The advent of technology has empowered businesses around the world to invest in information systems to simplify processes and improve efficiency of their operations. It is important to revere the transformational effects of modern technology on business operations, but we should also not lose sight of the cybersecurity threats we face. These threats require proactive measures that have stood the test of time.
Cybersecurity threats
The threats of cybersecurity vulnerabilities take many forms. It can either be described as an internal threat originating within the organization or as an external threat against the organization. The internal threats of cybersecurity an organization can be exposed to include the following:
- Intentional threats: This insider threat results from the actions of unscrupulous individuals who deliberately misuse confidential information to conduct malicious activities to the detriment of the organization. This is, however, different from whistleblowing of wrongful conducts within the organization.
- Unintentional threats: This involves employees who expose an organization to cyber threats due to negligence or carelessness in the line of duty.
- Third-party threats: Third-parties are usually service providers to an organization and technically called independent contractors or consultants. They are not employees of the organization but have some level of access within the organization through a contractual relationship.
External cyber-attacks originate from various sources, including phishing scams (through fictitious emails), social engineering by psychological manipulation of people through SMS text messages or phone calls to impersonate them, malware (a malicious software meant to cause harm to a device or network through email attachments, fraudulent links, adverts, or on harmful websites). These cybersecurity threats are designed to deceive targets into sharing sensitive information. Hackers may also employ ransomware attacks and data breaches, pressuring organizations to pay a ransom for re-access to their information or risk the distribution of private data.
Additionally, Denial of Service (DoS) attacks is another type of cyber-security vulnerability which can harm organizations and their clients. The hackers usually target systems, devices or a network and shut them down thereby denying users access to those applications. They usually overload the targeted device or network with traffic until the victims cannot respond or the systems eventually crash. These attacks compromise websites, emails and online account access on the affected systems or networks.
Statistical Perspectives
Recent statistics have revealed growing incidents of cyber-attacks in many industries and accounting firms are no exception. The reasons can be attributed to the fact that accountants have considerable amount of sensitive financial records like tax identification numbers, payroll information, and investment data of clients in their custody. The Australian Cyber Security Centre in their 2021-22 annual cyber-threat report provided some statistics of cyber-crimes in the accounting industry:
- Accounting is part of the sixth most targeted sector in Australia, with 7 per cent of all cyber-attacks;
- The number of cyber-attacks has risen 13 per cent in the past year, which is the equivalent to one every seven minutes.
- Annually, cyber-crime costs small accounting practices an average of $39,555 medium-sized practices approximately $88,406 and large practices $62,233.
In Ghana, the Bank of Ghana (BoG) reported a stark reality of cyber-crimes in the country. The number of cyber/email fraud cases rose from 50 in 2021 to 422 in 2022, representing a staggering increase of 744%. These incidents led to a loss of Gh¢2.6 million in 2021, which increased to Gh¢4.3 million in 2022, reflecting a 65.55% increase.
Investing in Cybersecurity
The fight against cyber-threats requires a holistic data security strategy which must ensure that an organization’s internal and external measures are sufficient. A solid starting point for the strategy is developing a comprehensive cybersecurity policy.
Developing a Cybersecurity Policy
To combat the internal threats, the policy should cover various aspects such as employee training, role-based access controls, incident response plans and cybersecurity insurance. Touching on the employee-training part of the policy, it must be noted that employees can either be part of the defenses against the cyber-crimes or accomplices in the eco-system. Therefore, a strategy in respect to employee-training must ordinarily entail cybersecurity awareness programs which will empower them to follow proper procedures for handling sensitive client data and recognize risks of phishing emails or creating strong passwords.
To ensure restriction to sensitive data or information, organizations need to implement role-based access control systems which must give permissions to employees based on their role/function. These controls must equally be reviewed regularly to prevent breaches when employees change roles and neither should they share those access with their colleagues. Multi-factor authentication can also be enforced through biometric fingerprint scans or a password/code tokens to employees’ dedicated phones to verify their activities.
A cybersecurity policy must also highlight data encryption techniques to beef-up the protection of sensitive data. For instance, Virtual Private Networks (VPNs) can help protect sensitive data by creating an encrypted route that secures data in transit between an organization and its clients as well as other stakeholders. Virtual Private Networks (VPNs) require users to confirm their credentials in an attempt to log in or access the network. This way, it ensures that only duly authorized users are allowed to access the organization’s systems and data, and even if a hacker intercepts a data, they will not be able to read or understand it.
Software Updates
Outdated software is prone to vulnerabilities which cybercriminals can easily exploit to their advantage and access sensitive data of organizations and their clients. To prevent this occurrence, an organization must be proactive to ensure all software, including operating systems, applications, and firmware, is regularly updated with the modern versions from verifiable dealers on the markets. This process should also include regular vulnerability assessments to identify and fix any form of security weaknesses and bugs in the systems.
Dealing with Cyber-Attack Events
As part of the strategies to ensure best practices in cybersecurity risk management, I strongly suggest that organizations put in place a robust disaster recovery plan. It will help provide the roadmap to protect sensitive data if a cyber-attack occurs or there is a disruption from other external factors. The plan should outline the steps that the organization will take to recover from a data breach and restore access to systems and sensitive data. Aside from that, it will also be prudent for an organization to have an on-site and off-site backup installation available so that in an extreme event of data loss during a cyber-attack, critical data can be recovered.
Incident Response Plan
It will be desirable for organizations to formulate incident response plans as part of their cybersecurity strategy and in line with business continuity management standards. This is based on the fact that data breaches could still occur despite the existence of measures to prevent the cyber-attacks from even occurring in the first place. A detailed incident response plan must state clearly the steps which should be taken in the event of a severe incident and include procedures for identifying and containing any breaches, assessing the damage, notifying victims, and recovering from the incident. By having a well-defined incident response plan in place, organizations can minimize the adverse impacts of a cyber-attacks and quickly restore business operations without further hitches.
Emerging Trends
As technology advances, cybercriminals also become more sophisticated in their operations. They are often a step ahead of their targets or victims, and organizations will need to adopt new measures in the short to medium-term to combat the cyber-attacks. In other economies, the new trends for combating cyber threats include the use of artificial intelligence (AI), machine learning (ML) and blockchain. Artificial Intelligence and Machine Learning (ML), for instance, help to identify suspicious intrusions and patterns in data that may indicate a potential attack, and take proactive measures to prevent it.
In the case of blockchain, it provides a decentralized, tamper-proof ledger that can be used to store and share sensitive data securely. This can help prevent data breaches and ensure the integrity of financial records. Based on all these considerations, organizations must, therefore, go with the tide by investing in emerging technologies as part of their holistic strategies to manage the cybersecurity risks and thereby sustaining business operations and give value to shareholders.
BERNARD BEMPONG
Bernard is a Chartered Accountant with over 14 years of professional and industry experience in Financial Services Sector and Management Consultancy. He is the Managing Partner of J.S Morlu (Ghana) an international consulting firm providing Accounting, Tax, Auditing, IT Solutions and Business Advisory Services to both private businesses and government.
Our Office is located at Lagos Avenue, East Legon, Accra.
Contact: +233 302 528 977
+233 244 566 092
Website: www.jsmorlu.com.gh