Security in Cyberspace: The age of technology and the accounting profession

IAB reporter Santiago Bedoya-Pardo speaks to My1Login CEO, Mike Newman, to discuss the future of cybersecurity in the accountancy profession.

In an age of ever-greater interconnectedness and undeniable dependence on technology, security in cyberspace is a greater concern than ever before. This is true across sectors, from social media sites handling personal data to governments safeguarding state secrets – and the accountancy profession is no exception.

Criminals in cyberspace follow the money, which makes those in the profession prime targets. Accountants hold multiple pieces of information that are ultimately keys to sensitive data, from Government Gateway credentials to client bank accounts. Whether through phishing or password cracking, accountants are under constant threat of cyberattack.

However, they are fully aware of this. According to a Caseware study published earlier this year, investing in technology has become a key priority for the profession in 2024. With technology expertise in particularly high demand for internal audit departments, it’s clear that audit firms are looking to build teams equipped to deliver the audit of the future. When exploring the skill sets departments sought, data science elicited 18% of responses, while IT audit and cybersecurity garnered 15% and 12%, respectively. Artificial intelligence secured 9% of responses, while fraud examination was the most sought non-technical skill (10%) with ESG polling at 8%.

With cyberattacks now a risk that must be faced daily, a question arises: what can accountants do to protect themselves against these threats?

In search of an answer, IAB sat down with My1Login CEO Mike Newman to explore both the threats facing the profession and the strategies and tools available to counter them. Newman has been in the technology industry for almost 30 years, most of which he has spent working with UK-based PLC organisations. He reflects on what drove him to found My1Login, jokingly reminiscing about being asked to remember “yet another password”. Seeking to offer enterprises a better solution than depending on the memories of their workforce, Newman set out to eliminate that need, putting enterprises “back in control” of these key pieces of information, “eliminating” a wide array of security risks and maximising their efficiency.

Mike Newman, CEO, My1Login

Santiago Bedoya-Pardo (SBP): In light of the profession operating increasingly in cyberspace, what do you think is key to understanding the nature of cybercrimes threatening accountants? And how can we expect these attacks to evolve in the future?

Mike Newman (MN): In order to do this, we need to first understand the biggest area of risk for accountancy firms – which is typically the way that they manage, control, and share access to Government Gateway services, and HMRC services. When looking at Government Gateway, especially their accounts system, firms are often authenticating using a user ID and a password. However, in most firms, you will have large teams of individuals that need access to these accounts, turning them into shared accounts – yet there is no real mechanism to go about this securely.

Companies will often store this information, these passwords and IDs, in spreadsheets or Word documents which are then put on servers to facilitate access for these large teams. Needless to say, this poses a major risk. Not only is this data stored on servers that are widely accessible and liable to cyber-attacks, but individuals leaving the organisation might still retain access to it, which shouldn’t be happening.

Additionally, there may be efficiency issues. Both accountants and tax professionals using Government Gateway will have to go through what is a very cumbersome process, first having to figure out what account they need to log in to with HMRC, then having to source the login details for that account on their organisation’s server, which may be a process that is not particularly user friendly. Once they’ve managed to access this information and insert their login information, they’ll have to then authenticate their login, which creates a real problem in relation to efficiency.


SBP: In light of this, what specific measures and cybersecurity strategies could organisations implement to tackle these issues? What approaches are essential for protecting this sensitive information from unauthorised access or theft?

MN: The key cybersecurity measures would typically be to have effective identity and access management tools in place. Unfortunately, the way most organisations have sought to address this has been to employ exclusively Microsoft tools to control most of it. This is great for the core business applications that accountancy firms use; it works well for Office 365, Salesforce, and other SaaS products.

The real challenge for firms, however, is to ensure that they have equally robust cybersecurity and single sign-on measures in place for all the other applications accountants may be using. This would include Government Gateway, bank accounts, clients’ bank accounts, payroll systems, and all of these other platforms we may not classify as core applications. This is the area in which accountancy firms really need to bolster their cybersecurity strategies. By implementing identity and access management solutions, together with tools like single sign-on, they can do away with these high levels of risk.

SBP: These solutions come through as strategies that companies may seek to implement in order to avoid high risk situations in the long term – How should they approach high-risk incidents in real time? If they have identified a security breach which may jeopardise sensitive data, what immediate steps could they take to mitigate the impact of a cyberattack?

MN: Fortunately for firms, there is a wide array of incident management plan templates offered by cybersecurity providers, and these can and should be used as the basis for an incident response. They should also aim to steer towards the National Cyber Security Centre guidelines, and furthermore refer to the Information Commissioner’s Office. By adopting these steps in the face of an incident, firms can be provided with both a legal and practical perspective that will outline the specific steps the organisation should take as a result of an incident.

SBP: How do cybersecurity regulations affect the way in which accounting practices roll out these strategies to ensure they meet compliance requirements?

MN: In addressing access to various applications, particularly within accountancy firms, compliance is a significant concern. Currently, many firms lack a secure auditing mechanism to track shared access to accounts, which poses a fundamental compliance issue. The system we offer through My1Login offers a solution by providing a comprehensive audit trail, enabling firms to identify individual users accessing shared identities and applications.

Additionally, as regulations increasingly mandate the use of multi-factor authentication (MFA) for accessing applications, our system assists firms in meeting these requirements. Despite the lack of MFA support in many applications used by accountancy firms, our platform allows configuration policies to ensure users pass a multi-factor challenge before accessing credentials for sign-in.

SBP: Could you offer more details on the specific characteristics behind the applications and platforms offered by My1Login?

MN: Essentially, our system is designed to streamline user access to services, making it effortless for them. Once implemented, users can navigate directly to the desired application without needing to engage with My1Login directly.

For example, on the Government Gateway login page, users are presented with a user-friendly list of permitted identities or accounts, which can be named according to their preference (e.g., Client A, Client B). By simply clicking on the desired identity, My1Login automatically logs them in, eliminating the need for users to remember passwords and reducing the risk of phishing attacks. Sharing access is also made simple, requiring just a few clicks to grant access to team members or groups. Overall, the system offers a straightforward user experience.

SBP: You’ve mentioned the risk of phishing attacks, and how the accountancy profession may be prone to such attacks due to a lack of awareness around the risk of phishing at large. How would you describe this risk in the context of accountancy? And what are the most prevalent phishing tactics used to target the profession?

MN: What professionals in accountancy need to take into account is that phishing manifests in various forms, often appearing as emails from seemingly legitimate sources such as Microsoft Office, banks, or even HMRC. These emails will typically urge recipients to click on links under various pretexts, like accessing documents or updating passwords. Clicking on these links redirects users to spoofed websites mimicking genuine ones, where they're prompted to enter login credentials. This grants malicious actors access to the user's account.

However, with an effective identity management solution like My1Login, phishing risks can be completely mitigated. By configuring the system so users don't need to know their passwords, phishing attempts are rendered ineffective. If users don't possess passwords, they cannot fall victim to phishing attacks.

SBP: While these solutions may be out in the market, not all professionals in accountancy will necessarily be proficient in the use of these tools. What strategies can be employed to train professionals on cybersecurity awareness?

MN: This is a key issue, with security boundaries existing around training and awareness. Relying solely on users as the last line of defence in the event of an attack poses inherent risks. Instead, our approach involves empowering users with control over their defence, supplemented by systems to reinforce security measures. This two-pronged strategy combines training with robust systems, reducing dependence on human adherence to policies or training.

SBP: While the profession may have these solutions at hand now, the horizon of cybersecurity is one experiencing constant change. Looking ahead, what are the emerging cybersecurity challenges that you anticipate will have the most significant impact on accounting? How should professionals and technology providers prepare for these coming challenges?

MN: Accountancy firms are increasingly transitioning their services to the cloud, including migrating their core directory from Active Directory to Microsoft's cloud-based directory, Azure Active Directory. Concurrently, there's a significant shift away from traditional on-premises applications towards cloud-based ones. This trend is driven both by the firms themselves and their clients, who are adopting cloud-based payroll systems and other cloud services. However, this transition also expands the attack surface for malicious hackers targeting accountancy firms.

To address this growing risk, firms should consider implementing effective single sign-on and enterprise password management systems. These measures can help mitigate the increasing security threats associated with the ongoing transition to cloud-based services.

Newman’s perspective sheds light on the pressing cybersecurity challenges facing the accountancy profession in 2024. With cybercrime threats evolving and phishing attacks targeting sensitive data, it's evident that accountants must adopt robust cybersecurity measures. Implementing identity management solutions, single sign-on, and enterprise password management systems can bolster security efforts. Moreover, ongoing training and awareness initiatives remain crucial in navigating the ever-changing cybersecurity landscape. By embracing these strategies, accountancy firms can better protect themselves and their clients from cyber threats in the future.

Main image: Mike Newman, CEO, My1Login