In today’s digital era, the need for cybersecurity is a global concern, and cyber threats have become a growing risk to all businesses. In the accounting domain, cybersecurity has become an integral part of the daily operations of accounting professionals and accounting outsourcing companies. A new cyber breach is reported almost every week, impacting accounts outsourcing and bookkeeping outsourcing companies worldwide. In one of the most high-profile cyber-attacks of our times, Deloitte, a leading global accounting firm, reported an extensive cybersecurity breach in 2017. The attack was via an email server breach, and reportedly, five million emails were exposed along with leakage of other sensitive data, including usernames, passwords, business data, IP addresses and employees’ health records. Thus, cybersecurity has taken centre stage in the accounting domain, with the Deloitte incident revealing the extent of damage cyber-attacks could inflict even on accounting outsourcing companies.
Cyber-attacks are intentional, illegal exploitation of computer systems and enterprise networks. To launch these attacks, cybercriminals employ malicious code and software that modify computer code, logic or data, resulting in data compromise, identity theft and sometimes even system infiltration. According to a report by Forbes magazine, the global cost of cybercrimes is projected to reach USD 2 trillion by 2019. With such developments set to take the world by storm, small to midsized accounting firms that work with individuals and small clients, as well as large international accounting and bookkeeping outsourcing companies that serve global multinationals, are looking to strengthen their cybersecurity posture by hiring experienced and skilled cybersecurity professionals.
The benefits of hiring experienced cybersecurity professionals are manifold, and some of these have been compiled and explained below.
Security audits help improve compliance
Similar to the audits conducted by accounting firms for their clients’ company financials, cybersecurity professionals carry out system security audits. Security experts thoroughly examine the configuration and existing security practices, comparing them with the industry’s best practices and the required settings. Security loopholes and glitches are identified and brought to the notice of the accounting companies for redressal. A security strategy is then formulated and introduced into the regular practices of accounting companies. Accounting professionals these days are proactively working with security experts to establish better security mechanisms for client companies. For instance, the Association for Chartered Certified Accountants (ACCA) works in collaboration with the Information Systems Audit and Control Association (ISACA) to deliver better security for all ACCA members and customers.
Security awareness training for internal workforce
To tackle security concerns, it is essential for a company’s internal staff to be aware of the practices in place and to follow them diligently. A company may have multiple security measures in place, including antivirus software, daily data backups, firewalls, encryption methods, strong passwords and web browser protocols, but these measures will prove futile if employees are not educated and unintentionally become victims of phishing emails and social engineering. Thus, security professionals also work with accounting firms to educate their internal workforce about the importance of cybersecurity and familiarise them with the features of the security programs installed and the best practices for preventing unintentional cyber breaches.
Proactively detect and resolve risks and vulnerabilities
Accounting firms have to be extra cautious in their dealings because the government is largely involved in the accounting domain and monitors its day-to-day operations. Accounting companies are now held directly responsible by government agencies for exposing customers’ sensitive data. Therefore, it has become all the more necessary for accounting firms to have a security mechanism in place that not only remediates detected vulnerabilities but also proactively addresses risks that may occur in the enterprise system and network. Large as well as small accounting firms worldwide are now allocating dedicated resources to build strong in-house cybersecurity teams or to hire respected external experts as contractors to safeguard and proactively protect their customers’ critical information from cyber-attacks.
There are diverse steps that accounting firms can take to protect themselves as well as their clients and develop a strong cybersecurity posture. A few are listed here.
- Regularly updating the operating systems: Automatic updates should be configured for all operating systems in accounting firms. Moreover, computer systems should be turned off at night and rebooted frequently so that pending system updates are applied. Updates are just as important for servers, where patches should be reviewed and applied on a regular basis. It is also important to remind employees who use their mobile devices to access company data to enable automatic operating system updates on their smartphones and tablets.
- Updating the antivirus program: Accounting firms should ensure that the antivirus software they use is configured to check for updates automatically. In addition, drives and devices should undergo frequent security scans, and media such as USBs and hard drives that are inserted in the system should be scanned automatically on detection. Large accounting firms can configure their workstations to report the status of antivirus updates to a centralised server that can release updates automatically as and when required.
- Setting strong password policies: IT teams in accounting firms should implement strong password policies for their employees, mandating the use of at least eight characters which are a combination of lower and upper case letters, numbers and special characters. It should also be mandated that employees change the password at least four times a year, without using the last ten passwords. Employees should also be discouraged from sharing their passwords with anyone, and should change their password whenever deemed necessary.
- Using automatic screen lock: Workstations should be configured so that the screen locks automatically if they are idle for more than a couple of minutes, keeping prying eyes away.
- Tracking enterprise equipment: Since accounting firms deal with sensitive data of financial value, they should proactively monitor all locations that store the data, such as servers, drives and even workstations. Mobile devices, backup systems, thumb drives and cloud locations should also be regularly monitored. Access to locations holding extremely sensitive data should be restricted to authorised personnel only. Accounting firms should use inventory tags and monitor all devices allotted to employees to keep track of firm-owned equipment and devices.
- Encrypting backup data: Accounting firms should encrypt all the data that leaves their premises and also ensure the backup is completed and the data stored is usable. They should also review backup logs on a regular basis for completion. Restoring files randomly to check whether they will work when actually needed is another security practice that accounting companies should implement.
- Connecting securely: The IT teams of accounting firms should educate and train personnel as well as employees on how to connect securely to the company’s information and data resources using either the virtual private network or other secure connection methods (https:// in the address bar of the web browser). Employees should be reminded not to carry out any confidential office tasks on public Wi-Fi networks. They should be advised to connect to external Wi-Fi for office work only if they are certain that the network is reliable and safe. However, it is better for employees to use a 4G LTE mobile hotspot or connect through the hotspot feature available in their smartphones.
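
The password policy item in the list above can be enforced in code at the point where a password is changed. The sketch below is an added example, not taken from any product: the function names, the 91-day reading of "four times a year" and the PBKDF2 work factor are assumptions, and the history stores salted hashes rather than the passwords themselves.

```python
import hashlib
import hmac
import os
import re
from datetime import timedelta

MIN_LENGTH = 8                # "at least eight characters"
HISTORY_DEPTH = 10            # "without using the last ten passwords"
MAX_AGE = timedelta(days=91)  # assumption: "four times a year" = every 91 days
ITERATIONS = 100_000          # illustrative PBKDF2 work factor; tune for your hardware
CLASSES = {
    "lowercase": r"[a-z]", "uppercase": r"[A-Z]",
    "digit": r"[0-9]", "special": r"[^A-Za-z0-9]",
}

def hash_password(password, salt=None):
    """Return (salt, digest) so the history never holds plaintext passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def policy_violations(password, history):
    """List every rule the candidate breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CLASSES.items():
        if not re.search(pattern, password):
            problems.append(f"missing {name} character")
    for salt, digest in history[-HISTORY_DEPTH:]:
        # Re-hash the candidate with each stored salt and compare in constant time.
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break
    return problems

def change_password(password, history):
    """Accept a compliant password and keep only the newest HISTORY_DEPTH hashes."""
    problems = policy_violations(password, history)
    if problems:
        raise ValueError("; ".join(problems))
    history.append(hash_password(password))
    del history[:-HISTORY_DEPTH]

def rotation_due(last_changed, now):
    """True once the password is older than the quarterly maximum age."""
    return now - last_changed > MAX_AGE
```

Because each stored hash has its own salt, the reuse check has to re-hash the candidate once per history entry; that cost is what allows the last ten passwords to be remembered without keeping any of them in recoverable form.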