Hacking the AIS
Based on the conducted research, this paper will review the extent to which companies' accounting information systems (AIS) are exposed to the potential threat of hacking. It will evaluate the respective responsibility of the company and of its software provider for responding effectively to a security breach. It will also argue the need for establishing additional regulations as a preventive measure and provide recommendations for businesses to secure their systems and assets.
Removal of the information protection from corporate computer networks would cause the breakdown of 20% of medium-sized companies within a few hours. 40% of medium and 16% of large companies would collapse within a few days. 33% of banks would crash within 2-5 hours, and 50% of banks in 2 to 3 days (PwC, 2014). Companies' servers and their information systems need daily protection. The growing threat of hacker attacks has forced companies to seek out new ways to protect their databases. More and more organizations increase their preparedness against cyber attacks proactively rather than merely responding to an incident after it has occurred. They are becoming aware that they bear responsibility not only for their own IT security but for that of their business partners, too. This understanding is the major driver of many of their efforts.

The level of responsibility of the company for producing effective means of response to security threats is defined by three major factors. The first is the performance of senior management. The second is the company's provision of preventive, detective, and corrective controls. The third is the reliability of the organization's framework tools for strategic analysis. These factors are directly related to the extent to which vulnerable information, including the company's intellectual property and the collected data about customers and business partners, is exposed to the threat of hacker attacks. The performance of senior management plays a vital role in ensuring the effectiveness of the organization's information security. It is the company's executives who constitute the security culture. They identify and assess the value of information resources. Top managers are best placed to understand the risk that potential threats pose to those resources and the appropriate means of responding to a possible security breach.
Their support of the prescribed information policies has a significant overall effect on the behavior of the company's employees. The degree of reliability of preventive control is measured by the extent of the organization's activities in the following areas: awareness-raising and similar training, together with safe computing practices for employees; successful implementation of user access control systems, such as authentication and authorization; physical access control to restricted areas; and network control over remote access to the company's information resources. Detective controls are associated with the sophistication of the intrusion detection system and the frequency of system security reports. Finally, corrective controls usually consist of the information security breach response plan and the response team. The cost-effective time-based model is usually applied by security-conscious businesses as a strategic tool for analyzing the mentioned types of control within the company. It helps to identify the controls that are most exposed (Romney, Steinbart, Mula, McNamara, & Tonki, 2014, pp. 422-445).
However, the company's performance cannot be evaluated on the strength of its security measures alone. Its level of responsibility is intrinsically connected to the company's business operations, which can be harmed by overprotection. This fact leads to the belief that "security objectives cannot be achieved through following a purely technically focused strategy. Instead, companies must adopt a balanced socio-technical approach that emphasizes equally the importance of technology and of the socio-organizational context as key elements of an effective security strategy" (Kayworth & Whitten, 2010, p. 172). Thus, in order to achieve an appropriate capacity for prevention and response, it is important for top management and information security executive personnel to realize that protection of information is not merely a technical issue but a major matter of business.
Developing adequate accounting software or an information security department may be out of reach for some companies. Therefore, it is sometimes in their best interest to outsource IT accounting services by contracting with professionals from third parties (Whitman & Mattord, 2012, p. 448). It is important to remember that such outsourcing suppliers manage the information security infrastructure, or certain segments of the system's processes, but are not responsible for developing the corporate information security policy or the requirements placed on that system, although the supplier must follow them. The provider, thus, should be chosen deliberately according to its ability to comply with the company's rules. Its subsequent activities on the information system should be observed and controlled on a regular basis by the client organization's information security executives, since the provider's actions may create additional threats of confidentiality disclosure. In practice, however, accounting outsourcing often guarantees the secrecy of the business and its clients. The reputation of a professional provider that serves many companies can easily be spoiled by even the slightest hint of a violation of confidentiality agreements on its part. The supplier's employees have access only to those documents and information that are made available to them for processing. Thus, the client company controls the information flow and can weigh the related risks of hacking; it presents the outsourcer with only those documents it considers necessary. However, because of the very nature of hacking, the client companies bear the lion's share of responsibility, since it does not seem possible to control the internal processes of the service provider organization.
The only claims that can be brought are for non-compliance with the commitments prescribed by the initial agreement and for compensation of damages caused by the breach of security, whereas the damages may be of such a scale that preventing them is easier than remedying the resulting catastrophe. For example, outsourcing accounting information systems in the banking sector is highly critical. Loss of control over the stored personal data of customers can result in the complete cessation of the bank's activities. Additionally, such loss is difficult to prove, especially in terms of lost revenue. All this indicates that compensation for damages does not restore the client company's assets. In this regard, the issue of information security in the organization's relations with third parties is of great importance, and it is the responsibility of the client company to find the right balance between optimizing its business processes and securing its information.
The rapid development of information technology has made it impossible to provide absolute protection against potential attacks. Given time and resources, any preventive control can be bypassed. Besides, overly strict control is burdensome and may negatively affect the performance of the business. Given this, and the fact that detective controls need time to detect hostile hacking activity, additional preventive controls that protect the most sensitive information are necessary. According to Andress (2014), operating systems have the issues that require the most additional attention. They are addressed by implementing a set of hardening and mitigation steps (Andress, 2014, p. 202). Minimizing the number of optional programs and removing all unused ones, since they are targets for potential attack, is a necessary step in decreasing information security risks. It is then followed by improved management of user accounts and an improved approach to the company's software design.
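The two hardening steps named above, pruning optional or unused programs and reviewing user accounts, can be turned into a repeatable audit. The following is an added example written for this article, not code from Andress or from any AIS product; the installed-program inventory, the approved baseline, the account list and the 90-day and 60-day thresholds are all constructed for illustration and would be replaced by the organization's own data and policy.

```python
from dataclasses import dataclass

# Constructed inventory: program name -> days since it was last launched.
INSTALLED = {
    "accounting-core": 1,
    "pdf-viewer": 3,
    "media-player": 200,
    "legacy-ftp-client": 400,
    "screenshot-tool": 12,
}

# Constructed approved baseline for this workstation role (hypothetical names).
BASELINE = {"accounting-core", "pdf-viewer", "endpoint-agent"}


@dataclass(frozen=True)
class Account:
    name: str
    last_login_days: int  # days since the last successful login
    is_admin: bool        # holds administrative privileges
    enabled: bool         # account can currently log in


# Constructed account list for the same workstation (hypothetical names).
ACCOUNTS = [
    Account("clerk1", 2, False, True),
    Account("former-intern", 190, False, True),
    Account("svc-backup", 400, True, True),
    Account("auditor", 45, True, True),
    Account("old-admin", 300, True, False),
]


def audit_programs(installed, baseline, unused_after_days=90):
    """Classify installed programs against the approved baseline.

    remove:  optional programs nobody has used within the threshold
    review:  optional programs still in use (a decision is needed, not automatic removal)
    missing: baseline programs that are absent, e.g. a security agent that was uninstalled
    """
    optional = {name: days for name, days in installed.items() if name not in baseline}
    return {
        "remove": sorted(n for n, d in optional.items() if d > unused_after_days),
        "review": sorted(n for n, d in optional.items() if d <= unused_after_days),
        "missing": sorted(baseline - installed.keys()),
    }


def audit_accounts(accounts, inactive_after_days=60):
    """Return (severity, account) pairs for enabled accounts that have gone stale.

    A stale administrative account is rated high because it offers the most
    privilege to whoever obtains its credentials.
    """
    findings = []
    for acct in accounts:
        if acct.enabled and acct.last_login_days > inactive_after_days:
            severity = "high" if acct.is_admin else "medium"
            findings.append((severity, acct.name))
    return sorted(findings)


if __name__ == "__main__":
    print(audit_programs(INSTALLED, BASELINE))
    print(audit_accounts(ACCOUNTS))
```

Run on the constructed data, the program audit lists media-player and legacy-ftp-client for removal, puts screenshot-tool up for review, and reports that the baseline endpoint-agent is missing; the account audit rates the enabled but long-unused svc-backup administrator account as high and former-intern as medium, while old-admin is already disabled and produces no finding.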
A few recommendations can be suggested for businesses to secure their operations against hackers. Basic safety precautions should be followed consistently. Official data show that most incidents occur because elementary principles of security are violated (Whitman & Mattord, 2012, p. 7). The lack of timely software updates is often a source of major problems. Senior management should also make provision to obtain systematic reports reflecting the performance of the company's information security system. These will enable management to knowingly apply proactive measures in accordance with the constantly changing rules of the game.
The level of security awareness among the company's employees, including the staff of the information security department, should be constantly updated. The exclusive use of traditional instruments for the prevention and detection of threats is a notable problem. Many security teams rely on signature-based tools and do not engage in an independent search for more subtle indicators of security breaches. Besides that, there is a widespread misconception that compliance with regulatory requirements is sufficient to ensure safety. Most regulatory requirements represent a minimum set of security standards, which is not a sufficient level.
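To make the difference between signature matching and a search for subtler indicators concrete, here is an added example written for this article (not code from any product or from the authors cited). It runs two detectors over a constructed SSH authentication log: a signature rule that matches a string a conventional tool already knows, and a behavioural rule that looks at the sequence of events per source address and the time of day. The log lines, host name, user names, the 203.0.113.0/24 and 198.51.100.0/24 addresses (documentation ranges) and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic). The last line is a successful login
# with valid credentials, at night, right after a burst of failures from the same address.
SAMPLE_LOG = """\
2024-03-04T09:02:11 fin-app sshd[2201]: Accepted password for clerk1 from 198.51.100.20 port 50211 ssh2
2024-03-04T09:05:40 fin-app sshd[2210]: Failed password for clerk2 from 198.51.100.21 port 50302 ssh2
2024-03-04T09:05:55 fin-app sshd[2211]: Accepted password for clerk2 from 198.51.100.21 port 50303 ssh2
2024-03-04T23:41:02 fin-app sshd[3104]: Failed password for invalid user admin from 203.0.113.9 port 41001 ssh2
2024-03-04T23:41:09 fin-app sshd[3105]: Failed password for invalid user test from 203.0.113.9 port 41002 ssh2
2024-03-04T23:41:15 fin-app sshd[3106]: Failed password for clerk1 from 203.0.113.9 port 41003 ssh2
2024-03-04T23:41:22 fin-app sshd[3107]: Failed password for clerk1 from 203.0.113.9 port 41004 ssh2
2024-03-04T23:41:30 fin-app sshd[3108]: Failed password for clerk1 from 203.0.113.9 port 41005 ssh2
2024-03-04T23:41:48 fin-app sshd[3109]: Accepted password for clerk1 from 203.0.113.9 port 41006 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Signature rule: a fixed string a signature-based tool would ship with (hypothetical rule name).
SIGNATURES = {"invalid-user-probe": "Failed password for invalid user"}


def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "ok": m["result"] == "Accepted",
                "user": m["user"],
                "ip": m["ip"],
                "raw": line,
            })
    return events


def signature_hits(events):
    """Flag every line containing a known signature string."""
    return [(name, e["raw"]) for e in events for name, sig in SIGNATURES.items() if sig in e["raw"]]


def behavioural_hits(events, max_failures=3, window_s=120, work_hours=(7, 19)):
    """Flag successes that follow a burst of failures from the same address, and off-hours successes."""
    hits = []
    failures = defaultdict(list)  # source ip -> timestamps of failed logins
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if not e["ok"]:
            failures[e["ip"]].append(e["ts"])
            continue
        recent = [t for t in failures[e["ip"]] if (e["ts"] - t).total_seconds() <= window_s]
        if len(recent) >= max_failures:
            hits.append(("success-after-burst", e["raw"]))
        if not (work_hours[0] <= e["ts"].hour < work_hours[1]):
            hits.append(("off-hours-login", e["raw"]))
    return hits


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for name, raw in signature_hits(evts) + behavioural_hits(evts):
        print(f"{name:20s} {raw}")
```

On the constructed log the signature rule fires only on the two noisy probes for non-existent users; it stays silent on the event that actually matters, the successful login as clerk1 at 23:41 after five failures from the same address, which only the behavioural rules report. A review of indicators like these, rather than reliance on signatures alone, is what the paragraph above calls for.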
The use of desktop computers for personal matters should not be allowed. Users do not need to install and use third-party programs that are unrelated to their work. The same applies to the use of personal devices and gadgets within the corporate network. A smartphone or a USB drive connected to an employee's office computer can be infected by a virus, which subsequently spreads through the corporate network. It is also necessary to limit visits to sites completely unrelated to the performance of employees' official duties.
It is clear by now that securing the company's accounting information system is not merely a technical issue but a matter of business, and that senior management plays a key role in the successful execution of the organization's security strategy. Moreover, where third parties such as outsourcing software providers are involved, the client company still bears most of the responsibility for the security of its business and the confidentiality of its clients. The imposition of additional regulations as preventive measures is mandatory, since a perfect security system is unattainable and information technologies change at tremendous speed. Partial recommendations to ensure data integrity and the safety of businesses against hackers have been suggested.