Accounting cybersecurity has been a hot topic of debate in the business landscape over the last decade. The conversation became especially relevant once remote work took over during the pandemic years, and it remains so in post-pandemic times. 2023 was an especially eventful year for the digital landscape, thanks to ChatGPT opening the floodgates on AI technology and allowing mass public access to some very powerful, and potentially dangerous, tools.
This is precisely why we have decided to tackle the subject of accounting cybersecurity today. Things have changed a lot over the past year. While much of what we noted in a previous publication titled “A Guide to Cyber Risk Management in Business Accounting” remains valid, there are some new developments and updates that we felt warranted our attention.
The rise of AI-powered tools has added both efficiency and complexity to the cybersecurity landscape. Tools like ChatGPT have revolutionized tasks like fraud detection and process automation in accounting, but they’ve also introduced new vulnerabilities. Companies must now protect against sophisticated AI-driven cyberattacks that can exploit these very same tools. With AI advancing at an unprecedented pace, constant vigilance and updating cybersecurity measures are essential to safeguarding sensitive financial data.
So, readers can take this new piece as a kind of supplement to our prior extensive look at accounting cybersecurity. We highly recommend reading both for a complete view of the accounting cybersecurity landscape.
How Cyber-Crime Has Changed in 2024
Cybercrime should theoretically be pretty easy to avoid, provided you are sufficiently technologically literate. All the usual methods of phishing emails, social engineering, and malware have been talked about to no end, so there is no shortage of awareness.
Yet, cybercrime not only remains but is immensely prevalent across the business landscape. Just this year, for example, X (formerly known as Twitter) reported a breach that leaked the data of over 220 million users. Similar data breaches continue to happen, and according to IBM’s report this year, 2023 was the most expensive year in recorded history for data breaches, with the average cost of a data breach coming out to $4.45 million, an astronomical figure that demonstrates how serious this issue has become on a global scale.
If the core of the issue lies in human error, as suggested by Security magazine, then surely through persistent, widespread cyber awareness campaigning there should, by all rights, be a tangible, visible effect on these ever-growing rates. On top of that, as the IBM report suggests, AI detection is estimated to save businesses an average of $1.76 million compared to businesses without it, which should make a huge difference. Yet still, the numbers simply don’t add up.
Numerous factors are playing into this seemingly worsening accounting cybersecurity situation, but as we alluded to previously, the most relevant and addressable one in our estimation is AI itself.
Yes, you heard correctly, we believe AI and technology to be a major cause of concern in accounting cybersecurity. Thanks to how widespread and accessible AI and automation are now, the logical answer from malicious parties to the rise of technological safeguards is to leverage technology themselves to keep up. Thus, we end up in an arms race of sorts, with each side developing and leveraging technology to thwart the other. Let’s reevaluate the most common accounting cybersecurity threats in light of AI and its impact.
Phishing Scams and Social Engineering in 2024
Phishing has profited heavily from the proliferation of AI, particularly AI chatbots and image generators. Phishing scams used to be very easy to catch if you kept your eyes peeled for them, but this is not the case anymore. Scammers from all around the world can now generate nigh-perfect email content, with immaculate grammar, in nearly any language they wish. The usual tell-tale signs of phishing scams, like poor spelling and syntax, are now completely gone thanks to ChatGPT. Not to mention, with masking technology, cybercriminals are now even able to mask email addresses, preventing you from being able to easily verify the legitimacy of the message. Such attacks are usually referred to as Business Email Compromise (BEC) attacks.
Things get even more dire when we factor social engineering into all of this. Imagine a scammer feeds writings and transcripts from your company’s CEO into an AI learning model. Now, this model will be able to replicate those speech patterns and very easily dupe you. Not to mention the rise of “DeepFakes,” where cybercriminals use image and voice generation to generate entirely fake videos and audio of individuals like CEOs. These can be leveraged for blackmail and can even trick a naïve accountant into paying hackers thousands of dollars, as was the case with a Hungarian firm a few years ago, when this technology was nowhere near as powerful as it is today.
There are still ways, of course, to avoid these scams. The obvious one is to directly contact the sender of the phishing email and ask them about its legitimacy. But what do you do if a phishing scam is posing as the business’s bank or a vendor, asking you to click a legitimate-looking link to maybe reset your password or some other such common excuse? You could call, but might typically be met with a waiting queue or asked to schedule an appointment.
Well, one solution to this issue is having a second, disposable device on hand, entering the link there to see where it leads. Should the link be malicious, the most you have lost is a cheap phone, making it a worthwhile risk. But, of course, such solutions are hardly efficient and should not be leveraged at a corporate level for a comprehensive security strategy. Instead, companies must invest in advanced security training for employees, along with up-to-date software that can help detect and prevent phishing attempts.
Additionally, creating a culture of cybersecurity awareness within the organization can greatly enhance overall security. Regular training sessions, workshops, and phishing simulations can equip employees with the knowledge they need to identify potential threats effectively. Furthermore, organizations should encourage employees to report suspicious emails without fear of repercussions. By fostering an environment where everyone is vigilant and proactive about accounting cybersecurity, businesses can significantly reduce the likelihood of falling victim to these increasingly sophisticated scams. Ultimately, a collaborative approach to cybersecurity can help safeguard valuable assets against the ever-evolving landscape of cyber threats.
AI-Assisted Hacking and Password Cracking in 2024
Forgetting cunning methods of accounting cybercrime for a moment, let’s now talk about how much easier it has become to simply brute force your way into a business’ systems. With sophisticated algorithms and automation, hackers are quite literally able to perform feats from classical spy movies. A guy sitting in a van with a laptop can run millions and billions of scripts in a matter of hours and crack the encryption on your financial data. Thanks to machine learning and sophisticated algorithms, these malicious actors can sit back and wait for their automated hacking machine to eventually break in and commit Accounts Takeover Fraud (ATO).
And there is no real way for you to stop it. The only thing you can do is make sure you have as many layers of security as possible and invest heavily into developing customized financial data security measures to thwart these attempts. But what can a small business do in this case?
Small businesses, for the most part, do not have the resources to spare to combat brute force hacking. The best they can do is leverage measures like multi-factor authentication, keep data secured in trusted cloud storage, and hope for the best. It’s crucial for small business owners to understand that cybersecurity isn’t just a large company issue; even they are targets. Investing in employee training about identifying phishing scams, ensuring software is up to date, and conducting regular audits of data access can also help minimize risks. Proactive steps like these can often make a significant difference in deterring attacks.
There is yet to be a widely available solution to this problem. Luckily, however, there is also a severe lack of these types of attacks happening, relative to others. Brute force hacking is still an immensely difficult process, and most cybercriminals would rather play the numbers game and send phishing emails, hoping to catch someone on an off day.
Such lower-level attacks are preventable, should businesses encourage a culture of accounting cybersecurity awareness.
What is the Answer to this New Age of Accounting Cybersecurity?
The point of this discussion was simply to show how troubling an era we live in for accounting cybersecurity. Seemingly nothing is entirely trustworthy, and with most of our money being mere numbers in the cloud, we stand to lose it all in the blink of an eye. This is precisely why we felt this conversation needed to be brought up, and why it adds significantly to the already ongoing conversation of accounting cybersecurity.
While there is no clear answer, we can take solace in the fact that these same technologies can be used to fight fire with fire. AI, when used strategically, can help predict potential threats, automate detection processes, and respond faster to incidents than human intervention alone. This was an inevitability waiting to happen, and now that we are a year into the AI-centric future, it’s up to us to spread the word around and educate people on accounting cybersecurity and these new developments. And why stop there?
Newer and more malicious ways of attacking your financial data are constantly popping up, so it’s up to the accounting and finance community, as well as the entire business landscape, to start taking steps toward a safer future. Implementing stronger security protocols, staying updated on the latest technological advances, and fostering a culture of continuous learning around cybersecurity should be a priority. And if not directly, we urge you to at least spread this and many other such publications around to get the word out.
A new age of accounting cybersecurity is here, and it will not wait for us to catch up.