Accounting Departments – On the Frontline of Cyberattack Prevention
As accountants and finance professionals, one of our key responsibilities is to highlight and manage financial business risks. And in today’s digital-first work environment, that includes risks involving cybersecurity breaches.
Without cybersecurity measures in place, businesses risk losing revenue, clients and reputation. They also bear the costs of reduced employee morale, penalties from regulators and suppliers, and a lengthy recovery process. Cybersecurity measures therefore need to keep pace with the technology in use and be backed by staff awareness and training.
Because of the sensitive and valuable nature of the data we deal with, accounting systems sit especially high on the list of targets for attackers, regardless of whether you are a local business or an ASX-listed entity.
To manage this risk effectively, cybersecurity policies need to cover every part of your accounting technology and resources, including email, servers, cloud solutions and your employees. Your approach should start from the active assumption that a breach will be attempted, rather than being a passive plan for cleaning up after one has succeeded.
Here are some essential tips to help your team secure your data, avoid costly downtime, and most importantly, protect your business and your clients.
#1 – Empower through awareness and training
Human error is one of the leading causes of successful cyberattacks, and with phishing, smishing and related techniques becoming more sophisticated every day, it is easy to see why. Today's attack messages look almost identical to genuine communications and exploit human psychology to put you in a position where you are reacting rather than thinking.
Weak passwords and the lack of a clear password policy are another key area for awareness and training. After all, 67% of breaches and hacks are attributed to simple human error or a compromised password.
Well-intentioned but uninformed staff are a challenge that must be overcome when the risks are this high. The good news is that training and awareness can turn this weakness into a powerful defence.
Training should cover how to identify suspicious communications, how to react if you suspect a message is not genuine, and what to do if a breach succeeds so that the wider damage to the business is limited. It also requires IT policies that are regularly updated and communicated, directing teams on how to create and manage strong passwords, how to use multifactor authentication, and how to secure their devices and networks both at work and at home, rather than working from unsecured public networks at the local café.
#2 – Call the key contact
One simple yet effective technique is to keep your supplier contact list up to date, so that when a change-of-bank-details request or an "urgent" payment comes through, it is easy to call the correct contact and follow a set internal process to verify that the request is legitimate.
#3 – Limited payment authorisation
One easy way that dodgy payments get through is when the wrong person signs off the authority, or nobody signs it off at all and the payment simply goes out. It is always best to have the person who manages the relevant relationship sign off the expense, even if final approval has been granted by a manager, because they are in the best position to know what the expense is and whether it is legitimate.
#4 – Do a quick check of the email address
Check the actual email address of the sender, not just the display name. It takes only a few seconds, and such a surprisingly basic check can prevent devastating consequences. One thing to look for that is common in scam emails is a .com address in place of the .com.au address you have on record. These emails usually look and feel just like the real thing, but the slightly unusual sender address gives them away.
Scams also tend to carry additional clues that staff should be aware of: poor grammar and typos, pressure to take suspicious or immediate action, requests for private information, suspicious links, mismatched email addresses or logos, and phone numbers that differ from the ones you have on record.
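As an added example (not part of the original article), the following Python script applies the checks from this section to a From: header: it compares the real sender domain against a constructed allowlist of supplier domains your team has on record, flags a .com address standing in for a .com.au one and other lookalike spellings, and catches display-name spoofing, where the visible name is itself an email address that differs from the one a reply would actually go to. The supplier domains, the public-suffix list and the sample headers are all constructed for illustration.

```python
import re

# Constructed allowlist: supplier domains your team has on record.
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.com.au", "brightbooks.com.au"}

# Public suffixes handled by this example. A production check should use the
# Public Suffix List instead of a hard-coded tuple; longer suffixes come first
# so ".com.au" is stripped before ".com" gets a chance to match.
_SUFFIXES = (".com.au", ".net.au", ".org.au", ".com", ".net", ".org")

# "Display Name <addr>" form: whatever is inside <...> is the real address.
_ANGLE = re.compile(r"^\s*(.*?)\s*<([^<>\s]+@[^<>\s]+)>\s*$")


def split_from(from_header: str) -> tuple[str, str]:
    """Return (display name, lower-cased real address). A bare address has no name."""
    m = _ANGLE.match(from_header)
    if m:
        return m.group(1).strip().strip('"'), m.group(2).lower()
    return "", from_header.strip().lower()


def registrable_name(domain: str) -> str:
    """Drop the public suffix so 'acme-supplies.com' and 'acme-supplies.com.au'
    compare on the part an attacker copies."""
    for suffix in _SUFFIXES:
        if domain.endswith(suffix):
            return domain[: -len(suffix)]
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats such as 'acme-suppiles'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list[str]:
    """Return warnings for a From: header; an empty list means a known supplier."""
    name, addr = split_from(from_header)
    if "@" not in addr:
        return ["no parseable sender address"]
    domain = addr.rsplit("@", 1)[1]
    warnings: list[str] = []

    if domain not in KNOWN_SUPPLIER_DOMAINS:
        base = registrable_name(domain)
        close = sorted(k for k in KNOWN_SUPPLIER_DOMAINS
                       if edit_distance(registrable_name(k), base) <= 2)
        if close:
            warnings.append(f"lookalike domain {domain!r} resembles known supplier {close[0]!r}")
        else:
            warnings.append(f"sender domain {domain!r} is not a supplier on record")

    # Display-name spoofing: the visible name is itself an address, and it is
    # not the address a reply would go to.
    if "@" in name and name.lower() != addr:
        warnings.append(f"display name shows {name.lower()!r} but the real address is {addr!r}")
    return warnings


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for header in (
        "Acme Supplies <accounts@acme-supplies.com.au>",
        "Acme Supplies <accounts@acme-supplies.com>",
        "accounts@acme-supplies.com.au <payments.update@gmail.com>",
        "Acme AP <ap@acme-suppiles.com.au>",
    ):
        print(header, "->", check_sender(header) or ["ok"])
```

The edit-distance threshold of 2 is a judgement call: it catches a swapped pair of letters or a single added character without matching unrelated supplier names. A mail gateway rule that tags anything returning a non-empty list, combined with the call-back step in the next two tips, covers the common change-of-bank-details fraud without relying on staff to spot the extra or missing ".au" by eye.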
#5 – Call the supplier key contact, not the number on the email
If a change of bank details arrives, call the key contact you have on record, never the number in the email, to confirm the correct details. Again, it takes only a few minutes, and third parties are generally happy to assist because it prevents problems on their side too, especially as awareness of cybercrime is on the rise.
#6 – Implement adequate internal audit tracking techniques
Make sure your accounting software keeps an audit trail of changes to banking details and can alert you when a supplier's bank account details are changed, so you can investigate further. Even when a change turns out not to be the result of a compromise, the alert lets you confirm that your team followed the correct internal process for handling a change-of-bank-details request.
#7 – Two-factor authentication and system updates for all software solutions
Ensure two-factor (multifactor) authentication is turned on for every application, device and software solution your finance team uses. If a password is lost or compromised, this makes it much harder for an attacker holding that password alone to get into your systems or data. It might sound like an annoying extra step, but it is much easier than it sounds when combined with a good password manager. In addition, apply updates as soon as vendors release them, as these updates usually contain security fixes for vulnerabilities that attackers are actively exploiting. This applies across all IT systems, not just accounting software.
#8 – Ensure internal controls are adequate for your business
It is important to have a clear separation of duties in your team wherever possible. For example, the person entering accounts payable invoices should not be the same person approving the bank payments. You should also apply the principle of least privilege, a core element of a zero-trust approach: limit access to systems and data to the people who need it to perform their role. That way, if a device or employee is compromised, what the attacker can reach is bounded by the permissions you have set.
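As an added example tying together the audit-trail check from #6 and the separation-of-duties control from #8 (example code, not anything from the article or from 2account), the Python below runs three checks over constructed records of the kind an accounting system could export: bank-detail changes with no call-back verification by a second person, payments entered and approved by the same person (or approved by nobody), and payments released to a supplier after an unverified change. The record layout, user names, account strings and amounts are all assumed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class BankChange:
    change_id: str
    vendor: str
    changed_by: str      # user who edited the supplier's bank details
    new_account: str     # placeholder account string, as recorded
    at: datetime


@dataclass(frozen=True)
class Verification:
    vendor: str
    verified_by: str     # user who phoned the contact on record
    at: datetime


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor: str
    amount: float
    entered_by: str
    approved_by: str     # "" when nobody signed it off
    at: datetime


def unverified_changes(changes, verifications):
    """Change IDs with no call-back verification recorded at or after the change
    by someone other than the person who made the change (self-verification
    does not count)."""
    return [
        c.change_id for c in changes
        if not any(v.vendor == c.vendor and v.at >= c.at and v.verified_by != c.changed_by
                   for v in verifications)
    ]


def duties_violations(payments):
    """Payment IDs where entry and approval were not separated."""
    return [p.payment_id for p in payments
            if not p.approved_by or p.approved_by == p.entered_by]


def payments_on_unverified_details(payments, changes, verifications):
    """Payment IDs released to a supplier after a change of bank details that was
    never independently verified: the classic invoice-redirection pattern."""
    bad = set(unverified_changes(changes, verifications))
    risky = [(c.vendor, c.at) for c in changes if c.change_id in bad]
    return [p.payment_id for p in payments
            if any(p.vendor == vendor and p.at >= since for vendor, since in risky)]


# Constructed sample records, not data from any real system.
CHANGES = [
    BankChange("C1", "Acme Supplies", "jlee", "000-000 0000 0001", datetime(2024, 3, 1, 9, 0)),
    BankChange("C2", "BrightBooks", "mkhan", "000-000 0000 0002", datetime(2024, 3, 2, 10, 0)),
    BankChange("C3", "Northgate Ltd", "tng", "000-000 0000 0003", datetime(2024, 3, 4, 8, 0)),
]
VERIFICATIONS = [
    Verification("BrightBooks", "rsmith", datetime(2024, 3, 2, 11, 0)),   # independent call-back
    Verification("Northgate Ltd", "tng", datetime(2024, 3, 4, 8, 30)),    # self-verified: does not count
]
PAYMENTS = [
    Payment("P1", "Acme Supplies", 48500.00, "jlee", "", datetime(2024, 3, 3, 14, 0)),
    Payment("P2", "BrightBooks", 1200.00, "mkhan", "rsmith", datetime(2024, 3, 3, 15, 0)),
    Payment("P3", "Northgate Ltd", 9900.00, "tng", "tng", datetime(2024, 3, 4, 10, 0)),
    Payment("P4", "Acme Supplies", 300.00, "tng", "rsmith", datetime(2024, 2, 20, 9, 0)),
]


def run_checks(changes=CHANGES, verifications=VERIFICATIONS, payments=PAYMENTS):
    """Bundle the three checks into one report keyed by check name."""
    return {
        "unverified_bank_changes": unverified_changes(changes, verifications),
        "duties_violations": duties_violations(payments),
        "payments_on_unverified_details": payments_on_unverified_details(
            payments, changes, verifications),
    }


if __name__ == "__main__":
    for name, ids in run_checks().items():
        print(f"{name}: {ids or 'none'}")
```

Two design points are worth noting. A verification only counts if it was recorded by someone other than the user who changed the details, so a compromised or careless account cannot rubber-stamp its own change. And P4 is not flagged even though Acme's details were later changed without verification, because the payment predates the change; the check targets money that actually went to the unverified account.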
#9 – Review internal processes regularly
Regularly review and audit your internal controls to find weaknesses, and remember to communicate any changes and the reasons for them. The better your team understands why a policy exists and why they need to follow it, the more committed they will be to playing an active role in implementing it. Too often, policies are written and barely read, or changed without any reason being given. For policies to be of value, they need to be reviewed, updated and communicated.
#10 – If in doubt, ask!
Successful cyberattacks often exploit our reluctance to question an action or request, applying pressure and time constraints so that we act without looking at the request critically. Remember that the cost of a slight delay is nothing compared to the consequences of a data breach or fraudulent payment, so always ask questions, no matter how silly you feel. For team leaders, it is important to make questioning unusual requests an expected part of the job, and to report suspicious activity to the relevant government authority whenever possible.
At 2Account, one thing we actively do is communicate. We are here to empower you to ask the right questions at the right time, helping you become an active force in the fight against the rising threat of cybercrime.
About the Author
Renee is the founder of 2account and a proven Chief Financial Officer (CFO), leading the practice and its clients by directing administrative and reporting services focused on reducing client business risk. At 2account, we work to empower our clients by sharing relevant, insightful content on cybersecurity, accounting best practice and more through webinars and virtual events to help your business thrive.
Join Renee and our guest Craig Boyle on Wednesday 2nd March at 11:00am as they take a deeper dive into the current cyber threats circling the financial services industry and beyond, and how you can protect your business from falling victim to fraud from cybercrime.