Much of an organization’s most critical business and employee data passes through the hands of finance and accounting professionals.
It’s one of the main reasons cyberthreats present a significant risk to finance and accounting teams — especially for small accounting firms that are directly responsible for their security. In this blog, we’ll take a look at some of the cyber risks unique to finance and accounting (F&A) teams and what role information security can play to enable F&A teams, and organizations as a whole, to stay secure.
Finance and Accounting’s Critical Role
While an organization’s location and industry influence how a finance and accounting department operates, its mission to steward a company’s financial and tax information remains the same. F&A works with a range of external and internal stakeholders to ensure financial records are accurate, compliant and up-to-date.
Their work is crucial to enable insightful business planning and decision-making. Among other responsibilities, F&A leverages financial information to work with management, the board of directors, investors and regulators to support corporate activity like financing, compliance and mergers and acquisitions. F&A often also collaborates with and sets budgets for internal teams, like marketing or human resources (HR), and monitors return on investment to ensure the proper allocation of resources.
Data Handled by Finance and Accounting Teams
To carry out all these activities, F&A relies on sensitive financial information. That data may include any of the following:
- Bank account numbers
- Employee dates of birth (DOB), Social Security Numbers (SSNs), taxpayer information and payroll information
- Corporate officers’ names
- Corporate financial and tax records
- Intellectual property
- Business plans
- Business certificates
- Compliance audits
- Customer data
Vulnerable Login Credentials for F&A Teams
Because all of the above sensitive financial data reflects the past, current and future state of an organization, and this information is regularly stored in accounting software, that software becomes a prime target for cybercriminals. This sensitive information can come from a variety of sources, including customers, employees and third parties, which makes secure and authenticated access a critical component of enterprise security.
Without a way to securely store and use login credentials, however, finance and accounting teams are leaving their software and data unprotected. Storing passwords in non-secure locations, such as a browser's built-in password manager, a spreadsheet or a sheet of paper, leaves them readable by anyone with access to the device (including malware on it), and passwords stolen that way are what fuel credential-stuffing and account takeover attacks against financial and tax systems. And when team members have to share credentials, unencrypted channels like email, text message or instant messaging leave those credentials exposed to anyone who can read the message, in transit or in the mailbox, long after they were sent.
In recent years, breaches of popular accounting systems have exposed organizational and customer data on the dark web. Even organizations that partner with accounting firms risk having their information stolen.
With over 80% of breaches resulting from weak or stolen login credentials, IT teams should adopt a solution for enterprise password management to support their F&A department and the rest of the organization.
The Insider (or Contractor) Threat
F&A teams are used to internal accounting controls, which ensure that only authorized personnel have access to sensitive data and that financial information is valid. As with internal accounting controls, F&A teams need a way to restrict access to necessary personnel. If there aren’t protections in place, disgruntled employees can gain or leverage access to critical systems to damage an organization.
Unauthorized access by vendor employees also puts financial data at risk. Contractors or vendors with unrestricted access to critical information add another layer of complexity to protecting login credentials.
Accounting for the Total Cost of Cyberattacks
Bad actors can exact a high toll in the aftermath of a breach, opening fraudulent bank accounts, lines of credit and selling stolen data on the dark web.
According to IBM and the Ponemon Institute’s “Cost of a Data Breach 2022” Report, organizations can expect to pay an average of $4.35 million in the aftermath of a breach. For some industries, like healthcare and financial services, the cost of a data breach is still higher.
Ransomware attacks, which cost an average of $4.62 million per incident, before even including the payment of a ransom, are even costlier than data breaches.
In 2023, the average cost of a data breach is likely to cross the $5 million mark. That figure includes the mounting costs of penalties and litigation in the wake of a regulatory violation. GDPR, CCPA and similar data protection laws carry heavy fines for breaches and inadvertent disclosures.
On top of direct business and regulatory costs, reputational damage and lost business add to the cost of a cyberattack, whether from ransomware or a breach. The exact costs are hard to appraise, but the outcomes speak for themselves: within 6 months of suffering a cyberattack, 60% of small-to-midsize businesses (SMBs) close up shop.
Segregation of Duties Meets Role-Based Access Controls
There are similarities between the fiduciary duty of accountants and the responsibility of cybersecurity professionals to protect critical information and systems. The shared mindset finds practical resonance in many organizations’ governance, risk and compliance (GRC) departments.
For example, the segregation of duties (SOD) distributes critical responsibilities in finance and accounting to prevent conflicts of interest and any one actor from having excessive influence over an accounting process.
Role-based access control (RBAC) in Keeper Password Manager gives an organization, and a finance or accounting team specifically, a way to ensure that user access is compatible with SOD: each user holds only the roles their job requires, and conflicting duties are not combined in one person.
When an F&A or GRC team needs to exclude certain users from seeing information, Keeper offers administrative features to restrict access permissions. The enforcement of RBAC policies set in Keeper, like multi-factor authentication (MFA) or IP Listing, ensures that only verified, authorized users are able to access critical accounting information.
IT admins, as well as delegated Share Admins for individual teams, can also tailor login enforcements based on team and individual contributor responsibilities. RBAC also applies to user access to sensitive files or data, ensuring that only the people who need to access information are authorized to do so.
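To make the relationship between SOD and RBAC concrete, here is an added Python sketch. It is illustrative code written for this article, not Keeper's implementation or a description of how Keeper's RBAC works internally; the role, permission, user and invoice names are invented. It enforces two kinds of separation: a static constraint (a user may never hold two roles that the policy declares conflicting, such as entering invoices and approving payments) and a dynamic one (a user who legitimately holds both permissions, as a controller at a small firm might, still may not approve an invoice they entered themselves).

```python
"""Added example (not Keeper's code): a minimal RBAC model with
segregation-of-duties (SoD) enforcement. Role, permission, user and
invoice names are invented for illustration."""
from dataclasses import dataclass, field


class SoDViolation(Exception):
    """Raised when an assignment or action would give one person conflicting duties."""


@dataclass
class RBAC:
    role_perms: dict = field(default_factory=dict)  # role -> set of permissions
    user_roles: dict = field(default_factory=dict)  # user -> set of roles
    sod_pairs: set = field(default_factory=set)     # frozenset({a, b}): roles never held together

    def add_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def add_sod_constraint(self, role_a, role_b):
        self.sod_pairs.add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        """Static SoD: refuse a role that conflicts with one the user already holds."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role: {role}")
        for held in self.user_roles.get(user, set()):
            if frozenset((role, held)) in self.sod_pairs:
                raise SoDViolation(f"{user}: role {role!r} conflicts with {held!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def can(self, user, perm):
        return any(perm in self.role_perms[r] for r in self.user_roles.get(user, ()))


def enter_invoice(rbac, invoices, user, invoice_id, amount):
    if not rbac.can(user, "invoice.enter"):
        raise PermissionError(f"{user} may not enter invoices")
    invoices[invoice_id] = {"amount": amount, "entered_by": user, "approved_by": None}


def approve_payment(rbac, invoices, user, invoice_id):
    """Dynamic SoD: an approver may never approve an invoice they entered themselves."""
    if not rbac.can(user, "payment.approve"):
        raise PermissionError(f"{user} may not approve payments")
    inv = invoices[invoice_id]
    if inv["entered_by"] == user:
        raise SoDViolation(f"{user} cannot approve {invoice_id}, which they entered")
    inv["approved_by"] = user
    return inv


def build_finance_policy():
    rbac = RBAC()
    rbac.add_role("ap_clerk", ["vendor.create", "invoice.enter"])
    rbac.add_role("ap_approver", ["payment.approve"])
    # Small firms sometimes cannot split the duties; the dynamic check still applies.
    rbac.add_role("controller", ["invoice.enter", "payment.approve"])
    rbac.add_role("auditor", ["ledger.read", "audit_log.read"])
    rbac.add_sod_constraint("ap_clerk", "ap_approver")
    return rbac


def demo():
    rbac = build_finance_policy()
    invoices = {}
    rbac.assign("alice", "ap_clerk")
    rbac.assign("bob", "ap_approver")
    rbac.assign("dave", "controller")

    # Static SoD: alice, who enters invoices, cannot also become an approver.
    try:
        rbac.assign("alice", "ap_approver")
        conflict_blocked = False
    except SoDViolation:
        conflict_blocked = True

    # Normal two-person flow: clerk enters, approver approves.
    enter_invoice(rbac, invoices, "alice", "INV-1", 12500.00)
    approve_payment(rbac, invoices, "bob", "INV-1")

    # Dynamic SoD: dave holds both permissions but may not approve his own entry.
    enter_invoice(rbac, invoices, "dave", "INV-2", 980.00)
    try:
        approve_payment(rbac, invoices, "dave", "INV-2")
        self_approval_blocked = False
    except SoDViolation:
        self_approval_blocked = True
    approve_payment(rbac, invoices, "bob", "INV-2")

    return {
        "conflict_blocked": conflict_blocked,
        "alice_can_approve": rbac.can("alice", "payment.approve"),
        "bob_can_approve": rbac.can("bob", "payment.approve"),
        "inv1_approved_by": invoices["INV-1"]["approved_by"],
        "self_approval_blocked": self_approval_blocked,
        "inv2_approved_by": invoices["INV-2"]["approved_by"],
    }


if __name__ == "__main__":
    print(demo())
```

The static check belongs wherever roles are granted (the admin console, a provisioning script), because it is cheapest to reject a conflicting assignment up front; the dynamic check belongs in the application that records the transaction, since it depends on who touched a specific record and cannot be decided from role membership alone.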
How Keeper Helps Finance and Accounting Teams
RBAC is just one feature in Keeper Password Manager that finance and accounting teams find valuable.
Password-related help desk tickets are often a sore spot in the IT budget. With Keeper, the controller can count on a single tool that takes that load off the IT team while keeping the rest of the organization productive.
Users only have to remember one password — their Master Password. Once users are verified with any enforcement policies, like MFA, Keeper takes care of the rest.
- The browser extension, KeeperFill®, autofills login credentials on any device, enabling user productivity without compromising security.
- Vault-to-vault sharing allows finance and accounting teams to securely send and receive login credentials for critical software, including payroll systems, billing and invoicing tools and enterprise resource planning (ERP) software.
- One-Time Share is an especially popular tool that allows finance and accounting teams to share encrypted records without requiring the recipient to have Keeper.
- Secure File Storage uses zero-knowledge encryption, so only the user can access and decrypt the files they store. Finance and accounting teams use this feature to protect financial records, tax paperwork, critical business plans, bank account statements and other sensitive documents.
- Compliance Reports streamlines compliance reporting for HIPAA, Sarbanes-Oxley (SOX), PCI DSS and other regulations that require access-control monitoring and event auditing. In combination with the Advanced Reporting and Alerts Module (ARAM), InfoSec administrators and GRC personnel can track suspicious user activity.
Try Keeper Password Manager for Free
Whether you’re a finance and accounting pro looking for simple and secure password management for your firm or an IT admin evaluating password managers to cover the F&A department, Keeper has solutions to protect your organization’s critical passwords, secrets and information.
We’d be more than happy to connect you with one of our cybersecurity experts. You can also try out Keeper for free for 14 days.