How small firms can run cost-effective security audits
Reducer co-founder Stuart Kemp offers insight into the surprisingly varied and eye-opening security of well-known firms and apps in the accounting industry.
What do Members of Parliament, barristers, airline pilots, doctors and accountants have in common? They are all professions approved by the UK government to countersign a passport application – the most trusted professions.
The reputation of an accounting firm can be damaged through misconduct, as was the case in 2002 when Arthur Andersen lost its license to practice due to auditing fraud. But trust is more commonly eroded through honest mistakes, such as the data breaches at Deloitte in 2017 and Wolters Kluwer in 2019.
Prevention is better than cure, so the largest firms keep a close eye on their security risks. This includes assessing internal systems but it also extends to third party applications and partners.
When a large firm considers working with a new app, it will typically conduct a security audit to ensure their clients’ data will be safe with the partner.
Checking and monitoring security: where to begin
Security audits differ significantly between firms, but they will usually involve the potential partner completing a questionnaire designed by the firm’s security team. There may also be a degree of technical investigation to validate the partner’s claims.
Needless to say, it can be an expensive and time-consuming process for both the accounting firm and the application partner, especially if a dedicated security consultant is employed to help out. It’s no surprise, then, that small firms do not typically perform a security audit on new partners.
So what can a small firm do to ensure that they only work with partners who can be relied upon to secure their data? The answer is that a lot can be done quickly, simply and cheaply.
What systems can be used for scoring security?
Small accounting firms don’t have the time to become security experts, so it makes sense to rely on those who specialise in the field. This knowledge can be surprisingly easy to access.
A security scanner is a tool that executes automated tests against a website or software platform. A scanner may run hundreds of different tests to check for security weak spots in everything from encryption protocols to email configurations.
A number of companies who offer bespoke security consulting also offer free online security scanners. The best ones turn the results into a simple to understand score such that no technical knowledge is required to interpret the outcome.
The best freely available security scanner is Upguard’s Webscan. To use the scanner, simply type the partner’s website address into the webscan form, and Upguard will perform dozens of automated security checks. The result is a straightforward score out of 950.
The highest scoring apps of those tested were Reducer and Fathom, with a score of 922 and 846 respectively. The majority of accountancy apps score between 700 and 850. A score of less than 700 should be a strong warning sign that there’s a security issue.
What should be done when an app or firm scores poorly?
Raising a security scanner score with a partner should be the basis of an open conversation.
However, if a partner is defensive, seeks to close the conversation without action, or tries to divert attention from the issues raised with excessive technical terminology, it might be time to walk away.
Security improvements are often relatively straightforward to implement, and tools like Upguard advise on how to remediate any weaknesses they find.
Upguard provides the most comprehensive freely available security scanner. However, a number of other excellent services are also available.
Security Headers is widely used in the cybersecurity industry to test HTTP security. Grades of ‘A’ or ‘A+’ are rare marks of excellence, whilst the more common results of ‘D’ and ‘F’ should be considered concerning.
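To make concrete what a header-focused scanner such as Security Headers is checking for, here is an added example (not code from the article, from Security Headers, or from Upguard) that grades the HTTP response headers of a site you operate or are authorised to check. The header list, the weights and the letter-grade thresholds are this example's own assumptions and not the scoring rules of any real scanner; the two sample responses are constructed, not captured from any real site.

```python
"""Grade a site's HTTP security headers the way a header scanner would.

Added example, not from the article or any scanner vendor. Header weights
and grade thresholds are assumptions chosen for illustration.
"""
import re
import sys
import urllib.request
from typing import Mapping

# Headers a defender expects on a public HTTPS site, with the weight each
# contributes to a 0-100 score (assumed weights, not a real scanner's rules).
EXPECTED_HEADERS = {
    "strict-transport-security": 25,
    "content-security-policy": 25,
    "x-content-type-options": 15,
    "x-frame-options": 15,
    "referrer-policy": 10,
    "permissions-policy": 10,
}

GRADE_THRESHOLDS = ((95, "A+"), (80, "A"), (65, "B"), (50, "C"), (35, "D"))


def grade_for(score: int) -> str:
    """Map a 0-100 score to a letter grade using the assumed thresholds."""
    for threshold, letter in GRADE_THRESHOLDS:
        if score >= threshold:
            return letter
    return "F"


def audit_headers(headers: Mapping[str, str]) -> dict:
    """Return score, grade and a list of findings for one HTTP response.

    `headers` maps header name to value; names are matched case-insensitively.
    """
    present = {name.lower(): value for name, value in headers.items()}
    score = 0
    findings = []
    for name, weight in EXPECTED_HEADERS.items():
        value = present.get(name)
        if value is None:
            findings.append(f"missing {name}")
            continue
        # Value checks a reviewer would make by hand, not just presence checks.
        if name == "strict-transport-security":
            match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
            if not match or int(match.group(1)) == 0:
                findings.append("strict-transport-security has no positive max-age (HSTS disabled)")
                continue
        if name == "x-content-type-options" and value.strip().lower() != "nosniff":
            findings.append("x-content-type-options is not 'nosniff'")
            continue
        if name == "content-security-policy" and "script-src" in value and "'unsafe-inline'" in value:
            findings.append("content-security-policy allows 'unsafe-inline' scripts")
            score += weight // 2  # partial credit: present but weak
            continue
        score += weight
    # Informational only: a version string in Server is worth noting but not scored.
    if "/" in present.get("server", ""):
        findings.append(f"server header discloses version: {present['server']}")
    return {"score": score, "grade": grade_for(score), "findings": findings}


def fetch_headers(url: str, timeout: float = 10.0) -> dict:
    """Fetch response headers from a site you are authorised to check."""
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "header-audit-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample responses (not captured from any real site).
GOOD_SITE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
}
WEAK_SITE = {
    "Server": "Apache/2.4.29",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
}

if __name__ == "__main__":
    # Usage: python audit.py https://your-own-site.example  (or no argument for the sample)
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else WEAK_SITE
    result = audit_headers(headers)
    print(f"score {result['score']}/100, grade {result['grade']}")
    for finding in result["findings"]:
        print(" -", finding)
```

Run against the constructed `WEAK_SITE` the script reports an F with a list of missing or weak headers, which is the kind of plain-language output the article says a good scanner should give; the real services run far more checks (including the TLS and malware tests discussed below), but the principle of turning a response into a score and a remediation list is the same.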
SSL Labs by Qualys provides the most detailed analysis of SSL certificates and encryption protocols available. A score of ‘A+’ is excellent, ‘A’ is fine and ‘B’ is worrying.
Last but not least, Sucuri’s Sitecheck is particularly powerful at finding undetected malware and unpatched software on web servers. It’s also the only freely available security scanner that can detect whether a site employs active security monitoring and a firewall.
Building a reputation in accountancy can take a lifetime, and losing it through a security breach can take moments. Small firms have the same security risks as the Big Four, but far fewer resources to keep on top of them.
Free security scanners offer a simple solution to running a security audit on potential partners. The real question, though, is whether firms should also turn the scanners on their own systems.