Stuart Kemp, Co-Founder and CTO, Reducer

Three key security questions every accountant should keep in mind

Stuart Kemp highlights the main questions accountants should ask software partners before choosing an app for their practice. 

3rd Jun 2020

One of the most hotly debated questions in accountancy firm boardrooms is which apps will bring the most benefits and success. Accountants and their clients have both seen huge productivity gains through the introduction of new software. But the digital revolution also brings with it great risks, including data breaches, loss of trust and damage to reputation.

Are accountants asking the right questions before they engage with a new service? We’ve seen some good examples of firms running security due diligence, but all too often it boils down to a box-ticking exercise.

Common questions focus on things like database encryption standards and which versions of cryptographic protocols a web application supports. All worthy things to consider, but they cover a modest proportion of a system’s total security landscape.

To get the full picture, accounting firms should seek to understand if a potential partner has a security culture at heart and assess whether their operations are as secure as their infrastructure.

Here are three important questions that all accountants should be asking their app partners.

How do you manage passwords in your business?

These days we all have dozens of online accounts, each requiring a password, so it is no surprise that we resort to reusing them; the condition is known as password fatigue. Unfortunately, it means that a breach of any one service exposes the password we use everywhere else, and attackers routinely try leaked credentials against other sites.

System administrators typically seek protection by enforcing password complexity rules and regular forced changes. However, the National Cyber Security Centre advises against both: complexity rules push people towards predictable patterns, and forced rotation produces small, guessable variations on the old password, so such measures are likely to decrease, not increase, your level of security.

The first part of the solution is two-factor authentication, which should be enabled for all key services, and above all on company email: the email account receives password resets and verification codes for other software, so whoever controls it can take over those accounts too.

The second part of the solution is the use of a password manager, a simple service that stores all of your passwords securely. A password manager will generate and store a unique, random password for each service you use, so a breach at one service cannot be replayed against another.

It’s also vital that security officers educate their staff on why password managers are so important. A good exercise for new starters is to have them visit haveibeenpwned.com, which shows which known data breaches their email address has appeared in.
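The same site also lets software check a candidate password against its breach corpus without ever sending the password, and a partner app can build this into its sign-up form. The example below is added for this page (it is not code from the article or from Reducer) and goes one step beyond the exercise above: it implements the k-anonymity range query used by the Pwned Passwords API at api.pwnedpasswords.com, in which only the first five characters of the password's SHA-1 hash leave the machine. The sample API response is constructed for the test and its counts are made up; only the live `breach_count` function touches the network.

```python
import hashlib
import hmac
import urllib.request
from typing import Dict, Tuple

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"


def split_for_range_query(password: str) -> Tuple[str, str]:
    """SHA-1 the password; only the 5-char prefix is sent, the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Response lines look like '<35-hex-char suffix>:<count>'. Padded responses
    also contain zero-count decoy lines; they are kept but can never be a real hit."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count_from_response(password: str, body: str) -> int:
    """How many times the password appears in the breach corpus (0 if never)."""
    _, suffix = split_for_range_query(password)
    for candidate, count in parse_range_response(body).items():
        if hmac.compare_digest(candidate, suffix):
            return count
    return 0


def breach_count(password: str) -> int:
    """Live check (needs network). Add-Padding asks the API for a padded reply so
    the response size does not reveal how many suffixes share the prefix."""
    prefix, _ = split_for_range_query(password)
    request = urllib.request.Request(RANGE_ENDPOINT + prefix,
                                     headers={"Add-Padding": "true"})
    with urllib.request.urlopen(request, timeout=10) as response:
        body = response.read().decode("utf-8")
    return breach_count_from_response(password, body)


# Constructed stand-in for the API's reply to /range/5BAA6, the prefix for "password".
# The suffixes other than the real one and all of the counts are made up.
SAMPLE_RANGE_BODY = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
1E2A9F4B3C7D6E5F4A3B2C1D0E9F8A7B6C5:0
"""

if __name__ == "__main__":
    print("offline check:", breach_count_from_response("password", SAMPLE_RANGE_BODY))
```

A non-zero count is a reason to reject the password at sign-up, which is exactly the NCSC's preferred alternative to complexity rules: block passwords that are already in attackers' lists rather than demanding symbols and rotation.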

How do you secure your source code and keys?

All applications must contact other software services, whether that is an Android app talking to its database back at headquarters or a web application connecting to a third-party service such as Xero. To do so they must authenticate themselves, usually with an API key and secret. An application’s user data is only as safe as the developers’ handling of those keys.

A common mistake in software development is to hardcode access keys into the source code. Even if this is a temporary measure while getting a service up and running, the keys remain forever in the source code history, visible to anyone who later gains read access to the repository. A key that has been committed should be treated as compromised and rotated; deleting it from the current version of the code is not enough.

Well-architected systems never have keys or passwords in the code and do not require keys to be distributed across whole developer teams. Using a vault such as AWS Secrets Manager means that keys are fetched at runtime by the running system under its own identity, and the circle of developers trusted with sensitive keys can be limited to just one or two people.

Application source code should be treated as a highly sensitive resource, with all code repositories secured with two-factor authentication.
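A due-diligence question worth asking a partner is whether anything scans their commits for the mistake described above. The example below is added for this page (it is not code from the article or from Reducer): a small scanner that flags the three common shapes of a leaked credential (an AWS access-key ID, a credential-looking assignment, and a random-looking string hidden under an innocent name), alongside the well-architected alternative of reading the secret from the running process. The sample source file is constructed; every value in it is a placeholder, and the access-key ID is the one AWS uses in its own documentation.

```python
import math
import os
import re
from collections import Counter
from typing import List, Mapping, Tuple

# Detection rules. The AWS rule matches the documented access-key-ID shape
# (AKIA/ASIA followed by 16 upper-case alphanumerics); the keyword rule catches
# credential-looking assignments; the entropy rule catches random-looking strings
# assigned under innocent names.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
PRIVATE_KEY_HEADER = re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")
KEYWORD_ASSIGNMENT = re.compile(
    r"(?i)(api[_-]?key|secret|token|password|passwd)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]")
QUOTED_STRING = re.compile(r"['\"]([^'\"\s]{20,})['\"]")


def shannon_entropy(s: str) -> float:
    """Bits per character: random hex tops out near 4.0, prose sits well below 3.5."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_source(text: str, entropy_threshold: float = 3.5) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs for anything that looks like a committed secret."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if AWS_ACCESS_KEY_ID.search(line):
            findings.append((lineno, "aws-access-key-id"))
        elif PRIVATE_KEY_HEADER.search(line):
            findings.append((lineno, "private-key-material"))
        elif (match := KEYWORD_ASSIGNMENT.search(line)):
            findings.append((lineno, "hardcoded-" + match.group(1).lower()))
        else:
            for candidate in QUOTED_STRING.findall(line):
                # URLs are long and fairly random-looking but are not secrets.
                if "://" not in candidate and shannon_entropy(candidate) >= entropy_threshold:
                    findings.append((lineno, "high-entropy-string"))
                    break
    return findings


def load_secret(name: str, environ: Mapping[str, str] = os.environ) -> str:
    """The well-architected alternative: the secret is injected into the running
    process (by the deployment, from a vault such as AWS Secrets Manager), never
    read from the code base. Fails closed if it is absent."""
    value = environ.get(name, "")
    if not value:
        raise RuntimeError(f"{name} was not provided to this process")
    return value


# Constructed sample of a bad commit. Nothing below is a live credential.
SAMPLE_SOURCE = '''\
import requests

# Constructed example: nothing below is a real credential.
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
xero_client_secret = "s3cr3t-ExAmPle-0123456789abcdef"
password = "password"
cache_salt = "c8b2f1e9a4d7036b5e2f9a1c4d8e7b3f0a6d5c2e"
XERO_API = "https://api.xero.com/api.xro/2.0/"
DEBUG = "true"
'''

if __name__ == "__main__":
    for lineno, finding in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {finding}")
```

Run as a pre-commit hook or in CI, a scanner like this stops the key entering history in the first place, which is cheaper than the rotation that becomes mandatory once it has.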

How do you prevent your business from being phished?

According to the National Crime Agency, phishing continues to be one of the most effective attack vectors against a business. Spear-phishing, the highly targeted and customised work of professionals, is anything but easy to spot.

The rise of AI is producing deepfakes that may be indistinguishable from the real thing. Phone or video calls from someone impersonating your CEO and demanding immediate access to an account are a reality that is already upon us. Such a call may not lead directly to an organisation’s crown jewels, but a phished credential is where most intrusions start, and the best place to stop an attack in its tracks.

There is no silver bullet when it comes to defending your business against phishing, but there are plenty of actions that will reduce a business’s risk.

For example, you should think carefully about what data is published on your website, including personal details and contact details of staff. This is particularly true as hackers seek to exploit situations in the wake of Covid-19. Publishing a DMARC policy for your domain (which relies on SPF and DKIM already being in place) tells receiving mail servers to reject or quarantine mail that claims to come from your domain but fails those checks, limiting the opportunities for hackers to spoof your company emails. Note that a policy of p=none only reports and blocks nothing.
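Checking a partner's (or your own) DMARC record is a five-minute due-diligence item, and the example below is added for this page to show what to look for; it is not code from the article or from Reducer. It parses the TXT record published at `_dmarc.<domain>` and lists the weaknesses a reviewer should flag, with a constructed monitoring-only record beside a constructed enforcing one. It assumes you have already fetched the record, for instance with `dig +short TXT _dmarc.example.com`.

```python
from typing import Dict, List


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return the weaknesses in a DMARC record. An empty list means receivers are
    told to reject or quarantine every message that fails SPF/DKIM alignment."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: it must start with v=DMARC1"]
    issues: List[str] = []
    policy = tags.get("p")
    if policy is None:
        issues.append("no p= tag: receivers treat the record as invalid and apply no policy")
    elif policy == "none":
        issues.append("p=none only monitors: spoofed mail that fails alignment is still delivered")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        issues.append(f"pct={pct}: the policy is applied to only that percentage of failing mail")
    if policy not in (None, "none") and tags.get("sp", policy) == "none":
        issues.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        issues.append("no rua= address: you will never see the aggregate reports that show who is spoofing you")
    return issues


# Constructed records: the monitoring-only starting point and the enforcing target.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                 "rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensic@example.com")

if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(label, assess_dmarc(record) or ["enforcing"])
```

The usual path is to start at p=none with a rua= address, read the aggregate reports until every legitimate sender (payroll provider, CRM, newsletter tool) passes, and only then move to p=quarantine and p=reject; a record that has sat at p=none for years is a sign the project stalled.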

Training and testing staff on phishing risks isn’t as exciting as enforcing encryption standards, but the history of corporate hacks tells you it's more important. Using endpoint security (computer virus detection) will help limit the risks, as will using up-to-date web browsers.

Most hacks have little to do with deeply technical security issues and more to do with poor practices and culture. Checklists are here to stay, but next time you’re doing due diligence with a partner app, consider whether you are getting the most out of the interaction. Small changes to your due diligence will help prevent a data breach that can damage your reputation.

Replies (2)

By pauljohnston
04th Jun 2020 10:22

So why do you think that part of the solution is two-factor authentication, which should be enabled for all key services, particularly company emails, as it is commonly used as a second factor of authentication for other software.

Experience tells us that if you introduce two-factor, it is either by mobile phone text or by email. To have it by text means that each staff member has to have a mobile phone or a mobile number that reports to email. If either does not work immediately there is a loss of productivity and frustration for the staff member. Microsoft has been known to take 30 mins, as has QuickBooks.

I do agree a password manager is excellent. We introduce it with training when taking on a new member of staff.
Replying to pauljohnston:
By CJHolm
04th Jun 2020 11:47

@Pauljohnston - you might wish to look at two-factor apps that can be installed on every staff member's PC - that way, two-factor codes are available instantly. There are several - Authy and Google Authenticator. Authy is reliable and easy to move to another device when upgrading phones or PCs/Macs in the future (no, I don't work for them - and they are both free).

Two factor authorisation (2FA) by mobile phone is better than nothing, but can still be compromised, and two factor via email is a poor option. An app would be more secure.

Stuart's recommendation for implementing 2FA is correct. It might be more frustrating for users if the wrong method of 2FA is chosen, but virtually every case of compromised accounts we see relates to individuals who do not use 2FA.

The main trouble arises from staff members who use their work email to register for several services and then use the same password for all of them. When one of those services has a data breach, their password for every other service they use (probably including their work accounts too) is available in the wild, for anyone with the required knowledge to see (and use). Two Factor removes this access to hackers.

Craig