Hacking the AIS

Introduction

Hacking is the use of technology to gain unauthorized and illegal access to an individual’s or organization’s computer or network. The purpose of hacking is to obtain information and resources that would otherwise not be available to unauthorized personnel. Hacking is also done to make alterations that aid in committing future misdeeds and crimes against an organization. A person who hacks is referred to as a hacker.

This paper discusses the 2016 hacking of Tesco’s system, how it responded to the security breach and the role of its accounting software provider in preventing and controlling hacking. The paper aims to outline the concept of control and security in accounting information systems, as well as how to ensure the integrity and safety of data in an organization.

Tesco Database Hacking

In November 2016, Tesco Bank’s network was hacked for 48 hours and a whopping £2.26 million was stolen from its online accounts. The hackers stole this money from around 9,000 to 10,000 customer accounts (Palmer, 2018). Once the hacking was discovered, Tesco Bank was quick to address the issue. It suspended online debit transactions to prevent any further hacking while it secured the system. The hackers are suspected to be fraudsters from Brazil who had knowledge of Tesco Bank card numbers and used them to carry out transactions illegally. The CEO of Tesco Bank, Gerry Mallon, apologized to the customers for the hacking and compensated those who had lost money from their accounts during the hacking. In October 2018, the Financial Conduct Authority fined the bank £16 million for exposing customers to financial loss through its failure to exercise due diligence in securing customers’ accounts from data breaches as required in the banking industry.


Once the hacking incident was discovered, the management of Tesco Bank was efficient in handling the matter; it texted customers to beware of suspicious activities in their accounts. It also suspended online banking activities until the problem could be contained. Additionally, the company requested the National Cyber Security Centre to assist the National Crime Agency in investigations into the hacking.

The Responsibility of Third-Party Accounting System Providers

Third-party accounting system providers have a crucial role to play in securing their customers’ data from hacking and other security breaches. It is their responsibility to ensure that the business’s and customers’ information is safe by implementing security surveillance 24/7/365. Therefore, any hacking attempt should be detected immediately and stopped before the risk materializes. In the case of Tesco Bank’s hacking, the software provider failed and should take responsibility for the loss because the hacking occurred over a period of 48 hours. If the system had been secure enough, the breach would have been detected and controlled before it occurred (Boczko, 2012).

A good software provider should also ensure that customers’ information is encrypted to protect it from hacking; in this case, the software company is liable because the hacking of 9,000 – 10,000 accounts indicates that the data was not encrypted as per the required standards (Palmer, 2018). The software company should also take responsibility for the theft because the firewalls put in place were not effective enough to prevent unauthorized entry into the system. In addition to this, the software company should be held liable for the security breach because an effective accounting software system should allow access to authorized individuals only and should be able to detect and immediately alert users in case of any unauthorized access. The fact that the system was breached shows that crucial security measures such as two-factor identification and biometric verification were not in place, which is essentially proof of negligence.

Additional Regulation Measures to Protect Business Data

Customers entrust businesses with their personal information such as credit card details, names, identification numbers and addresses. This information can easily put the business and its customers at risk of cyber-attacks and financial fraud. In the modern fast-paced and technologically advanced business environment, businesses should prioritize securing their data and networks since data security breaches have become increasingly common.

The process of protecting business information begins within the organization. The employees of an organization can intentionally or unintentionally create a threat to data security (Hacking Studios, 2017). This can occur through sharing passwords, clicking on unknown links, accessing websites that have viruses and malware or, in other cases, deliberately performing fraudulent activities such as creating fake invoices and diverting money from customers’ accounts to a personal account. Businesses should train employees on how to protect company information both physically and digitally. For instance, the organization’s documents and records should be filed systematically and stored in a place that is not accessible to unauthorized persons. Passwords should be changed regularly, and methods of detecting unauthorized entry into the system should be implemented. Businesses can also secure data from erasure and loss by storing it in different data centres in different locations (Simpson, 2016).

It is essential for businesses to constantly monitor how, when and which employees access and use information in the organization; this will enable them to detect security breaches promptly. Additionally, security measures such as firewalls and data encryption minimize the risk of hacking (Reynolds, 2018). Businesses that lack adequate internal controls and a code of ethics governing what constitutes use or abuse of data are more vulnerable to hacking and other cyber-attacks.

How Businesses Can Secure Their Information Against Hackers

In today’s business environment, businesses are constantly exposed to a variety of cyber-security risks. Recovering from security breaches is costly to the firm, as illustrated by the case of Tesco Bank, which lost £2.5 million through hacking and a further £16 million in penalty charges for its failure to secure customer funds appropriately. It is therefore crucial for organizations to protect their systems and assets from internal and external cyber-attacks. Three methods of protecting these assets and systems are outlined below.

Firstly, businesses should use encryption tools to ensure that the information in their systems is not easily accessible to hackers. In addition to installing encryption tools, the computers should be set to log out automatically when they are not in use in order to prevent hackers from decrypting information by attacking the system with viruses and malware.

Secondly, hackers can also gain access to business information by breaking into the premises and stealing laptops, computers and documents. It is, therefore, necessary to physically secure the devices and documents used in the business. Important documents should be stored in lockable safes or drawers, while electronic devices such as laptops should be tethered to the desk with a laptop lock. Additionally, access to the server room should be restricted to authorized personnel only, and its doors should always be locked (Reynolds, 2018).

Thirdly, data security can be enhanced by using strong passwords which include words, numbers and special characters. Employees should be cautioned against sharing their passwords or leaving their devices on while unattended to prevent hackers from accessing the passwords. It is also essential to use two-factor authentication such that even if a password were to be compromised, the account would still not be accessible to a hacker because it would require separate authentication from a different device.

AIS Control and Safety Concepts

Accounting information systems (AIS) contain crucial financial data that should be protected from cyber-security risks. A well-designed AIS should contain features and programs that enhance the safety and integrity of the assets and accounting information of the business. One of the features of a secure accounting information system is its ability to back up the information it contains in a remote secure location. Therefore, in case the system crashes, the back-up information can be retrieved. A secure AIS requires users to log in using their individual login IDs and passwords (Broad, 2013). Additionally, different users should have access to different facets of the system to prevent misuse of data. For example, an accounts payable accountant should have access to supplier invoices and not to the check signing facet of the system. Thirdly, a secure AIS should contain inbuilt protection against viruses and malware, therefore protecting the business against hacking attacks.
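
The separation of access described above (an accounts payable accountant reaches supplier invoices but not check signing) can be expressed as role-based permissions with a default-deny check. This is an added example, not part of the original paper; it goes one step further by flagging users whose combined roles break that separation, and every role name, permission string and user name in it is hypothetical.

```python
# Hypothetical roles and permissions for an accounting information system.
ROLE_PERMISSIONS = {
    "ap_accountant": {"supplier_invoice:read", "supplier_invoice:enter"},
    "treasurer": {"check:sign", "payment:release"},
    "auditor": {"supplier_invoice:read", "audit_log:read"},
}

# Permission pairs that one person must never hold together
# (segregation of duties): entering an invoice and paying it.
CONFLICTS = [
    ("supplier_invoice:enter", "check:sign"),
    ("supplier_invoice:enter", "payment:release"),
]


def permissions_for(roles):
    """Union of permissions granted by a user's roles; unknown roles grant nothing."""
    granted = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def is_allowed(roles, permission):
    """Default deny: allowed only if an assigned role grants the permission."""
    return permission in permissions_for(roles)


def sod_violations(user_roles):
    """Return {user: [conflicting pairs]} for users holding both sides of a conflict."""
    findings = {}
    for user, roles in user_roles.items():
        held = permissions_for(roles)
        hits = [pair for pair in CONFLICTS if pair[0] in held and pair[1] in held]
        if hits:
            findings[user] = hits
    return findings


# Constructed sample assignments; "carol" has accumulated two conflicting roles.
SAMPLE_USERS = {
    "alice": ["ap_accountant"],
    "bob": ["treasurer"],
    "carol": ["ap_accountant", "treasurer"],
}

if __name__ == "__main__":
    print("alice may sign checks:", is_allowed(SAMPLE_USERS["alice"], "check:sign"))
    for user, pairs in sod_violations(SAMPLE_USERS).items():
        print("segregation-of-duties conflict:", user, pairs)
```

Running the conflict check on a schedule against the live role assignments catches access that was granted piecemeal over time, which a per-request permission check alone does not reveal.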


References

Boczko, T. (2012). Introduction to accounting information systems. Harlow, England: Pearson.

Broad, J. (2013). Risk Management Framework: A Lab-Based Approach to Securing Information System. Newnes.

Hacking Studios. (2017). Cyber Security: Understand Hacking and Protect Yourself and Your. Columbia, SC: Hacking Studios.

Palmer, D. (2018). This is how cyber attackers stole £2.26m from Tesco Bank customers | ZDNet. Retrieved from https://www.zdnet.com/article/this-is-how-cyber-attackerswere-able-to-steal-2-26m-from-tesco-bank-customers/

Reynolds, G. (2018). Ethics in information technology. Cengage Learning.

Simpson, W. (2016). Enterprise Level Security. Taylor & Francis.

