July 14, 2021
Published: The Accountant
Most organisations were taken by surprise when the pandemic struck back in early 2020, and those in the accounting sector were no exception.
But the firms that adapted best were those that were already investing in cloud-centric transformation projects, where next-gen applications and infrastructure enabled them to become more agile, support flexible working and deliver enhanced client experiences faster. Like their counterparts across the financial services industry, however, the challenge accounting firms face is that cloud applications can also expose organisations to increased cyber-risk.
Accountants hold a lot of valuable, personally identifiable data and financial information, including tax returns, asset investments, corporate strategies and intellectual property for both individuals and businesses – making them a prime target for cybercriminals. This in itself would not necessarily be cause for concern, but as we discovered in a recent study of IT decision makers across all industries including financial services, there is currently a significant disconnect between headline confidence in security strategies and the day-to-day reality.
The danger of this is heightened in the context of ever-closer regulatory scrutiny of the accounting sector. Reporting of data breach incidents may have fallen in the sector between 2019 and 2020, but that is likely to be more a reflection of improved understanding of legislative small print by corporate lawyers. The cyber-risk is still greater than ever.
Growth incubates risk
Global financial services organisations, including accountants, have been enthusiastic adopters of digital technology during the pandemic. The vast majority told us that the crisis had considerably (46%) or somewhat (42%) accelerated their plans for cloud migration.
But with increased digital transformation comes increased digital risk. That matters even more when you operate in a sector popular with threat actors. Over the past few years we have already seen proof of this in high-profile hits on the likes of MNP in Canada and BST & Co – which was subsequently sued – in the US.
For accounting firms with a large cloud footprint, there are simply more workloads for threat actors to target, more accounts and services to potentially misconfigure and more complexity that must be managed. And while the broader financial services sector may have more to spend on cybersecurity, the fallout can be even greater. Data breach costs in the financial sector are calculated to be the third highest globally, after energy and healthcare – amounting to nearly $6m per incident.
The good news is that accounting organisations do not appear to be complacent about this increased danger. In fact, most (51%) of the financial organisations Trend Micro polled believe that cloud migration has focused their minds more on cybersecurity than previously. The majority (58%) also confirmed that they have implemented specific security training policies to mitigate any risk of user exposure impacting the business.
And this confidence extends to the security posture. Most said they feel fully (36%) or mostly (55%) in control of securing the remote working environment, and a similar combined number (87%) were confident about securing the future hybrid workforce. In addition, over two-thirds felt certain in their ability to see data flows as business-critical information is sent from corporate systems to remote workers.
All this is pretty reassuring on the face of it, but on closer inspection, there may be more deep-seated challenges for accounting firms. Despite confidence in their security strategy, nearly half (48%) of financial sector respondents claimed privacy and security challenges represent a ‘very significant’ or ‘significant’ barrier to cloud adoption – singling out setting consistent policies, a lack of integration with on-premises security tech, and patching and vulnerability management as the top three operational security headaches in this area.
Also of concern is awareness around the shared responsibility model, which defines how far protection from cloud service providers (CSPs) extends and what the customer is responsible for. While almost all (99%) of those we polled said their CSP provides ‘more than enough’ or ‘sufficient’ data protection, and 90% were also very or somewhat confident in their understanding of the model itself, the reality is somewhat different. In actual fact, data security is 100% the customer’s responsibility in infrastructure-as-a-service and platform-as-a-service environments.
It is not difficult to see how such confusion could expose accounting organisations to greater cyber-risk. Assuming your provider is taking care of data security, or any other area for that matter, could lead to under-investment and critical gaps in protection. On the other hand, it could also mean organisations wasting money on security controls that duplicate what the provider already offers.
Security that works
We were also concerned to see that more financial sector IT leaders believe cloud security adoption makes life more complicated and expensive than believe it does not. Over a quarter (27%) think it can also create more siloes, when in fact the right tools can bring IT security and developer teams closer together. Such misconceptions may be based on bad experiences with first-generation tools, or simply the result of skills gaps in responding organisations.
Fortunately, cloud security has advanced considerably in recent years and there are multi-layered platforms out there today that promise seamless connectivity into the major CSP platforms. That means powerful, streamlined security and compliance with a high degree of automation to simplify protection while mitigating risk and taking the heat off stretched IT security teams.
Given this, the accounting firms quickest to familiarise themselves with this new reality will set themselves up to be in pole position for digital-powered innovation and growth as they exit the Covid-19 pandemic. There is no time to waste.