Managing Cyber Security Risks in Accounting and Finance

Posted: Apr 14  |  By: Trey Gunn

Cyber security is a massive issue in all industries. In accounting and finance, we generally house a great deal of data on each of our clients, and there is a very real threat of identity theft if that data is intercepted or stolen by a malicious third party. Here, we’ll cover a few ways to ensure that you and your organization are taking proper precautions to protect your clients and yourselves.

Have a Security Policy. Know the Policy.

Every firm needs a written IT policy in place, updated regularly to account for changes and advances in technology. Further, staff members need to be aware of the policy in its entirety, and of any updates to it.

While that may seem fairly obvious, according to a 2015 survey conducted by Pace University and the American Association of Chartered Certified Accountants, 30 percent of respondents felt that they did not have a high level of awareness of their company’s cyber risk management policies and procedures, while 32 percent had no knowledge of company policies on data encryption. That means at least a third of staff feel that they lack the basic knowledge of how to properly transmit, store, and otherwise manage electronic information, yet they interact with this data all day long. IT management, in particular, must ensure that the policy exists, is readily available, and is clearly communicated to staff.

Communicate Failures.

The same survey shows that only 17 percent of cyber attacks were routinely reported to senior executives, and less than half of respondents said that they would contact law enforcement in the event of a successful attack. The survey posits that this could be due to the effect on stock prices or public trust if a breach goes public. However, failure to communicate at least within the ranks merely serves to perpetuate the problem. Breaches must be regularly communicated to management—at the very least, to the CIO. Firms must also conduct regular reviews of systems and controls with management involvement.

It is also wise to communicate failures regularly to staff. This provides context for policies and procedures and helps them understand why security procedures are so critical. Workers are often annoyed by a procedure and create workarounds (e.g. “Password1”). Understanding why the procedure matters can help to mitigate that behavior.

BYOD Issues Are Still a Thing.

Toward the latter part of the last decade, the number of smartphones, tablets, and other employee-owned devices increased dramatically. This meant a rapid spread of corporate data onto devices outside the direct control of the IT department. Simply having corporate email delivered to a staff member’s iPhone was cause for concern. Ten years later, it’s still a major cause for concern.

There are lists of things to consider and a myriad of solutions to this issue. Whatever controls you adopt, it’s important to regularly verify that they remain sufficient, and to ensure that employees are actually adhering to policies. Even the simplest policy, like requiring that all devices be protected by a screen lock password, must be regularly verified by a manager. Any device seeking to access corporate data should require authentication and regular re-authentication. Data should be encrypted, business and personal data should be kept separate, and corporate data should never be cacheable on the device. All of this requires good planning and effective deployment, stringent and well-communicated policies, and regular follow-up by IT and managers.

Be Proactive.

Finally, IT management and staff need to actively seek out information and updates on new threats and new solutions. Firms should send staff to IT conferences regularly and provide other educational opportunities so they can keep up with the latest issues. Companies cannot afford for their IT staff to become obsolete: a single large IT failure can bring down the entire organization.