8 tips to improve cybersecurity for accounting
CISOs must establish clear policies about approved AI tools and acceptable data use. Learn additional ways CFOs and CISOs can improve their company's accounting cybersecurity.
Various cybersecurity threats can compromise accounting operations, but CISOs and CFOs can take steps to help ensure their organizations are protected.
Many organizations currently fail to address accounting cybersecurity threats. Financial control systems operate in a threat landscape that is more targeted and sophisticated than it was even a few years ago.
Company leadership often treats security as an IT responsibility instead of a core business function, which can lead to vulnerabilities. Executives must be genuinely engaged in security so technical teams will possess the political and financial backing to properly address issues.
Here are some cybersecurity accounting tips CISOs and CFOs should follow.
1. Crack down on AI use
Finance and accounting staff are likely feeding sensitive data such as payroll summaries, budget forecasts and audit preparation materials into AI tools such as ChatGPT, Claude and Microsoft Copilot. Many companies have not established clear policies and technical controls for the use of AI.
AI platforms vary widely in how they handle data retention, training use and access controls, and many retain user input by default. Some also use that input for model training by default, which means the platform may be learning from the company's accounting information.
Agentic AI tools complicate this further, since they can reconcile accounts, process invoices and generate financial reports on their own. Automation that initiates or modifies transactions changes the accountability chain. Who will be responsible?
CISOs need to establish clear policies about which AI tools are approved and what data should and should not be entered. They should also establish technical controls that flag or block sensitive financial data from leaving through unsanctioned channels. Companies must also create authorization frameworks for agent-driven tools that define the actions the tools can take, who can authorize those actions and what logging and auditing will occur.
CFOs must discuss AI use with their teams and be clear about what is and isn't permitted.
2. Treat reconciliation like a security control
Most organizations view accounting system reconciliation as a purely financial process. In reality, it can also help protect companies.
Journal entry manipulation, ghost vendors and duplicate payments often go undetected for months because companies don't protect their accounting processes.
CISOs should review how financial reconciliation workflows are structured and whether high-risk transactions pass through anomaly detection and behavioral monitoring. CFOs should ask whether IT, security or internal audit staff are independently reviewing journal entry logs and vendor master file changes.
Separation of duties on paper is often not enough. Controls must be verified technically and reviewed by both the CISO and the CFO.
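As an added illustration of what "technically verified" reconciliation controls can look like (example code written for this article, not from the author or any product), the following checks run over a constructed vendor master change log and payment ledger and flag the patterns named above: duplicate payments, a bank-account change shortly before a payment, a newly created vendor paid almost immediately (candidate ghost vendor), and a separation-of-duties conflict where the same user edited a vendor record and approved a payment to it. Vendor IDs, user names, amounts and window sizes are all made up.

```python
from datetime import date

# Constructed sample data (not from a real ledger): vendor creation dates,
# a vendor master change log and a payment ledger for one quarter.
VENDOR_CREATED = {"V100": date(2022, 5, 1), "V200": date(2021, 9, 9), "V300": date(2024, 3, 5)}
VENDOR_CHANGES = [
    {"vendor": "V100", "field": "bank_account", "date": date(2024, 3, 1), "by": "jdoe"},
    {"vendor": "V200", "field": "address", "date": date(2024, 1, 10), "by": "asmith"},
]
PAYMENTS = [
    {"id": 1, "vendor": "V100", "invoice": "INV-77", "amount": 12500.00, "date": date(2024, 3, 4), "approved_by": "jdoe"},
    {"id": 2, "vendor": "V100", "invoice": "INV-77", "amount": 12500.00, "date": date(2024, 3, 18), "approved_by": "jdoe"},
    {"id": 3, "vendor": "V200", "invoice": "INV-12", "amount": 800.00, "date": date(2024, 2, 2), "approved_by": "bchen"},
    {"id": 4, "vendor": "V300", "invoice": "INV-01", "amount": 4999.00, "date": date(2024, 3, 6), "approved_by": "jdoe"},
]

def duplicate_payments(payments):
    """Same vendor, invoice and amount paid more than once; reports the earlier payment id."""
    seen, flags = {}, []
    for p in payments:
        key = (p["vendor"], p["invoice"], round(p["amount"], 2))
        if key in seen:
            flags.append(("duplicate_payment", p["id"], seen[key]))
        seen.setdefault(key, p["id"])
    return flags

def bank_change_before_payment(payments, changes, window_days=14):
    """Vendor bank account changed in the master file shortly before a payment went out."""
    return [("bank_change_before_payment", p["id"], c["by"])
            for p in payments for c in changes
            if c["vendor"] == p["vendor"] and c["field"] == "bank_account"
            and 0 <= (p["date"] - c["date"]).days <= window_days]

def new_vendor_paid(payments, created, window_days=30):
    """Vendor created and paid within a short window: review as a possible ghost vendor."""
    return [("new_vendor_paid", p["id"]) for p in payments
            if 0 <= (p["date"] - created[p["vendor"]]).days <= window_days]

def sod_conflicts(payments, changes):
    """Separation of duties: the user who edited a vendor record also approved a payment to it."""
    editors = {(c["vendor"], c["by"]) for c in changes}
    return [("sod_conflict", p["id"], p["approved_by"])
            for p in payments if (p["vendor"], p["approved_by"]) in editors]

def run_checks(payments=PAYMENTS, changes=VENDOR_CHANGES, created=VENDOR_CREATED):
    """Run every check and return the combined list of flags for review."""
    return (duplicate_payments(payments) + bank_change_before_payment(payments, changes)
            + new_vendor_paid(payments, created) + sod_conflicts(payments, changes))

if __name__ == "__main__":
    for flag in run_checks():
        print(flag)
```

Each flag is a review item for someone outside the accounts-payable chain, which is the independence the tip calls for.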
3. Take measures against finance deepfake threats
Voice cloning and video deepfake technology now enable attackers to convincingly replicate a CFO's voice or likeness with minimal source material.
The attack pattern usually begins with an urgent payment request from a legitimate-sounding voice. The transaction is approved, and by the time someone questions it, the funds are gone.
CISOs and CFOs need to implement verification steps that don't rely on voice or video recognition for authentication. Also, any payment authorization, vendor change or wire transfer above a defined threshold should require confirmation through an independent channel. Confirmation methods could include a callback to a known number, a message sent via a secure messaging platform or an in-person confirmation combined with a physical signature.
CFOs should also make it clear to finance employees that financial transactions should never be authorized if they are only based on a call or video request.
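The verification rule described above, as an added example (not code from the author or any payment system): a request above a defined threshold is approved only after confirmation through a channel that is independent of the one the request arrived on, and a callback counts only if it goes to the number held in the vendor master record, never to a number supplied in the request itself. Beyond the text, it also treats a mismatch between the requested bank account and the vendor record as requiring confirmation at any amount. The vendor data, threshold and channel names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed vendor master record: the only source of callback numbers and
# bank accounts used for verification (not real data).
VENDOR_MASTER = {"V100": {"callback": "+1-555-0100", "bank_account": "ACCT-1"}}
THRESHOLD = 10_000.00  # assumed policy threshold for independent confirmation

# Channels that can be cloned or spoofed never count as confirmation on their own.
UNTRUSTED_CHANNELS = {"voice_call", "video_call", "email"}
INDEPENDENT_CHANNELS = {"callback_known_number", "secure_messaging", "in_person_signature"}

@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    bank_account: str
    origin_channel: str                          # how the request arrived
    confirmations: list = field(default_factory=list)  # (channel, contact_used) pairs

def decide(req, master=VENDOR_MASTER, threshold=THRESHOLD):
    """Return (approved, reason) for a payment request under the out-of-band rule."""
    vendor = master.get(req.vendor)
    if vendor is None:
        return False, "unknown vendor"
    account_changed = req.bank_account != vendor["bank_account"]
    if req.amount < threshold and not account_changed:
        return True, "below threshold and matches vendor record"
    for channel, contact in req.confirmations:
        if channel in UNTRUSTED_CHANNELS or channel not in INDEPENDENT_CHANNELS:
            continue                      # a voice or video request confirms nothing
        if channel == req.origin_channel:
            continue                      # same channel as the request is not independent
        if channel == "callback_known_number" and contact != vendor["callback"]:
            continue                      # callback went to a number the requester provided
        return True, f"confirmed via {channel}"
    return False, "independent confirmation required"

if __name__ == "__main__":
    urgent = PaymentRequest("V100", 25000.0, "ACCT-1", "video_call", [("video_call", None)])
    print(decide(urgent))  # rejected: video request alone is not a confirmation
    urgent.confirmations.append(("callback_known_number", "+1-555-0100"))
    print(decide(urgent))  # approved after callback to the number on file
```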
4. Build specific controls around M&A and due diligence
The period surrounding a merger, acquisition or financial due diligence process is one of the highest-risk windows an accounting department faces, yet it's rarely treated as a security priority.
During due diligence, large volumes of data are moved to third-party platforms, including AI, and sent to consultants and advisors outside the organization's normal security oversight. An organization's access controls might be loosened in the name of convenience.
CISOs should be involved with due diligence before the process begins, and CFOs should resist pressure to move quickly at the expense of basic security hygiene.
5. Apply security controls to remote finance teams
Remote finance teams create access patterns that are harder to monitor than those of in-office staff. The risks from employees working in different locations are predictable and include shared user credentials, broad VPN access and unmanaged device usage.
The accounting function should not be exempt from security standards because it operates across multiple locations or requires flexible work arrangements. CISOs should map every remote access path into accounting systems and close the access points that cannot be justified.
CFOs should also ensure that approval workflows do not shift to informal channels when staff are working from various locations. Changes to approval processes when employees are working remotely could increase the likelihood of payment errors or unauthorized transactions.
6. Treat finance staff departures as security events
Standard employee offboarding procedures often overlook the specific risk profile of accounting personnel.
Finance staff can frequently access banking credentials, payment systems and financial reporting infrastructure, and that access must be terminated immediately when a finance employee departs. Otherwise, former workers can use their continued access to redirect payments, export financial records and create fraudulent vendor accounts.
CISOs should implement controls that enable coordinated revocation of finance system access across systems. CFOs should be notified when employees with elevated financial system access leave the organization and verify that access termination has been completed.
7. Test finance systems appropriately and independently
Vulnerability and penetration testing of accounting and ERP systems deserves its own budget line item, as finance environments contain specialized applications, integrations and access patterns that are often overlooked by broad network assessments.
Independent testing should include examination of the accounting applications, their APIs, authentication mechanisms and the data paths between systems. These environments are often extremely complex and can harbor severe risks that basic vulnerability scanners cannot detect.
The results should be shared with financial leaders as well as the security team and development staff.
8. Close the gaps with tested plans and insurance
Three elements that accounting security programs often lack are an incident response plan that includes finance scenarios, a cyberinsurance policy reviewed by an employee who understands all the details, and a tested recovery process approved by financial leaders.
Generic incident response plans are rare to begin with, and when they do exist, they often don't address payroll outages, wire fraud discovered mid-process, or ransomware locking out accounting staff in the middle of the month-end close. Companies must establish how they will handle those issues when they arise.
Cyberinsurance policies often contain exclusions and notification requirements that are only discovered after a claim is filed, and untested backups are often liabilities rather than assets.
CISOs should include finance-related scenarios in tabletop exercises and confirm that the exercises include both operational and financial effects. CFOs should review their cyberinsurance policy with the CISO and legal counsel to discover what it contains beyond the carrier's sales and marketing promises.
What to do when an accounting cybersecurity incident occurs
Incidents can occur even when security programs are well-designed. However, organizations that experience security incidents often fix the immediate problem and move on without addressing the underlying failures.
A more useful approach is the "five whys" technique. A team might apply it after a ransomware incident as follows:
- Why did the attack succeed?
An employee clicked a malicious link.
- Why did the employee click?
Security awareness training was insufficient.
- Why did that program have gaps?
Training was treated as a compliance exercise rather than targeted risk reduction.
- Why was training treated as a compliance exercise?
Security hasn't received adequate support from management.
- Why hasn't security received adequate support?
Company leadership doesn't understand security risks and how they can affect the organization.
CISOs and CFOs who perform this exercise during tabletop sessions often discover that the answers point upward toward leadership. Companies must first fix governance and accountability, and the proper technical controls will follow.
Kevin Beaver is an independent information security consultant, writer and professional speaker with Atlanta-based Principle Logic, LLC. With more than 30 years of experience in the industry, Beaver specializes in performing vulnerability and penetration tests as well as virtual CISO consulting work.