity expert.
But what level do you think
they need to be at,
to best support their organization?
– Yes, I think specialty training
is the way to go with this.
It's something that we can do
on a one to two-day basis,
a couple of times.
I like to do it with my clients quarterly.
Just to let them know what
the new ransomware attacks
we are looking at,
if we've got any vulnerabilities,
and it helps us build what we
call a cybersecurity culture.
Where we're talking about not just training
in a one-and-done fashion,
but building that mentality,
like you were talking about,
with y'all's skills programs.
Where internally we're focusing
on ongoing education.
Watching for those red flags,
in case our computer is
doing something weird
or we're getting any emails
that are suspicious.
So these smaller continuing
education-type courses,
are really the way to go with stuff like that.
– That makes sense, and it
seems like, as organizations,
we need to keep training our people.
To make sure, "Hey, this is
what you look for."
I know our organization does
a yearly cybersecurity training.
Where it's like, "Hey, a reminder,
look out for these things,
look out for those things.
If you get an email from the CEO
saying, 'Hey, what's our
routing account number
and account number for
our bank account, again?'"
Don't do it.
– Right, the real popular one right now,
is a text message or an email
from an executive level
or someone's supervisor
saying, "Hey, I'm in a meeting,
I need you to get me iTunes gift cards
or some other gift cards for the people
here in the meeting, as a marketing.
Go get them right now."
And it sounds silly right now,
but it's happening.
I mean, people are falling victim
to that every day, it's crazy
because it's a numbers game.
So you just got to find somebody
in the right place, at the right time.
– For sure, and so we've talked
a lot about organizations,
and training, and stuff like that.
What can we do personally,
on a personal level?
Everybody has their own personal accounts.
Are there things we all
should be looking out for,
and being aware of just to
protect our own data?
Just the other day,
I logged into an organization,
I forget what institution I logged into.
And it was like, "Oh, by the way,
we were hacked,
but none of your account
information has gone out.
But your name and email address
might be on a list somewhere."
And I'm like, "Should I be worried?"
– I'm really glad you asked.
Because identity theft is really
where a lot of this goes,
and I think about it all the time.
And I can tell you, personally, I recommend
when your computer at home
and any other personal
device that you've got,
always do their most recent updates.
A lot of people will hit
Not Now, Update Later.
But I promise you, they don't
make you download and reboot
unless it's something pretty critical.
So always do your updates,
and don't give anything out over email
that you wouldn't tell somebody
that they could hold for later.
So don't ever send your
personal information via email,
even if it's in a password-protected
PDF, those are not secure.
You really want to have it
sent through either voice
or an encrypted uploader,
whenever you're moving
that kind of stuff around.
And the other thing is, always
keep your virus scanner
and your malware scanner updated.
A lot of people don't, or they
turn it off out of convenience.
And, then, the number one
thing that I will end on,
that everyone is going to hate
because even I don't like it.
But it really works, is the
multi-factor authentication.
– The dreaded—Please send
me a text message code
or pull the code out of your email,
or these authenticator apps
that we use, I use Google's,
it works really well, it works.
I cannot tell you how many times
I've gotten a random code in my email,
going, "I don't know what that
was for or who requested it,
but I'm glad it is there."
– Exactly.
– Because even that little one,
even if it takes you two minutes,
to use the multi-factor authentication.
I can promise you it is way better
than having to cancel
all of your credit cards,
file a police report, undo
any kind of identity theft.
Because it is not a friendly process
when we have to go through that.
It's very invasive and it is not fun.
– Yes, that doesn't sound like fun at all.
And, I agree, multi-factor
authentication it's annoying,
but I think it's very essential.
Microsoft has an app, too, I use theirs.
But anytime I can set it up,
I try to turn it on
because I've gotten the same
thing that you've gotten.
Where I've gotten a text message
and I'm like, "Well, I didn't
try to log in there."
So I quickly go and change my password
and go update those things.
And I think it's important to be vigilant
about your own personal things,
and the more vigilant we are
about our personal,
it'll help us understand how vigilant
we need to be at a corporate level, as well.
– Yes, that's one of my advantages, of
going from owning an accounting firm
to owning a cybersecurity firm,
that works with accountants,
is I know the pushback, personally,
that I'm going to get from my
team when I implement stuff.
So when we look at implementing
any cybersecurity, we look at:
is it necessary and effective enough
to warrant the frustration it's
going to cause for our employees?
And can we make it work as well
and seamlessly as possible?
Because I know, from personal experience,
if it doesn't work or if it's too complicated,
people are going to bypass it.
And, so, you might as well not
have frustrated them with it at all.
And I don't lie to people
and say that multi-factor
is not a big deal, "It's no problem,
just put it in there."
It's a pain, people don't like it.
There's a lot of pushback
with employees and executives,
whenever we go to implement this.
And I always drink my own Kool-Aid,
so I know I don't tell anybody,
"This is going to be
completely frustration free."
I tell them, "It's absolutely necessary,
but it's only the level of necessary
that we need to stay safe."
– Yes, sometimes, inconveniences
help us stay safe,
and I think it's balancing that.
And I like what you said, is it
worth the people's headache
to help us keep us safe
and trying to balance that,
especially, in making those
choices as an organization.
– Exactly.
– Yes.
Well, Tom, it's been really
great talking with you,
getting to know you, and I really
appreciate the expertise
that you share with our audience, today.
I know that they're going
to find it beneficial
as they're going on their journey,
and their organization,
and personally as well.
– Thanks, Adam, the pleasure
has been all mine.
I hope your audience and your listeners,
really, get something out of this.
I hope it was helpful.
< Outro >
– This has been Count Me In,
IMA's podcast, providing you
with the latest perspectives
of thought leaders from the
accounting and finance profession.
If you like what you heard
and you'd like to be counted in,
for more relevant accounting
and finance education,
visit IMA's website at www.imanet.org.