5 of the most common accounting cybersecurity threats
AI-powered email threats and ransomware are two of the most common accounting cybersecurity threats, and CFOs must take action to reduce the likelihood of a breach.
An accounting system controls what's arguably the most critical aspect of any company: money. If this system is threatened, everything else is affected, so CFOs must work with chief information security officers (CISOs) to ensure their company's accounting department is guarding against cybersecurity threats.
Common accounting cybersecurity problems include ransomware and privilege creep, in which users who are no longer with the organization can still access systems. When a security event occurs, investigators will examine a company's governance, including frequency of system testing and documented processes, and a company could face negative consequences if its employees have not been following the proper procedures. CFOs must take action before issues arise.
Here are five of the most common accounting cybersecurity threats, along with advice on how to mitigate them.
1. AI-powered email threats
Attempted email hacking has matured. AI tools now enable attackers to study earnings calls, imitate leaders' communication styles and send requests during a company's quarter-end close, when employees are busy and approval pressure is high.
Most CISOs have probably already deployed technical controls against these threats, such as multifactor authentication (MFA), access control policies, domain monitoring and email authentication. However, CFOs must also enforce process discipline: dual authorization on payment changes, mandatory verbal confirmation for new or modified vendor banking details, and system-enforced separation of duties.
2. Ransomware
A ransomware group encrypting critical accounting systems stops payroll, stalls reporting and creates regulatory deadline pressure. One compromised endpoint can become a full ERP outage, especially for internally hosted ERP systems. Backups often exist, but they might not have been tested recently, if at all.
CISOs and CFOs must work together to prepare for ransomware attacks on accounting systems. They should ensure their company segments finance systems from the rest of the network, maintains offline or permanent backups, and tests recovery under realistic, real-world conditions.
CFOs should ask how long it would take to restore full accounting operations after a complete outage, and if the answer is vague, ensure that those issues are resolved before a ransomware event occurs.
3. ERP and application vulnerabilities
Most accounting platforms sit inside larger ERP ecosystems with web interfaces, APIs and third-party integrations. Remote access that requires MFA and specifically defined access controls might be layered in. These technical controls are necessary but can lead to security challenges.
Common issues in these environments include missing patches, excessive privileges, weak session controls, integrations that have not been tested since deployment and accounting systems that are no longer supported by the vendor. Any of these weaknesses can lead to a security incident.
Compliance audits can create a false sense of security around ERP systems. Annual access reviews and documentation of controls do not go far enough; companies must also conduct meaningful vulnerability and penetration testing against finance systems and simulate how the ERP behaves under actual attack conditions. If leaders don't want to invest in it, or if organizations assume that the vendor or hosting provider is taking care of these issues, they might skip these crucial steps.
Every company must have a security committee that sets measurable goals, ensures that independent testing is carried out and holds employees accountable when necessary, and the CFO must have a seat at that table as a decision-maker.
4. Insider risk and privilege creep
Accounting teams often require higher-level software access, since they add vendors, modify payment details, export reports and adjust journal entries. Accounting employees are also under significant pressure, and risk can arise from fatigue. Other risk factors include poorly designed processes, lack of training and a lack of basic computer literacy.
Another major risk factor is privilege creep, including access that was never revoked for employees who have left the company. CFOs need to be involved in periodic access reviews, and role-based access policies need to be enforced. Logging should be tied to specific high-risk financial actions and users, and human oversight must be involved.
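The access-review and dual-authorization controls described in sections 1 and 4 can be checked mechanically. The following is an added example, not code from the article or any ERP vendor; the HR roster, ERP account export, audit log and field names are all constructed assumptions.

```python
"""Access-review checks for an accounting/ERP system (added example, not from the article).

Flags three conditions the article calls out: (1) privilege creep, i.e. enabled ERP
accounts whose owner is no longer active in HR; (2) separation-of-duties conflicts,
i.e. one user who can both maintain vendors and approve payments; (3) vendor
bank-detail changes that lack an independent second approver.
"""

# Constructed sample data; user names, roles and field names are assumptions,
# not any real ERP's schema.
HR_ROSTER = {"alice": "active", "bob": "terminated", "carol": "active", "dave": "terminated"}
ERP_ACCOUNTS = {  # user -> (account enabled?, set of roles)
    "alice": (True, {"ap_clerk", "vendor_maint"}),
    "bob": (True, {"ap_clerk"}),                           # left the company, never disabled
    "carol": (True, {"vendor_maint", "payment_approve"}),  # holds both sides of an SoD pair
    "dave": (False, {"gl_poster"}),                        # correctly disabled on departure
}
AUDIT_LOG = [  # constructed high-risk events; "approver" is None when nobody co-signed
    {"id": 1, "user": "alice", "action": "vendor_bank_change", "vendor": "V100", "approver": "carol"},
    {"id": 2, "user": "carol", "action": "vendor_bank_change", "vendor": "V200", "approver": None},
    {"id": 3, "user": "carol", "action": "vendor_bank_change", "vendor": "V300", "approver": "carol"},
]
# Role pairs that one person must never hold together.
SOD_CONFLICTS = [({"vendor_maint"}, {"payment_approve"})]


def privilege_creep(roster, accounts):
    """Enabled ERP accounts whose owner is not an active employee (or not in HR at all)."""
    return sorted(u for u, (enabled, _) in accounts.items()
                  if enabled and roster.get(u) != "active")


def sod_violations(accounts, conflicts=SOD_CONFLICTS):
    """Users holding at least one role from each side of any conflicting pair."""
    return sorted(u for u, (_, roles) in accounts.items()
                  if any(roles & left and roles & right for left, right in conflicts))


def unapproved_bank_changes(log):
    """IDs of vendor bank-detail changes with no approver or a self-approval."""
    return [e["id"] for e in log if e["action"] == "vendor_bank_change"
            and (e["approver"] is None or e["approver"] == e["user"])]


if __name__ == "__main__":
    print("privilege creep:", privilege_creep(HR_ROSTER, ERP_ACCOUNTS))
    print("SoD violations:", sod_violations(ERP_ACCOUNTS))
    print("unapproved bank changes:", unapproved_bank_changes(AUDIT_LOG))
```

In practice the three inputs would be pulled from the HR system, the ERP's user export and its audit log on a schedule, and each finding routed to a named reviewer rather than just printed.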
5. Cloud accounting software
Many accounting environments now run as cloud-based services, and CFOs and CISOs might assume that the vendor handles security. That assumption is usually incorrect and can lead to problems such as disabled MFA and overly permissive or exposed API tokens.
Unless a cloud provider has specifically outlined in a contract that it will take care of security and that security oversight is paid for through specific services, the customer is responsible for it. Company leaders might believe that their job is done because they received a System and Organization Controls report that examines data center controls for third parties. However, it does not present a full picture of security vulnerabilities.
If a vendor, such as an identity provider or ERP integration partner, experiences a breach, its security problem will become its clients' security problem. CFOs and CISOs must follow the old security adage: "Trust but verify." Contracts and questionnaires provide a starting point, but what will matter most is whether a vendor's client has built enough resilience to absorb the impact when a third-party failure affects their accounting environment.
CISOs and CFOs need to evaluate third-party accounting vendors the way they would evaluate any critical business risk. They should ask to see recent vulnerability and penetration testing results, verify MFA enforcement, review access controls, and understand exactly what the "shared responsibility" cloud model means for their company's specific configuration.
Kevin Beaver is an independent information security consultant, writer and professional speaker with Atlanta-based Principle Logic, LLC. With more than 30 years of experience in the industry, Beaver specializes in performing vulnerability and penetration tests as well as virtual CISO consulting work.