Could Taylor Swift’s Eras Tour Increase the Security of Your Network?
The similarities between Taylor's Eras Tour and Attack Vector Mapping are too powerful to not discuss
The Taylor Swift Eras Tour is the highest grossing tour in history, grossing nearly $2.2 billion in sales across 149 shows with the average attendee spending nearly $1,300 per person to attend the event. All of this just 18 years since her career began. Whether you enjoy her music or not, there is no doubt that there is an attraction drawing people to Taylor; be it for her music or looks or attitude or another dozen reasons. But what makes these 149 concerts any different from the 50,000+ concerts put on annually? And could you use this information to increase the security of your network?
No, not at all. I was just hoping a tag to Taylor Swift would serve as amazing clickbait. Kidding. But yes, there are strong parallels between the two seemingly unrelated topics. How does a Taylor Swift concert attract so much attention? It was massively publicized and marketed; you couldn’t go anywhere without hearing about it. It has something people want. And the path to attend was made easy, at least for those who were able to get tickets.
Similarly, the data held by accountants and financial services firms is extremely attractive to malicious actors: the PII (Personally Identifiable Information) can be used to target individuals, commit identity theft, steal assets, and more. Most accountants and financial services firms are also very easy to find, either through a physical office or through deliberate marketing when operating virtually. Neither of those first two qualities, being publicized and being attractive, is easy to change in order to reduce risk. The third, an easy path in, is one that many accountants take for granted, and it is the one that opens them up to risk.
What is the Risk?
We are in a race: a race to innovate and improve features and client experience while facing ever-increasing threats from third-party malicious actors. As we implement new products, add integrations, store data in new places, and introduce new technologies such as cloud and AI, we increase our number of attack vectors.
An attack vector is a technique or path an attacker uses to infiltrate a system, exploit a vulnerability, or achieve a malicious goal such as stealing data, disrupting operations, or installing malware. In other words, the more applications, integrations, and storage systems we have in place, the larger the number of attack vectors we are exposed to, and the greater our risk. For example, a firm running its operation on one application or platform has far fewer attack vectors than a firm running twenty, and every integration between those applications is a path in its own right.
Examples of vectors, or paths, of attack include:
Phishing, Vishing, Smishing
Other Social Engineering
Man-in-the-Middle
Malware
Insider Threats
Unpatched Software / Zero-Day Vulnerabilities
Brute Force
And many, many more…
A year ago, during a conference in our industry, a speaker shared that they used nearly twenty different applications to onboard a client. The average in the industry is between three and four. This speaker has drastically increased their number of potential attack vectors.
Varonis, a security firm, recently conducted a broad survey to gauge the risks that increased or unmonitored attack vectors introduce, and released a report with the following findings:
90% of organizations have exposed sensitive cloud data.
88% have stale but enabled ghost users.
98% have unverified apps, including unsanctioned AI.
99% of organizations have sensitive data dangerously exposed to AI tools.
Other Factors Impacting Risk
There is more to security than just reducing the number of vectors. One must review vectors as well as all other factors to properly assess their actual risk. This Summer, GuardianTrust will be released, including an integrated Risk Calculator to help firms assess their risk level. In the meantime, some of the additional factors a firm must consider when calculating their risk include:
The individual security and design of each application. Some products are simply built more securely than others, or are not targeted as heavily as other providers’ products.
The types of attack vectors. Each application and provider, depending on its design and infrastructure, is exposed to a different set of attack vectors.
The quality of development or integration. Especially with custom development or one-off system integrations, the quality and testing processes are not always thorough.
Complexity of configuration and client experience. Some firms add too many features, increasing complexity, while others oversimplify processes or interfaces to ease the burden on their clients or employees, and both choices carry risk.
Security as a Strategy
The vendors, suppliers, and configurations that a firm chooses are all part of its strategy for security, operations, and accuracy. The strategy discussion will come in a future article.
How to Minimize Your Risk & Attack Vectors
The first step to mitigating your risk is understanding the extent and depth of your potential attack vectors. This is done by designing an Attack Vector (or Attack Surface) Map. An attack vector map is a visual or structured text representation of every potential way a malicious actor could infiltrate, exploit, or compromise a firm’s digital or physical assets. It provides a comprehensive view of a firm’s exposure points, allowing risks to be prioritized and reduced. It should cover all physical assets and hardware, all software, hosted services, networking environments and configurations, user accounts and roles, existing and known vulnerabilities, and existing vendors and suppliers. All of this should be outlined in a firm’s Written Information Security Plan (WISP).
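A structured-text attack vector map for a small firm, as an added example that is not part of the original article or of any Financial Guardians tooling. It runs the checks the Varonis findings above point at (stale but enabled accounts, apps nobody approved, PII behind a public share) and ranks each application by a hypothetical exposure score in which every integration counts as an additional path in. The firm, its users, apps, vendors, dates, the 90-day staleness policy and the score weights are all constructed for illustration.

```python
"""Added example, not from the original article: a small structured
attack-surface map for a hypothetical firm. Every name, vendor and
date below is constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

TODAY = date(2025, 6, 1)        # assumed "now" for the stale-user check
STALE_DAYS = 90                 # assumed policy: no login in 90 days = stale
APPROVED_APPS = {"TaxPrep Pro", "ClientPortal", "Microsoft 365"}  # hypothetical sanctioned list


@dataclass
class User:
    name: str
    enabled: bool
    last_login: date
    roles: list[str] = field(default_factory=list)


@dataclass
class App:
    name: str
    vendor: str
    hosts_pii: bool             # does it store client PII?
    public_share: bool          # is any of that data shared publicly?
    integrations: list[str] = field(default_factory=list)  # other apps it talks to


# Constructed inventory for a hypothetical firm.
USERS = [
    User("alice", True, date(2025, 5, 30), ["admin"]),
    User("bob", True, date(2024, 11, 15), ["preparer"]),   # left the firm, never disabled
    User("carol", False, date(2024, 1, 10)),               # properly disabled
    User("dave", True, date(2025, 4, 20), ["preparer"]),
]
APPS = [
    App("TaxPrep Pro", "TaxCo", True, False, ["ClientPortal"]),
    App("ClientPortal", "PortalCo", True, True, ["TaxPrep Pro", "Microsoft 365"]),
    App("Microsoft 365", "Microsoft", True, False),
    App("QuickSummary AI", "unknown", True, False),        # staff adopted it on their own
]


def ghost_users(users: list[User], today: date = TODAY, stale_days: int = STALE_DAYS) -> list[str]:
    """Enabled accounts with no login for longer than stale_days."""
    return [u.name for u in users if u.enabled and (today - u.last_login).days > stale_days]


def unsanctioned_apps(apps: list[App], approved: set[str] = APPROVED_APPS) -> list[str]:
    """Apps in use that were never reviewed or approved."""
    return [a.name for a in apps if a.name not in approved]


def exposed_pii(apps: list[App]) -> list[str]:
    """Apps that hold PII and also expose data through a public share."""
    return [a.name for a in apps if a.hosts_pii and a.public_share]


def score_app(app: App, approved: set[str] = APPROVED_APPS) -> int:
    """Hypothetical weighting: every app is an entry point; sensitivity,
    public reachability, lack of review and each integration add to it."""
    score = 1
    score += 2 if app.hosts_pii else 0
    score += 3 if app.public_share else 0
    score += 2 if app.name not in approved else 0
    score += len(app.integrations)
    return score


def count_vectors(users: list[User], apps: list[App]) -> int:
    """Rough vector count: each app, each distinct integration link and
    each enabled account is a separate path an attacker could take."""
    links = {frozenset((a.name, other)) for a in apps for other in a.integrations}
    return len(apps) + len(links) + sum(1 for u in users if u.enabled)


def build_map(users: list[User], apps: list[App]) -> dict:
    """Structured-text attack vector map: findings plus apps ranked by exposure."""
    ranked = sorted(((a.name, score_app(a)) for a in apps), key=lambda p: (-p[1], p[0]))
    return {
        "vector_count": count_vectors(users, apps),
        "ghost_users": ghost_users(users),
        "unsanctioned_apps": unsanctioned_apps(apps),
        "exposed_pii": exposed_pii(apps),
        "ranked_apps": ranked,
    }


if __name__ == "__main__":
    for key, value in build_map(USERS, APPS).items():
        print(f"{key}: {value}")
```

The point of the ranking is prioritization: the client portal with a public share scores highest even though it is an approved product, and the unapproved AI tool that staff pasted client documents into outranks the sanctioned tax package. Adding one more app to this inventory raises the vector count by at least one, and by more for every integration it is wired into, which is the arithmetic behind the twenty-application onboarding stack mentioned earlier.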
Over the next several months, we will discuss different mitigation steps that a firm can take to reduce their risks, specifically focusing on reducing attack vectors or surfaces.
However, today we do want to address one of the larger risks that was recently discussed on social media. A self-designated influencer in our industry recently posted asking people to publicly list and explain their technology stack, in a post that included their name and potential firm information. Aside from the blatant data-mining that occurred, this type of post is irresponsible and dangerous. A firm that publicly publishes its entire technology stack opens itself up to all sorts of potential risks:
This information can very easily be used by malicious actors to target a specific firm or its product stack. Imagine driving down the road and seeing WiFi networks named “Moe’s Drycleaning” and “Sally’s Accounting”; which one do you think is the greater opportunity for a malicious actor? Or imagine an attacker who learns that a firm uses a specific software product, uses social engineering to harvest the firm’s e-mail addresses, and then conducts a password-spray attack (one or two common passwords tried against every harvested account, staying under any per-account lockout threshold) against that product’s login. There is an old saying from an 80’s children’s cartoon: “Knowing is half the battle.” Somebody knowing what technology you use points them clearly in the right direction for an attack.
It creates a competitive risk. If a firm focuses on a niche or region-specific operation, opening up its technology portfolio in a public post can give competitors inside information on how to compete against it.
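The password-spray scenario in the first point above, as an added example that is not part of the original article: a small detector run over constructed authentication log lines, with a brute-force detector alongside it to show why the two patterns need different logic. The log format, the IP addresses, the account names and the thresholds (five distinct accounts, at most two failures each, within ten minutes) are all assumptions for illustration.

```python
"""Added example, not from the original article: detecting the
password-spray pattern described above over constructed log lines.
The log format, addresses, user names and thresholds are hypothetical."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed authentication log. 203.0.113.7 tries one guess against many
# accounts (few failures per account, many distinct accounts) and then lands
# a success; 198.51.100.9 hammers a single account (brute force, not spray);
# 192.0.2.44 is a user who mistyped once.
SAMPLE_LOG = """\
2025-06-01T09:00:01Z src=203.0.113.7 user=alice@firm.test result=FAIL
2025-06-01T09:00:12Z src=203.0.113.7 user=bob@firm.test result=FAIL
2025-06-01T09:00:25Z src=203.0.113.7 user=carol@firm.test result=FAIL
2025-06-01T09:00:37Z src=203.0.113.7 user=dave@firm.test result=FAIL
2025-06-01T09:00:49Z src=203.0.113.7 user=erin@firm.test result=FAIL
2025-06-01T09:01:02Z src=203.0.113.7 user=frank@firm.test result=FAIL
2025-06-01T09:01:15Z src=203.0.113.7 user=grace@firm.test result=SUCCESS
2025-06-01T09:05:00Z src=198.51.100.9 user=alice@firm.test result=FAIL
2025-06-01T09:05:03Z src=198.51.100.9 user=alice@firm.test result=FAIL
2025-06-01T09:05:06Z src=198.51.100.9 user=alice@firm.test result=FAIL
2025-06-01T09:05:09Z src=198.51.100.9 user=alice@firm.test result=FAIL
2025-06-01T09:05:12Z src=198.51.100.9 user=alice@firm.test result=FAIL
2025-06-01T09:05:15Z src=198.51.100.9 user=alice@firm.test result=FAIL
2025-06-01T09:30:00Z src=192.0.2.44 user=bob@firm.test result=FAIL
2025-06-01T09:30:20Z src=192.0.2.44 user=bob@firm.test result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_log(text: str) -> list[dict]:
    """Parse the hypothetical log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "src": m["src"], "user": m["user"], "result": m["result"]})
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag a source that fails against many distinct accounts with few
    attempts each inside one sliding window, and list any account that
    source later logged into successfully."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        for i, first in enumerate(fails):
            win = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            per_user = Counter(e["user"] for e in win)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                later_ok = sorted({e["user"] for e in evs
                                   if e["result"] == "SUCCESS" and e["ts"] >= first["ts"]})
                findings.append({"src": src, "window_start": first["ts"],
                                 "targeted_users": sorted(per_user),
                                 "possibly_compromised": later_ok})
                break  # one finding per source is enough for an alert
    return findings


def detect_brute_force(events, window=timedelta(minutes=10), min_fails=5):
    """Flag a (source, account) pair with many failures in one window."""
    by_key = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_key[(e["src"], e["user"])].append(e["ts"])
    findings = []
    for (src, user), times in by_key.items():
        times.sort()
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= window)
            if n >= min_fails:
                findings.append({"src": src, "user": user, "failures": n})
                break
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spray:", detect_password_spray(evs))
    print("brute force:", detect_brute_force(evs))
```

A per-account lockout after five failures would stop the 198.51.100.9 brute force but never fire on the spray, because the sprayer touches each harvested address once or twice; that is why the spray rule pivots on the source and on the number of distinct accounts rather than on failures per account. Real sprays also rotate source addresses, so a production rule would additionally bucket distinct-account failures across all sources per time window, or key on a client fingerprint, instead of trusting the source IP alone.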
It is far too challenging to cover the depths of security in a social media post. However, there are people out there not taking attack surface into account, or ignoring the fact that different products, even when built on the same underlying technology, pose different levels of risk. For example, yes, most AI platforms and cloud products use very similar technology; however, there are two key differences in exposure between them:
AI is currently a highly targeted field. There are more attacks aimed at AI platforms at the moment than at any other class of cloud-based platform. To return to the Taylor Swift example, there is bound to be a night where a greater number of people try to climb on stage than on other nights. On those nights, given the large number of attendees and security that is not unlimited, at least one attendee is bound to make it onto the stage. In other words, if enough people are attacking one system, the chance that one of them gets through increases. By comparison, a venue that is not in such high demand or so popular right now faces a lesser threat.
The rate at which AI is shifting and changing, especially compared to other web-based products, is a concern as well. In many cases, code is pushed out to stay competitive with few, if any, reviews. The push for features has surpassed the push for quality. Microsoft alone has had several targeted attacks on Copilot that exposed critical information entrusted to it by its customers. Compared with established products, the feature-focused mentality of AI products still lags behind the goal of having a stable and secure product.
Before any firm moves forward making adjustments to their operation or any product choices, they should sit down and fully map out their entire attack surface.
Financial Guardians has partnered with NAEA to provide access to our monthly Guardian Tier membership at a 30% discount.
Active NAEA members can access the online discount here.
Financial Guardians is a proud member of InCite, the recently launched online community exclusively for tax professionals, bookkeepers, and accountants. InCite members receive a 30% discount.
Join today at www.incite.tax.
Financial Guardians has partnered with the California Society of Tax Consultants to provide a 30% access discount as well as many other offers. More info can be found at www.cstcsociety.org