Cyber security in accounting

Modern accounting relies on dozens of e-mails and pieces of customer information, all of which must be well secured. Accountants make many transfers every day, on fixed dates. Working under time pressure, they can easily lose their vigilance: opening a fake e-mail, transferring money to the wrong account number or downloading an infected document. And the risk of attacks keeps growing: as many as one in five companies noted such a trend in 2019, according to the report “Cyber Security Barometer 2020” prepared by KPMG.

The EU also fights the wave of threats by organizing events such as the European Cybersecurity Month (ECSM). The aim of the event is to promote cybersecurity and raise awareness of the dangers lurking on the Internet. The ECSM slogan “Cyber security is our shared responsibility” makes clear that in many organizations every employee matters in maintaining and following procedures.

  • We take part in the European Cyber Security Month because education in this area is extremely important. With remote work now common, also in accounting, this year’s motto of the event, “Think before you click”, has gained even more importance.

Which types of social engineering are accountants most vulnerable to? Below are some of the most common ones they face during their daily duties:

Social engineering in accounting
Accountants are most exposed to a method of manipulation called social engineering, or sociotechnique. Cybercriminals often choose it because it exploits not only their interpersonal skills, but also human mistakes and our trust in people and institutions we know well. The intricate fraud plans are built on human reflexes and habits – behaviour is steered by carefully designed e-mail, voice and SMS messages.

Phishing is a method that involves creating fake websites and sending e-mails and SMS messages in order to steal important information. Messages may seem completely harmless, remind you of an upcoming update or contain a request to confirm your data. They usually inspire trust and are prepared to look very similar to e-mails from known and credible organizations. It is worth remembering, however, that such messages are not addressed to one person only, but to many people at once.
Spear phishing, or targeted phishing. This variant is more dangerous than classic phishing because the target of the attack is a specific person working in a specific position, e.g. the chief accountant. Before cybercriminals attack, they collect information about the victim so that the message seems as credible as possible. E-mails may contain, for example, invoices for participation in a conference that is yet to take place.
Malware and ransomware. This is malicious software that can be installed on accountants’ computers and mobile devices through inattention or ignorance (opening a fake e-mail, downloading an infected file). In this way cybercriminals get hold of important data and information. More and more often, hackers also resort to blackmail: they block access to invoices and data and demand money (a ransom) to restore access.
Vishing, i.e. extracting confidential information over the phone. Criminals obtain information by phone while impersonating someone else. More sophisticated scammers also use voice changers to hide their identity and make their voice sound female or male.
Security at home, i.e. while working remotely, must not be forgotten either. Vigilance in this area is especially important now, because employees cannot verify received e-mails as quickly as in the office, while an unusual order or instruction can cost the company a lot. It is worth checking the sender’s address and considering how often we receive e-mails from that person. If in doubt, it is best to verify the authenticity of the message with colleagues and superiors and to inform others about the attempt to defraud data.
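The checks recommended above (is the sender’s address what it appears to be, how often do we hear from this person, does the message push for urgency) can be turned into a simple triage script. The following is an added example, not code from the article; the known-sender list, the urgency word list, the 0.9 similarity threshold and both sample messages are constructed assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed history: addresses this office has exchanged mail with before
# (assumption: in practice this would be built from the mailbox or a ticketing system).
KNOWN_SENDERS = {"invoices@supplier-example.com", "maria@client-example.com"}
# Time-pressure wording of the kind the text warns about (assumed starter list).
URGENCY_WORDS = ("urgent", "immediately", "today", "overdue", "final notice")


def assess(raw_message: str) -> list:
    """Return the reasons why this e-mail deserves a phone call before acting on it."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    reasons = []
    # A display name that itself shows an address different from the real one.
    if "@" in display_name and display_name.lower() != sender:
        reasons.append(f"display name shows {display_name!r} but mail comes from {sender!r}")
    # "How often do we receive e-mails from this person?" Never is the strongest signal.
    if sender not in KNOWN_SENDERS:
        reasons.append(f"first e-mail ever seen from {sender!r}")
    # Lookalike domain: nearly identical to one we know (e.g. a single swapped letter).
    for known in KNOWN_SENDERS:
        known_domain = known.rsplit("@", 1)[-1]
        similarity = SequenceMatcher(None, sender_domain, known_domain).ratio()
        if sender_domain != known_domain and similarity >= 0.9:
            reasons.append(f"sender domain {sender_domain!r} imitates known domain {known_domain!r}")
    # Replies silently redirected to a third mailbox.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != sender:
        reasons.append(f"Reply-To {reply_to!r} differs from sender")
    # Urgency wording that pushes the reader to act before verifying.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        reasons.append("subject uses urgency wording")
    return reasons


# Constructed sample: lookalike domain (capital I for l), mismatched display name,
# foreign Reply-To and an urgent subject, as in the spear-phishing scenario above.
SUSPICIOUS = ('From: "maria@client-example.com" <maria@cIient-example.com>\n'
              "Reply-To: payments@mailbox-example.net\n"
              "Subject: URGENT: new bank account for today's transfer\n")
# Constructed sample: routine mail from a known contact.
ROUTINE = "From: Maria <maria@client-example.com>\nSubject: Invoice for March\n"
```

Every reason returned for the first sample is one of the checks the text asks the reader to make by hand; the routine message produces none.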

How can accountants prevent attacks?
The accounting industry requires special attention to security and knowledge of procedures. Accountants make more transfers and process huge amounts of information, so they will always be more exposed to cyber-scams. With up-to-date knowledge of this subject, they will be able to defend themselves more effectively.

  • Among the basic principles of protection, verification of the sender’s identity should definitely be singled out. E-mails may also ask for an urgent response, so if in doubt, it is best to contact the person concerned by phone. Let’s also avoid clicking on suspicious links in e-mails or text messages and pay attention to who we let into the company building – explains Krzysztof Wojtas.

It is worth creating your own security policy covering the use of computers, systems and mobile devices. It does not have to be an extensive document written in technical language – what matters is that the instructions are clear and understandable to everyone. It can also provide for backups: if the employees of an accounting office make them, e.g. once a week, they will still be able to perform their duties in case of an attack. If building such a policy proves difficult, a good starting point will be the TYPE and recommendations relating to data security.

What other rules can accountants implement to improve security in an accounting office?

  • The vast majority of our clients are online users, so we, as the service provider, are responsible for security. The only thing that remains on the client’s side is to verify and check whether the correct page is opened, i.e. one with an SSL certificate. In the case of local versions, where the entire burden of infrastructure maintenance and security policies lies with the customer, the situation is different. In both cases, however, it is possible to define some common actions that increase the level of protection: password management, operating system updates, use of modern antivirus programs and vigilance when using IT systems and mail – explains Marcin Kloc, IT Administrator at BrainSHARE IT.

Analysing attack vectors makes it possible to identify the most sensitive elements of the infrastructure and to select appropriate protection tools. A very important element of the network infrastructure in an enterprise is the firewall.

  • A firewall allows you to filter traffic and permit only the traffic that is known to us, in a specific direction, to specific ports and addresses. The firewall is extended by UTM class devices, which make it possible to protect the network more effectively also on higher layers. These devices are designed mainly for small and medium companies – adds Marcin Kloc.
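The “only known traffic, in a specific direction, to specific ports and addresses” principle from the quote above, written out as an nftables ruleset. This is an added illustration, not a configuration from BrainSHARE IT or the article; the subnets, server addresses and the bank address are placeholders (the bank address comes from the 203.0.113.0/24 documentation range).

```nft
# Added example: default-deny forwarding for an accounting workstation subnet.
# Assumed placeholders: 10.0.20.0/24 = accounting workstations,
#                       10.0.10.5    = internal accounting/ERP server,
#                       10.0.10.53   = internal DNS resolver,
#                       203.0.113.10 = the bank's online banking service.
table inet accounting {
    chain forward {
        # Deny everything by default, in both directions.
        type filter hook forward priority 0; policy drop;
        # Replies to connections we already allowed are fine; malformed state is not.
        ct state established,related accept
        ct state invalid drop
        # Outbound: workstations may reach only the ERP server and the bank, HTTPS only.
        ip saddr 10.0.20.0/24 ip daddr 10.0.10.5 tcp dport 443 accept
        ip saddr 10.0.20.0/24 ip daddr 203.0.113.10 tcp dport 443 accept
        # Name resolution only through the internal resolver.
        ip saddr 10.0.20.0/24 ip daddr 10.0.10.53 udp dport 53 accept
        # Nothing may initiate a connection into the accounting subnet; log the attempts.
        ip daddr 10.0.20.0/24 log prefix "acct-inbound-drop " drop
    }
}
```

Anything not listed, including an unexpected outbound connection from a compromised workstation, is dropped by the chain policy rather than by a rule someone has to remember to add.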

It is also worth making sure that a so-called “security environment by assumption” has been created in the accounting office. What does this mean? Roughly, that every employee should have access only to the data necessary to perform his or her duties. If a hacker breaks into one person’s computer, the rest of the data remains safe. Controlling employee access to information will make it much easier to keep order in exceptional circumstances.

There is no doubt that, although we now have access to modern tools for protecting our data, it is best to be aware of the risks and know how to defend ourselves against them. Manipulation techniques exploit human nature, which is why fraudsters’ attacks so often succeed. This can be combated, however, by educating and informing people about the risks lurking online. It is also worth realizing that everyone should inform their superiors, the bank or the police about any suspected attack as soon as possible. Only a quick reaction makes effective action possible.

New European Union Laws on Cybersecurity

In today’s computerised world, where almost everything from small private matters to serious business ventures depends on the efficiency of IT networks, cyber security has become the most serious challenge facing administrators and users of IT networks. Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 on measures for a high common level of security of network and information systems across the Union (the NIS Directive) is the EU’s response to this challenge. It is being implemented by the Act on the National Cyber Security System.

The Act covers primarily the so-called key service providers and digital service providers. The former are service providers that are key to maintaining “critical social or economic activity”. Digital service providers, in turn, are companies providing services by electronic means within the meaning of the Act on Providing Electronic Services (excluding micro and small businesses).

Services considered as key are indicated in the executive regulation to the Act. In turn, digital services covered by the regulation of the Act are indicated in an annex to the Act and include:

  • Internet trading platforms,
  • cloud computing services,
  • search engines.

The Act imposes an obligation on digital service providers to apply technical and organisational measures to ensure an appropriate level of cyber security. A wider range of obligations applies to key service providers. Entities recognized as such by virtue of an administrative decision (and placed on a list kept by the Minister in charge of administration) will be obliged to:

  • implement a security management system in the information system used to provide services,
  • designate a person responsible for maintaining contact with the entities of the cyber security system,
  • report and handle incidents, i.e. events that may adversely affect cyber security,
  • conduct information systems security audits at least once every two years, etc.

As follows from the above, the key to how the Act works in practice will be the executive acts, indicating, among others, the catalogue of key services, as well as the decisions recognizing entities as operators of key services. This practice will show to what extent the Act will actually burden the market with further obligations, which, although probably necessary, will certainly mean (further) significant financial and organisational burdens.

Penal sanctions are provided for violations of the new Act: fines for entities covered by the Act of up to 50,000 EUR, as well as fines for individuals holding managerial positions who have not fulfilled their duties (up to 200% of monthly remuneration).

Cyber Security at Home Office

Remote working and corporate cyber security
Due to the threat from the coronavirus pandemic and governmental recommendations, many people are switching to remote working. Thus, cyber security becomes an important issue for companies: resources must be available to those working from home, but at the same time well protected. The risk increases when safeguards are lacking, but also when the existing ones are mismatched.

According to the World Economic Forum report, cyber attacks are one of the five biggest threats in 2021. This also applies to companies: according to research, as many as 45% of companies suffer financial losses because of them. At the same time, last year only 36% of commercial entities had a strategy for protection against cyber attacks.

These issues are becoming more and more important now that a large part of the staff, for fear of the coronavirus, work from home. Entrepreneurs should remember three elements: risk, reputation and ransomware.

What are the threats to companies?
The growing number of devices connected to the Internet and attacks aimed at them as well as the popularisation of cloud solutions or remote working are new sources of risk for companies. According to the CERT report, the biggest threat to companies is ransomware – malicious software that blocks access to a computer system or encrypts data stored in it, and then demands a ransom for its restoration. This may paralyse all business activities of the company for a long time.

Not only financial losses
Companies are required to carefully safeguard sensitive data, especially personal data. Their leakage may result in legal liability and penalties or financial loss. The cost of cyber attacks to companies in 2019 rose to $4 million. The WEF predicts that by 2021, cyber crime will already cost global economies 7 billion dollars.

Losses are not only caused by downtimes and disruptions in the functioning of companies. Also important is the loss of reputation and image, i.e. trust and loyalty of customers or contractors, crucial for the functioning of any business.

Risk minimization
Each company should enable employees to securely connect to the company’s systems and resources through a VPN and control the resources made available. A key element of protection is risk assessment and minimization. Therefore, companies should have a clear plan of action in case of an attack or violation of data confidentiality. This will allow them to react quickly and minimize losses. It is also important to educate staff on precautions and suspicious activities, especially emails, which should raise their alertness.

Since the risk grows both when safeguards are missing and when the existing ones are mismatched, it is important to introduce solutions tailored to the resources and capabilities of the company. Contrary to popular belief, they do not have to cost much, nor do they require a whole staff of IT employees. A good supplier will provide advice, service or 24/7 remote technical support and proactive monitoring of the infrastructure.
