Accounting Information Systems’ Security Threats

A different economy exists that relies solely on information that is unlawfully collected from unsuspecting corporations and businesses, and then traded to other businesses or institutions to use as they please. Acknowledging that there is a widespread hacking menace is only the first step for companies that intend to safeguard their accounting and information systems against intruders. Knowledge of how to deal with the problem comes next, while the actual implementation of security features completes the list of steps needed to deal with any loophole in an organization’s systems.

Many computer-literate managers and employees at all levels understand the various security and data integrity risks posed by malware, viruses, and other unwanted programs on work or personal computers. Organizations invest millions of dollars in dealing with this problem by acquiring antivirus, firewall, and anti-malware programs. From a general view of the security situation in any industry, it seems that taking care of intruders by blocking the programs they use is a complete solution. Unfortunately, that is just one of the various mechanisms needed. An attitude of permanent vigilance must exist in all organizations, big or small, that are serious about protecting the privacy of their data.

For large companies, economies of scale and specialization call for the bulk of their information processing to be handled by a third-party systems provider. In such a case, the responsibility for security rests with both the client company and the provider of outsourced data management. Many organizations that fall into hacker traps and end up losing a lot of sensitive information find out that the breach occurred at the weakest link, which is between the two firms. A good example is Nissan, the globally recognized car maker from Japan. In 2012, the company admitted that its employee database was compromised by hackers (Perlroth, 2012). The attackers broke into individual employee computers and were able to get away with passwords and usernames that would enable them to access various features of the company’s information system.

No stolen information was leaked to the public and the company did not disclose whether any information was compromised. The company’s response was commendable. Top management shut all possible open holes in their system and waited a week before revealing to the public that, indeed, there was a breach of security in their systems. The example of Nissan signifies a new wave of hacking attempts at companies that targets data because of its future usage value. For example, the stolen passwords and usernames at Nissan were encrypted and the same key passes could be sold to people who wanted to access various parts of the Nissan internal information system if the hack was undetected (Perlroth, 2012).

Nissan bears full responsibility for the attack, as the compromised system was maintained by the organization itself. From the released report, there was no mention of a third-party organization helping in the management of the employee login details. The response, which took less than a week, was admirable, although the nature of the attack called for more scrutiny. Data breaches can wreak havoc in seconds, as that is the time it takes to transfer files from one geographical location to another. Based on the report by Perlroth (2012), Nissan admitted that the organization was only able to find the source Internet Protocol address after tracing the malware used in the attack. Anything that might have been stolen would not be found, and no additional data tampering cases were reported after fixing the loopholes.

New considerations emerge about the breach and its consequences if we assume that the accounting system at Nissan was provided and maintained by a third-party company. The accounting system provider must use a secure operating system as the base of its software. It is also important to provide a platform that is easy to access and use, as non-technical employees would be using the system. This pushes security features, such as encryption, to the backend, and only the features necessary for access would be available to the users. This strategy ensures that the vulnerabilities of the system remain hidden, apart from the obvious ones that would arise from the user.

In 2011, a hacking attack at RSA’s SecurID tags victimized 760 companies that rely on the service to manage their employees’ access to various areas in the different organizations (Goldman, 2011). The fact that the victim companies included about a quarter of the Fortune 100 shows how critical the breach was and how immense its effects were. This is a case where the provider of a system to manage secure entries for several companies became vulnerable and led to the exposure of all companies that relied on its service. The same can happen with a third-party accounting system provider. In the Nissan case, the attack might have originated from a loophole in the third-party provider such that the malware could still penetrate the system through the gates opened for the third-party provider’s access, even when the Nissan systems were breach-proof.

Research by Harris and Patten (2014) on security considerations for enterprise mobility identifies several corporate goals that expose firms to hackers. The research points out that most vulnerabilities arise as organizations seek to implement new ways of doing work, such as the use of remote login features for employees. Hackers, on the other hand, get access to various technologies that enable them to compromise devices and networks that eventually connect to a company’s database. As the case of Nissan suggests, getting access to an accounting system no longer requires actually hacking the system itself; instead, hacking other parts of the network and the devices that connect to it allows hackers to penetrate and leave without leaving a trace, or the trace quickly dies out if it remains.

Businesses should embrace the following regulations to secure their data against any illegal copying or tampering. First, they should pay attention to any embedded technology that they rely on for their daily operations. While the new parts of the system might be secure, vulnerabilities in the retained parts of the previous system still expose the firm. New policies for managing other network access to the business must be evaluated and accepted only when they guarantee the security of the connecting network. All possible inter-company system connections need regular scrutiny to identify any weaknesses before hackers get access.

This recommendation rides on the fact that, in most cases, it is the businesses that delay upgrading their systems, thereby exposing themselves to vulnerabilities that would be taken care of by the newer versions of the same systems provided by the third-party provider.

Upgrades are always costly, but it is better to take precautions, as the risk of hacking is very real and losses can be very big. Target, the US retail giant, found out the importance of going with the latest secure version of a system when it was already too late. Hackers compromised the payment system at its stores and were able to collect credit card information from the company’s customers. The company then decided to adopt new chip-and-PIN store cards of the kind that are already widespread in Europe. A need to conserve funds had been cited as a major reason why firms had not upgraded to the new system, as it would force businesses to get new card processing machines (Stout, 2014).

Businesses can secure their systems from hackers by following these three recommendations. First, they should rely on policies that require physical access to information to limit the chances of remote attacks, so that the system can remain secure even when the devices used by employees are compromised. It would be easy to deny access to a device, such as a smartphone or a laptop, by cutting off any means that it uses to reach the system. The second recommendation is to rely on different third-party providers of the same system at different levels.

While doing this, the company should combine any system access requests with an alert system so that the detection happens fast and the necessary measures are taken to prevent any compromising situation that would follow in case of questionable access. The third recommendation is for businesses to sensitize their employees and customers on any possible route that hackers can use to reach a secure system (Harris & Patten, 2014). Being open to attack from any angle within and outside the company is a critical condition that keeps everyone vigilant and provides the right environment for alerting system administrators.

References

Goldman, D. (2011). Massive hack hit 760 companies. CNN Money. Web.

Harris, M. A., & Patten, K. P. (2014). Mobile device security considerations for small and medium-sized enterprise business mobility. Information Management & Computer Security, 22(1), 97-114.

Perlroth, N. (2012). Nissan is the latest company to get hacked. The New York Times. Web.

Stout, H. (2014). Target vows to speed anti-fraud technology. The New York Times. Web.