Cybersecurity in the Accounting Field
Like most finance-driven fields, accounting contains some very private and important personal information. Whether the accountants do personal or corporate finance, they have access to information that can be used for all types of fraud, identity theft, and any other fraudulent activity. As the internet has matured, many accountants and accounting firms have moved to a digital model where they provide accounting services online. Companies like TurboTax and QuickBooks are just two examples of modern accounting software that can be delivered online. With this modern convenience come cybersecurity threats that previously didn't exist in the industry. Not only do accounting companies need to protect their websites, but they also need to be mindful of their web applications and all the other risks of conducting business online.
Cyberthreats to Accountants
Let's look at some of the common cyber threats relevant to an accounting business:
Web Application Attacks: As mentioned above, many accounting firms have moved from strictly in-person to offering online services. This can include filing taxes, business accounting and other services that people and companies need. These applications are publicly accessible over the internet and therefore are potential entry points into the company's internal network if configured incorrectly. Web application attacks like cross-site scripting, SQL injection, command injection and others are a big threat vector for accounting companies.
Secure Communications: When customers send financial information over the internet, the information must be sent securely, with strong encryption, to prevent it from being intercepted and read by a third party. Failure to do so can lead to data leaks, and responsibility would fall on the accounting firm for not implementing the proper technical controls.
Data Breach Lawsuits: In some industries, such as retail, a breach of customer data may simply be an inconvenience with no real impact on the customers' daily lives. But the finance industry is an area where a single data breach can lead to identity fraud, financial fraud and other consequences that can cause your clients financial harm. To recoup those losses, they will often elect to file lawsuits, and that can be extremely costly to the accounting firm.
Insider Threats: Insider threats are employees within your company who have a vested interest in leaking company data and helping cybercriminals compromise your network. They can be disgruntled employees, members of hacker groups or simply employees who want to make extra money by compromising the company they work for. They are challenging to deal with because they are already inside your company's network perimeter.
Top Vulnerabilities for Accounting Firms
1. Human Error
A study by Kaspersky suggests that as much as 90% of data breaches are caused by human error. This can be things like using public Wi-Fi at a Starbucks that allows data to be intercepted, falling for phishing emails, sending the wrong information to the wrong person or any other type of mistake. The company's human element is by far its biggest risk when it comes to cybersecurity.
2. Weak Passwords
This is a common weakness across many organizations. Passwords are the first line of defense for your organization's accounts, and you must ensure that your password policy mandates the use of strong passwords. This typically means having passwords at least eight characters long, using uppercase and lowercase letters, and using numbers and special characters.
3. Weak Encryption
When dealing with sensitive information like social security numbers, it's important that your organization uses strong encryption and implements it across the organization to ensure that unauthorized users cannot access this information. This means having encryption in transit and encryption at rest, as required.
4. Web Application Misconfigurations
For any organization using a web application to offer services, it's important to have your web apps tested for security vulnerabilities and have those vulnerabilities remediated by professionals. Resources like the OWASP Top 10 provide information on the latest web application vulnerabilities that organizations should be aware of.
5. Poor Access Management
Access management is about ensuring that employees only have access to the resources they need to do their job and nothing beyond that. This is known as the principle of least privilege. It helps to reduce the likelihood of insider threats or negligent employees leaking data because they will be limited in the information they can access.
Conclusion
Accounting, like many other industries, has sensitive information that needs to be protected from hackers. What makes accounting unique is how the services are offered. Many companies like TurboTax and QuickBooks have online services and websites that act as potential entry points for a cyber attack. Accounting firms must take the proper steps to ensure they are not easily breached.