Mitigating Cybersecurity Risks in the Accounting Sector

By Stacey Howard

The rapid evolution of technology, the adoption of automation tools, and cloud computing have transformed the way accounting tasks are performed, making them more efficient, accurate, and fast. Accounting work is now accessible from anywhere with an internet connection, which allows for remote work and collaboration and improves productivity and responsiveness.

Increased tech adoption, however, comes with increased risk of cyber-attacks.

Flipside of heightened technology adoption

Cyber-attacks and data breaches are 21st-century realities that organizations are grappling with. Cybercriminals have been on the rampage, targeting accounting firms to steal sensitive financial data and use it for malicious purposes. Some of the high-profile cyber-attacks include Deloitte’s email-server attack in 2017, the phishing attack at Moss Adams, a US-based accounting firm, in 2019, and the cyber-attack on PwC Canada in 2020 that compromised the personal information of approximately 4,000 current and former employees.

According to a Deloitte Center for Controllership poll, “During the past 12 months, 34.5% of polled executives report that their organizations’ accounting and financial data were targeted by cyber adversaries. Within that group, 22% experienced at least one such cyber event and 12.5% experienced more than one.” And “nearly half (48.8%) of C-suite and other executives expect the number and size of cyber events targeting their organizations’ accounting and financial data to increase in the year ahead. And yet just 20.3% of those polled say their organizations’ accounting and finance teams work closely and consistently with their peers in cybersecurity.”

Safeguarding accounting and financial data is of critical importance

Accounting and financial data are attractive targets for cybercriminals. Unauthorized access to a company’s financial information, sensitive data, bank account numbers, credit card details, and personally identifiable information has the potential to severely damage business continuity and investor confidence, not to mention cause significant financial losses, reputational damage, and legal consequences for the company.

Many industries are required to adhere to strict regulations related to financial reporting and data management. Companies must comply with regulations such as the Sarbanes-Oxley (SOX) Act, the Payment Card Industry Data Security Standard (PCI DSS), and the General Data Protection Regulation (GDPR) to avoid penalties and fines. A data breach in these areas can spell doom for the organization.

Whether you are managing an in-house accounting department or employing outsourced accounting services, compliance with the regulations is vital.

This article attempts to delve into every aspect of cybersecurity, including an understanding of its current landscape, a round-up of the hi-tech solutions to mitigate cyber risks, the best practices of the accounting world in protecting its data and information, and the urgent steps an organization should undertake to safeguard its accounting and financial data.

The current landscape of cybersecurity in the accounting sector

Owing to the sensitive financial information that accounting departments, firms and CPAs have access to, the cybersecurity landscape in the accounting sector has become increasingly complex and challenging. Industry players are grappling with an increased frequency of attacks aimed at gaining access to sensitive financial information. At the same time, with the fast evolution of technology, new cybersecurity threats are constantly emerging.

We are now hearing of new threats such as advanced persistent threats (APTs), which are sophisticated attacks that can remain undetected for long periods. Additionally, attackers are increasingly using artificial intelligence (AI) and machine learning (ML) to develop more sophisticated attacks.

Common and high-tech cyber threats that organizations, accounting firms and CPAs should guard against:

Common Cyber Threats:

  • Phishing – attacks that gain unauthorized access to official communication channels to obtain sensitive information or to install malware
  • Ransomware – malware that encrypts files on computers and provides the decryption key only on payment of ransom money
  • Malware – software that harms a computer system, network, or device through viruses, Trojans, spyware, etc.
  • Password attacks – automated tools that try multiple password combinations to access a system or network
  • Insider threats – threats from employees or contractors who have access to sensitive information and use it maliciously

High-Tech Cyber Threats:

  • Advanced Persistent Threats (APTs) – attacks that use multiple techniques to access systems or networks, and often stay undetected for long periods
  • Zero-Day exploits – attacks that take advantage of software vulnerabilities that are unknown to the software vendor and therefore have no patch available
  • Artificial Intelligence (AI) and Machine Learning (ML) attacks – attacks that are more sophisticated and can evade traditional security measures
  • Internet of Things (IoT) attacks – attacks that exploit weak security measures for a foothold into a network
  • Supply-chain attacks – attacks that exploit vulnerabilities in a third-party vendor’s software or hardware to gain access to a target organization’s network

Key challenges accounting firms encounter when mitigating cyber risks

One primary challenge is the lack of cybersecurity awareness among players in the accounting sector. Even in these times of heightened risk, many employees are still not trained to recognize and respond to cybersecurity threats, which leaves them vulnerable to such attacks.

With the advancement of technology, cyber threats are becoming more sophisticated and complex. This makes it difficult for accounting firms to keep pace with the latest threats and vulnerabilities. The situation is further aggravated in the case of smaller accounting firms that have limited resources to invest in cybersecurity, making it difficult to implement comprehensive cybersecurity measures.

Cyber-risk mitigation – innovative solutions and best practices

The broader question really is how to keep your organization always guarded against cybercrimes. This is akin to ensuring your own safety or that of your loved ones. The preparedness and readiness should be formidable, covering every possibility and leaving no room for lapses.

It is important to note that cybersecurity is an ongoing process. Organizations, as a best practice, should regularly review and update their cybersecurity policies and procedures to address new and emerging threats.

  • Develop a comprehensive cybersecurity policy that outlines the organization’s approach to security and includes guidelines for employees on how to prevent cyber incidents
  • Conduct regular security audits to identify weak links in an organization’s network, systems, and applications
  • Use strong passwords and authentication to minimize the risk of unauthorized access
  • Use advanced endpoint protection to prevent malware infections and other cyberattacks by monitoring and controlling access to an organization’s endpoints
  • Invest in end-to-end data encryption through new-age tech such as Blockchain and AI to protect sensitive data in a firm’s network
  • Train employees at regular intervals to identify and avoid phishing attacks, use strong passwords, and report suspicious activity
  • Deploy access controls to ensure only authorized access to sensitive data and systems
  • Conduct regular backups so that critical data is not lost in the event of a cyber incident
  • Develop an incident response plan to ensure that the organization is prepared to respond quickly and effectively to a cyber incident
  • Continuously monitor for cyber threats so that they can be detected and responded to swiftly in real time, minimizing the impact of a cybercrime

Effective cybersecurity is an ongoing process

It requires a multi-faceted approach. The future will only bring more sophisticated and complex attacks that exploit emerging technologies and their vulnerabilities. Organizations will have to proactively invest in advanced security technologies, regularly update software and firmware, and train employees on cybersecurity best practices. The need of the hour is to broaden awareness, remain constantly vigilant, maintain robust controls to identify loopholes, and stay prepared for potential threats.

About the Author

Stacey Howard is an accomplished blogger with over a decade of experience in the field of accounting and bookkeeping. With her extensive knowledge and expertise, she has been working as an accountant at Cogneesol, a leading outsourced accounting firm. Throughout her career, she has developed a passion for sharing valuable insights and information on various accounting industries through her engaging and informative write-ups. Her contributions to the accounting community have been widely recognized, making her a sought-after expert in the field.