Three key security questions every accountant should keep in mind
Stuart Kemp highlights the main questions accountants should ask software partners before choosing an app for their practice.
One of the most hotly debated questions in accountancy firm boardrooms is which apps will bring the most benefits and success. Accountants and their clients have both seen huge productivity gains through the introduction of new software. But the digital revolution also brings with it great risks, including data breaches, loss of trust and damage to reputation.
Are accountants asking the right questions before they engage with a new service? We’ve seen some good examples of firms running security due diligence, but all too often it boils down to a box-ticking exercise.
Common questions focus on things like database encryption standards and which versions of cryptographic protocols a web application supports. All worthy things to consider, but they cover a modest proportion of a system’s total security landscape.
To get the full picture, accounting firms should seek to understand if a potential partner has a security culture at heart and assess whether their operations are as secure as their infrastructure.
Here are three important questions that all accountants should be asking their app partners.
How do you manage passwords in your business?
In modern times, we all have dozens of online accounts, each requiring a password. It's no surprise that we resort to reusing passwords; this is a malaise known as password fatigue. Unfortunately, it means that a breach of any one account we use may compromise all of the others.
System administrators typically seek protection through enforcement of password complexity and rotation. However, the National Cyber Security Centre points out that such measures are likely to decrease, not increase, your level of security.
The first part of the solution is two-factor authentication, which should be enabled for all key services, particularly company emails, as it is commonly used as a second factor of authentication for other software.
The second part of the solution is the use of a password manager, a simple service that stores all of your passwords securely. A password manager will help you generate unique, complex passwords for each service you use.
It's also vital that security officers educate their staff on why password managers are so important. A good exercise for new starters is to have them visit haveibeenpwned.com, which tells users which data breaches their details have been exposed in.
How do you secure your source code and keys?
All applications must contact other software services, whether that be an Android app talking to its database back at headquarters, or a web application connecting to a third-party service, like Xero. When they do so, they must authenticate themselves, usually with a key and a secret. An application's user data is at the mercy of how well developers look after such keys.
A common mistake in software development is to hardcode access keys into the source code. Even if this is a temporary measure whilst getting a service up and running, the keys will remain forever in the source code history.
Well-architected systems never keep keys or passwords in the code and do not require keys to be distributed across whole developer teams. Using an online vault such as AWS Secrets Manager means that keys can only be accessed by running systems, and the circle of developers trusted with sensitive keys can be limited to just one or two people.
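As an added example (not code from the article), the check below flags credential-looking variables assigned a literal value in source, next to the same settings read from the environment at runtime. The variable names, file contents and key values are constructed placeholders.

```python
import re

# Constructed sample source, showing the mistake the article warns against:
# a secret pasted straight into the code (values are made-up placeholders).
BAD_SOURCE = '''
XERO_CLIENT_ID = "EXAMPLECLIENTID000000000000"
XERO_CLIENT_SECRET = "s3cr3t-EXAMPLE-value-not-real-1234567890"
DB_PASSWORD = ""          # empty placeholder, not a leaked value
timeout = 30
'''

# The same settings read at runtime instead of being committed to the repository.
GOOD_SOURCE = '''
import os
XERO_CLIENT_ID = os.environ["XERO_CLIENT_ID"]
XERO_CLIENT_SECRET = os.environ["XERO_CLIENT_SECRET"]
'''

# Variable names that usually hold credentials (a client ID alone is not a secret).
SENSITIVE_NAME = re.compile(r"(secret|password|passwd|token|api_?key|client_?secret)", re.I)
# A literal string assignment: NAME = "value" or NAME = 'value', optional trailing comment.
LITERAL_ASSIGN = re.compile(r"""^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(['"])(.*?)\2\s*(#.*)?$""")


def find_hardcoded_secrets(source: str, min_len: int = 8):
    """Return (line_no, variable_name) for each credential-looking variable
    that is assigned a literal of at least min_len characters."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        m = LITERAL_ASSIGN.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(3)
        if SENSITIVE_NAME.search(name) and len(value) >= min_len:
            findings.append((no, name))
    return findings


if __name__ == "__main__":
    for label, src in (("bad", BAD_SOURCE), ("good", GOOD_SOURCE)):
        print(label, find_hardcoded_secrets(src))
```

Run the check over each commit's diff as well as the working tree, since a key deleted from the current code is still present in the repository history.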
Application source code should be treated as a highly sensitive resource, with all code repositories secured with two-factor authentication.
How do you prevent your business from being phished?
According to the National Crime Agency, phishing continues to be one of the most effective vectors for attacking a business. Spear-phishing, the highly targeted and customised work of professionals, is anything but easy to spot.
The rise of AI is leading to deepfakes that may be indistinguishable from the real thing. A phone or video call from "your CEO" demanding immediate access to an account is a reality that is already upon us. Such a call may not lead immediately to an organisation's crown jewels, but it is where most hacks start, and the best place to stop an attack in its tracks.
There is no silver bullet when it comes to defending your business against phishing, but there are plenty of actions that will reduce a business’s risk.
For example, you should think carefully about what data is published on your website, including personal details and contact details of staff. This is particularly true as hackers seek to exploit situations in the wake of Covid-19. Setting up DMARC email security will limit the opportunities for hackers to spoof your company emails.
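As an added example (not from the article), the script below parses a domain's DMARC TXT record and reports the settings that still leave room for spoofing, such as a monitoring-only policy. The records and the example.invalid domain are constructed; in practice the record is the TXT entry at _dmarc.<your-domain>.

```python
from typing import List, Optional


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: Optional[str]) -> List[str]:
    """Return findings that weaken the record; an empty list means it is enforcing."""
    if not txt:
        return ["no DMARC record: receivers have no policy for mail claiming to be from this domain"]
    tags = parse_dmarc(txt)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record does not start with v=DMARC1 and will be ignored by receivers")
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag; the record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: the policy is applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports on spoofing attempts will not be received")
    # The subdomain policy sp= defaults to the domain policy when absent.
    if tags.get("sp", policy) == "none":
        findings.append("subdomains are not covered by an enforcing policy")
    return findings


# Constructed records for a fictional practice domain.
WEAK = "v=DMARC1; p=none"
BETTER = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.invalid"
STRONG = "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid; sp=reject"

if __name__ == "__main__":
    for name, record in (("weak", WEAK), ("better", BETTER), ("strong", STRONG)):
        print(name, assess_dmarc(record) or ["enforcing"])
```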
Training and testing staff on phishing risks isn’t as exciting as enforcing encryption standards, but the history of corporate hacks tells you it's more important. Using endpoint security (computer virus detection) will help limit the risks, as will using up-to-date web browsers.
Most hacks have little to do with deeply technical security issues and more to do with poor practices and culture. Checklists are here to stay, but next time you're doing due diligence with a partner app, consider whether you are getting the most out of the interaction. Small changes to your due diligence will help prevent a data breach that can damage your reputation.