How secure is accounting software data in Aotearoa?
A Xero study released in December 2021 found that ICT spending for New Zealand businesses has seen a significant increase compared to pre-pandemic levels.
The study, titled ‘Picking up the pace: Trends in small business technology adoption and use’, gathered anonymous data from more than 300,000 small businesses across New Zealand, Australia and the UK and factored in statistics involving aspects such as digitisation practices, app use, economic growth rates and total expenditure.
New Zealand enterprises have increased their ICT spending by 25%. In contrast, the UK has increased by 20% and Australia by 13%. Although both the UK and Australia had higher expenditure rates in individual categories within the data, New Zealand came out on top overall.
New Zealand's small businesses reported higher total sales levels leading to greater sales and payment outcomes and fewer job losses throughout the pandemic. As a result, the report acknowledged New Zealand's significantly higher ICT expenditure, compared with Australia and the UK, as the country's key to success.
“This demonstrates that small businesses in New Zealand, as well as Australia and the UK, are embracing technology to adapt to a changing operating environment and realising the benefits that cloud accounting and digital tools provide,” Xero says, citing the research.
“We are also seeing governments globally introduce initiatives to incentivise small businesses to move to the cloud as technology drives greater economic productivity.”
Business.govt.nz is part of the Ministry of Business, Innovation and Employment (MBIE) and helps small businesses ensure they comply with government standards by providing information and advice through specially-tailored tools and resources. It does this by working with the likes of New Zealand government agencies and private sector businesses and organisations to ascertain what challenges small businesses are facing and how best to take them on.
According to their website, small businesses, contractors and those who are self-employed all need to keep their tax records for a minimum of seven years in the event they are audited and required to share them with Inland Revenue. Records that need to be kept include invoices, receipts, petty cash, vehicle logbooks, wage books, banking records, asset registers and depreciation schedules, and emails arranging business meetings if travel expenses to another city or country are part of a claim.
This means that the data at risk of being stolen doesn't just have to be recent, potentially exposing businesses to data breaches dating back years. Combining this with the increased uptake, it's worth asking, how secure is accounting software data?
KPMG Cyber Security Services partner Philip Whitmore says there are various potential risks for private sector businesses that come from using accounting software, such as someone making unauthorised payments or disclosing information about customers.
“Regardless of whether an accounting system is managed in-house, or whether you use a cloud-based system, the security risks are similar,” Whitmore says.
Xero echoes this statement, saying that ultimately, accessing accounting software from a greater number of devices and locations will bring increased risks of login information being intercepted by malware.
“This risk can be mitigated by only ever logging in from a known device, and having two factor authentication set up on all services,” Xero says.
Xero says as the company continues to expand on its three million current subscribers globally, it must continue to educate and help its customers ensure their data is as secure as the Xero platform itself.
“We see ourselves as custodians of customer data and we take that responsibility very seriously,” Xero adds.
“However, we all play a role in keeping Xero secure, including our customers. From multi-factor authentication and password hygiene controls on customer accounts to data encryption and regular security audits, these are all small but critical things small businesses need to reduce risk.”
Whitmore adds that in order to trust a cloud-based accounting system with data, whether business or personal, making sure they have robust security in place should be a top priority.
“This is most usually achieved through reviewing an independent report on their security. This style of report is commonly called a SOC (Service Organisation Controls) report,” Whitmore says.
“Beyond that, you want to make sure that you're using all the security features available – multi-factor authentication is a must – and have strong internal control processes in place around areas such as managing users, authorising payments, and managing changes to supplier records.”
CERT NZ supports companies subjected to or with the potential to be impacted by cyber security incidents through advice and information designed to bolster robust cyber security practices at an enterprise level.
The organisation says that had it been in place, two-factor authentication could have prevented 65% of reported cyber security incidents.
According to CERT NZ, two-factor authentication (2FA) is a straightforward but strong security step that can be used business-wide to protect email accounts, bank accounts, financial systems and customer data.
2FA works by providing a user with a uniquely generated code when they attempt to log in, sent either to their phone or available through an authenticator app.
Multi-factor authentication is a variation of the same process and, in the case of Xero, “provides a second layer of security that stops anyone else accessing your Xero account, even if they know your password.”
The Australian Taxation Office recently mandated multi-factor authentication (MFA), and as a result, the country witnessed a substantial reduction in account takeovers.
Seeing this, Xero followed suit by mandating that all its customers worldwide, including those in New Zealand, implement MFA.
The company also released its own authenticator app, Xero Verify, to make the platform more secure and straightforward.
“As part of this work, we have security and education awareness managers running customer webinars, writing materials and constantly talking to Xero customers,” Xero notes.
“We also have a dedicated hub in Xero Central with resources about security.”
Xero says that security is a crucial component of its business, and like other online services, the company continues to be vigilant about ensuring the data on its platform is safe.
“Our dedicated Security team has critical programs of work, which take a multi-layered approach to ensure that the security of our product and the platform it resides on, are safe to host the customer data that we are trusted with,” Xero adds.
This includes investing in areas such as working with high-end industry security tools, having its auditing conducted externally to ensure it adheres to international standards and prioritising data safety.
When it comes to attacks, Whitmore says they usually focus on stealing passwords through acts such as phishing or attempting to convince a user to change the bank account for a supplier.
He adds that at the end of the day, personal responsibility is as important when using accounting software as it is with anything else.
“These [attacks] aren't issues with the accounting software, but rather how you use them, and how robust your internal control processes are.”