This article was first published in the January 2018 international edition of Accounting and Business magazine.

Hacking is an ever-present and growing threat to the security of commercially confidential - and especially financial - information. As a result, there is a growing case for companies to hold their noses and invest in ethical hacking to secure their financial systems.

No one wants to announce to customers, clients and the public that their data has been compromised - the recent attack on Uber could cause significant brand damage. And the risk of attack is rising as more businesses embrace cloud-based systems.

‘Penetration testing’ or ‘pen testing’ by expert hackers is one way companies can assess their IT vulnerabilities. By invitation only, these experts can identify weaknesses in accounting systems, web pages, databases, servers and operating systems and attempt to exploit them. They will then report back, showing company chiefs where their vulnerabilities lie and the potential consequences of a malicious hack.

Pen testing begins with an automated system scan. Testers then dive deeper manually to identify weaknesses, trying to make the system fail or reveal information that an outsider should not know. Based on the results, businesses can intelligently manage their vulnerabilities and implement fixes, complying with regulatory requirements, and maintaining their corporate reputation and customer loyalty.

IT security should never be assumed to be watertight. It’s recommended that companies storing customer banking and credit card details should undergo pen testing regularly - up to every three months; after all, no large company would dream of submitting its accounts without an audit.

Indeed, pen testers urge companies of all sizes to invest up to 10% of their IT infrastructure budget in regular pen testing. Hackers will attempt to breach firewalls to see how far a cybercriminal could get into a system, spot coding errors that could bring a system down or test the damage a disgruntled employee could cause with internal access to a password-protected area of business.

Even the US Department of Defense last year invited ethical hackers to test the Pentagon’s external websites for bugs, offering up to US$7m in rewards for hackers identifying vulnerabilities. More than 1,400 hackers signed up, with US$75,000 paid out for uncovering more than 130 ‘legitimate, unique’ vulnerabilities, saving the department millions of dollars, estimates former defense secretary Ash Carter.

Global companies such as Google, Facebook and Microsoft also sponsor so-called ‘bug bounty’ programmes to encourage ethical hackers to continually test their systems. Two major international conferences for the global hacking community held last year in the US - DEF CON and Black Hat USA - underlined the need for such action.

DEF CON presenter Dan Cvrcek, founder of Cambridge-based encryption and security experts Enigma Bridge in the UK, says: ‘Fear of the unknown is often considered the worst situation - but if you don’t test, it will be worse.’

The former banking security analyst highlighted the importance of testing new systems before they go live, configuring them as closely as possible to the one with live data. And when allowing pen testers to attack a live system, access to sensitive data, especially financial data, must be restricted.

‘Pen testing is authorised activity - the customer has to say, “I want you to attack the system” and specify the scope for testing,’ he says.

Cvrcek warns that with the growing uptake of cost-effective cloud-based systems, many internal processes with limited inhouse access are now available remotely, bringing new risks. ‘It’s very dangerous,’ he says.

Size doesn’t matter

Many companies believe they are too insignificant to be targeted by hackers, but Cvrcek says malicious hackers often scan the internet for systems affected by a particular vulnerability and attack them randomly, regardless of size.

Dan Haagman, CEO of the NotSoSecure Group, which delivers pen testing from its bases in the UK, US, Australia and India, describes pen testing as business insurance. This can include fintech suppliers themselves, he says.
‘If you publish software and don’t check the code, it can have unanticipated consequences. You can never fully mitigate risks and have a 100% guarantee, but it’s a very sensible thing to do.

‘Security should be considered a function of capex and opex finance,’ he says. ‘The internet is a wonderful opportunity but it’s not free and it’s not safe.’

Pen tester ‘Anch’, who presented at last July’s DEF CON conference in Las Vegas, says different threat levels can be identified through such hacks. ‘I often find my greatest successes exploring the high and medium-rated vulnerabilities instead of the criticals,’ he says. ‘Most places will concentrate on eliminating the obvious exploitable vulnerabilities and ignore the ones lower on the list. A good pen tester can give you that information, prioritise the fixes and attempt to give a company the best bang for their buck.’

Anything is hackable

DEF CON participants regularly demonstrate their hacking skills in real time. ‘DEF CON showed us anything can be hacked - software, computers, apps, chips or anything in the supply chain. Always assume you can be hacked and your data can be compromised.’

Julie Missimore, ACCA’s head of policy - Americas, describes pen testing as ‘an invaluable tool to financial institutions and organisations everywhere’.

She says: ‘Given the large amounts of data that accountants and financial professionals are tasked with keeping safe, the security of online systems is essential to maintaining trust and confidence in the online financial services industry, as well as other organisations that are entrusted with consumer information.’

‘No organisation or government is so powerful that it does not need outside help identifying security issues,’ says Marten Mickos, CEO of HackerOne, a bug bounty coordination team created by executives at Facebook, Google and Microsoft, which has established open channels of communication with the global hacker community.

Former hacker turned co-founder of HackerOne, Jobert Abma, says issues can be found very quickly once testers or hackers start interrogating a system.

‘Breaches are happening every day. We’re all human, so there will inevitably be errors in code and bugs in all software. If those bugs are known, wouldn’t you want to know so you can fix them before someone exploits them?’ 

Sarah Gibbons, journalist