Cyber security and cloud accounting

How can firms mitigate the risks when employing cloud-based accounting software?

The cloud, perhaps due to its nebulous-sounding nature, is perceived by many as a misty repository of data, vulnerable to attack by shadowy cyber criminals. For accountancy practices, which are responsible for holding clients’ financial information, such threats can be devastating, but they still shouldn’t discount the efficiencies that automation in the cloud can provide. They therefore need to mitigate the associated risks, and the first step in combating those risks is to understand where they can arise.

“Threats come from a variety of adversaries with various degrees of motivation and capability,” says Anton Tkachov, chief security architect, financial systems cyber security, at PwC. “They can range from a hacking enthusiast running publicly available tools to nation-sponsored organisations using advanced cyber weapons.”

“Whenever a technology advances, software changes may introduce vulnerabilities in the software itself, which can be attacked, as we saw with the WannaCry and NotPetya ransomware campaigns,” warns Paul Macpherson, head of security at accountancy software company Xero. “Cyber criminals are always looking for a new exploit from which to profit. They create malware to gain access to your systems, hold your data to ransom or steal it. They may impersonate a well-known brand to convince you to click on a link or open an attachment to infect your system. Criminal gangs are making a lot of money from these exploits so they’re not going to stop.”

Interested third parties

However, it may not be your own systems that the criminals are targeting. Weaknesses could appear at any point in the supply chain. “Cloud-based accounting software is provided by a third party, which may not necessarily comply with your own security policy or follow industry security good practices,” says Tkachov. “Even if you’re taking all the right steps to protect your own company, you can’t always be sure others are doing the same, and breaching your suppliers could be a route into extracting your data.”

Jon Lawrence, technical director for assurance at the government’s National Centre for Cyber Security, agrees. In his blog, he writes: “It’s common for providers to make use of a range of third-party services to build their own service, which will inevitably be cloud services themselves. The service you’re using may have been built with cyber security in mind and may be operated by a strong cyber-security team. However, the dependencies they’ve taken on third parties can render these protections nugatory.”

Cloud providers

In reality, cloud-based software is no more or less susceptible to cyber threats than in-house software, but businesses need to understand how the two differ. “The main consideration with cloud-based accounting software is the control lies with the provider and not the business,” says Macpherson. “That’s why it’s important when selecting a cloud services provider to do your due diligence, to ensure you’re using one that meets your security expectations. Look for providers that have had their security controls independently audited by a reputable third party.”


This can be easier said than done. “It’s difficult for people to evaluate the security status of cloud-service providers,” says Mark Taylor, technology manager, technical innovation in the IT faculty at the Institute of Chartered Accountants in England and Wales (ICAEW). It may not be clear what security protocols are being followed; indeed, not publishing their methods may be part of that protocol. “You could look for larger organisations that are compliant with ISO 27001 certification, which is a well-recognised, global standard and an indication that they put a good deal of effort into their security systems.”

It’s also essential to install the latest upgrades. “Keep all your software up to date with the latest security patches to ensure known vulnerabilities are fixed,” says Macpherson. “You should make regular back-ups of your local data and store it securely, disconnected from the device you’ve backed up. You need to ensure the devices and user accounts you use to access your accounting software are properly protected. Install reputable anti-malware [anti-virus] software.”

Educate the users

To protect user accounts, you must also educate the users. With cloud-accounting software, the shift in focus has to go from ‘hard tech’ to business processes. “The emphasis needs to be on behaviour of staff,” says Mike Goodwin, vice president of product security at Sage Group. “It’s about the simple things. Do staff have good password hygiene? Do they use those passwords on other websites? It’s very important they have an awareness of things like phishing, which can result in them downloading malware. When giving out permissions, do you think about what individuals really need? Can one person cause damage? If you have cloud-accounting software with one login shared across the business, it’s going to open you up to risk because you can’t tell who’s done what. These things are more comprehensible for a typical business owner than the more technical side. It makes the cloud seem like less of a dark art.”

If staff reuse the same password across multiple accounts, a breach of any one of them exposes the rest through ‘credential stuffing’, where a stolen username and password pair is tried against many other commonly used sites. One way of protecting accounts against this is a multi-factor login, for example where a one-time code is sent to a registered mobile phone before access is allowed.

Who’s accountable?

So who should be taking ownership and enforcing these processes? This is not, insists Goodwin, an issue for the IT manager. “Security has less to do with technology and more to do with everyone in the business, so it makes more sense to shift ownership to senior management.”

Tkachov agrees. “The business owners are ultimately accountable for making the decisions around security investments and the management of cyber risk. Cyber attacks are now a case of when, not if, so organisations must have a plan to respond to an incident by containing the threat, recovering systems and working with the relevant regulators, partners and customers to limit the damage.”

Data regulations

In the UK, the Data Protection Act (DPA) requires businesses to ensure client data is used fairly and lawfully for limited, specifically stated purposes, and that it’s kept safe and secure. Next year, the General Data Protection Regulation (GDPR), focusing on consumer rights, will be adopted in order to protect data at a much higher level.

“The landscape of cyber security regulations is getting more complex every day,” says Tkachov. “The regulators are keen to ensure that customer data is processed, stored and shared in a secure manner, so they’re continuously working on creating control frameworks at both local and global levels to help firms create more robust security programmes. Non-compliance with these control requirements could lead to fines of up to 4% of a firm’s global turnover once the GDPR comes into force from 25 May 2018, so now is the time to act.”

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only.